Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2025-03-01 23:02:53 +00:00
parent ba3d91a29e
commit 8bc469a357
12 changed files with 65 additions and 3 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1714-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1715-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+1
@@ -1357,6 +1357,7 @@ command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b
command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
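Review bot: The test name in the added row, "Microsoft App Quick Assist Execution", breaks the pattern of the neighbouring T1219 rows ("Splashtop Execution", "Splashtop Streamer Execution", "MSP360 Connect Execution"), which use the product name followed by "Execution". Something like "Microsoft Quick Assist Execution" would read better; since this CSV is generated, the rename belongs in the source atomic.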
@@ -925,6 +925,7 @@ command-and-control,T1219,Remote Access Software,11,MSP360 Connect Execution,b1b
command-and-control,T1219,Remote Access Software,12,RustDesk Files Detected Test on Windows,f1641ba9-919a-4323-b74f-33372333bf0e,powershell
command-and-control,T1219,Remote Access Software,13,Splashtop Execution,b025c580-029e-4023-888d-a42710d76934,powershell
command-and-control,T1219,Remote Access Software,14,Splashtop Streamer Execution,3e1858ee-3550-401c-86ec-5e70ed79295b,powershell
command-and-control,T1219,Remote Access Software,15,Microsoft App Quick Assist Execution,1aea6d15-70f1-4b4e-8b02-397b5d5ffe75,powershell
command-and-control,T1572,Protocol Tunneling,1,DNS over HTTPS Large Query Volume,ae9ef4b0-d8c1-49d4-8758-06206f19af0a,powershell
command-and-control,T1572,Protocol Tunneling,2,DNS over HTTPS Regular Beaconing,0c5f9705-c575-42a6-9609-cbbff4b2fc9b,powershell
command-and-control,T1572,Protocol Tunneling,3,DNS over HTTPS Long Domain Query,748a73d5-cea4-4f34-84d8-839da5baa99c,powershell
@@ -1846,6 +1846,7 @@
- Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
- Atomic Test #13: Splashtop Execution [windows]
- Atomic Test #14: Splashtop Streamer Execution [windows]
- Atomic Test #15: Microsoft App Quick Assist Execution [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
@@ -1287,6 +1287,7 @@
- Atomic Test #12: RustDesk Files Detected Test on Windows [windows]
- Atomic Test #13: Splashtop Execution [windows]
- Atomic Test #14: Splashtop Streamer Execution [windows]
- Atomic Test #15: Microsoft App Quick Assist Execution [windows]
- T1659 Content Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1205 Traffic Signaling [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1572 Protocol Tunneling](../../T1572/T1572.md)
+11
@@ -77109,6 +77109,17 @@ command-and-control:
Remote\Server\#{srserver_exe}"
name: powershell
elevation_required: true
- name: Microsoft App Quick Assist Execution
auto_generated_guid: 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75
description: "An adversary may attempt to trick a user into executing Microsoft
Quick Assist Microsoft Store app and connect to the user's machine. \n"
supported_platforms:
- windows
executor:
command: Start-Process "shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App"
cleanup_command: Stop-Process -Name quickassist
name: powershell
elevation_required: true
T1659:
technique:
modified: '2023-10-01T02:28:45.147Z'
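Review bot: `elevation_required: true` on the new Quick Assist test looks unnecessary: the executor only runs `Start-Process` against a `shell:AppsFolder\...!App` target, and nothing in that command visibly needs administrator rights. If the launch works from a standard user session, set it to `false` in the source atomic so the test matches the scenario in its own description, where an ordinary user is tricked into opening the app, and so the generated docs stop advertising an admin requirement.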
+11
@@ -63558,6 +63558,17 @@ command-and-control:
Remote\Server\#{srserver_exe}"
name: powershell
elevation_required: true
- name: Microsoft App Quick Assist Execution
auto_generated_guid: 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75
description: "An adversary may attempt to trick a user into executing Microsoft
Quick Assist Microsoft Store app and connect to the user's machine. \n"
supported_platforms:
- windows
executor:
command: Start-Process "shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App"
cleanup_command: Stop-Process -Name quickassist
name: powershell
elevation_required: true
T1659:
technique:
modified: '2023-10-01T02:28:45.147Z'
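Review bot: `cleanup_command: Stop-Process -Name quickassist` reports an error whenever no process with that name is running, for example when the launch failed or the window was already closed. Consider `Stop-Process -Name quickassist -ErrorAction Ignore` in the source atomic so that cleanup is idempotent.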
+34
@@ -42,6 +42,8 @@ Installation of many remote access software may also include persistence (e.g.,
- [Atomic Test #14 - Splashtop Streamer Execution](#atomic-test-14---splashtop-streamer-execution)
- [Atomic Test #15 - Microsoft App Quick Assist Execution](#atomic-test-15---microsoft-app-quick-assist-execution)
<br/>
@@ -678,4 +680,36 @@ Start-Process "c:\Temp\ExternalPayloads\Splashtop.exe" -Wait -ArgumentList "/s"
<br/>
<br/>
## Atomic Test #15 - Microsoft App Quick Assist Execution
An adversary may attempt to trick a user into executing Microsoft Quick Assist Microsoft Store app and connect to the user's machine.
**Supported Platforms:** Windows
**auto_generated_guid:** 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```powershell
Start-Process "shell:AppsFolder\MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App"
```
#### Cleanup Commands:
```powershell
Stop-Process -Name quickassist
```
<br/>
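Review bot: The rendered test goes straight from the GUID to the attack command with no Dependencies section, so `Start-Process` on `MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe!App` will fail on any host where that Store package is absent. Suggest adding a `dependencies` entry to the source atomic whose `prereq_command` checks that the package is installed (for instance with `Get-AppxPackage`), so a missing app shows up as an unmet prerequisite rather than as a failed test run.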
+1
@@ -343,6 +343,7 @@ atomic_tests:
name: powershell
elevation_required: true
- name: Microsoft App Quick Assist Execution
auto_generated_guid: 1aea6d15-70f1-4b4e-8b02-397b5d5ffe75
description: |
An adversary may attempt to trick a user into executing Microsoft Quick Assist Microsoft Store app and connect to the user's machine.
supported_platforms:
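Review bot: The `description` is ungrammatical ("executing Microsoft Quick Assist Microsoft Store app and connect to the user's machine") and promises more than the test does, since the executor shown elsewhere in this commit only launches the app. Suggest rewording it here in the source, for example "An adversary may trick a user into launching the Microsoft Quick Assist Store app and then use it to connect to the user's machine. This test only launches the app.", so the generated index and markdown pick up the corrected text.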
+1
@@ -1738,3 +1738,4 @@ cfb6d400-a269-4c06-a347-6d88d584d5f7
a4b74723-5cee-4300-91c3-5e34166909b4
7b5d350e-f758-43cc-a761-8e3f6b052a03
8e139e1f-1f3a-4be7-901d-afae9738c064
1aea6d15-70f1-4b4e-8b02-397b5d5ffe75