security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-10-31 18:55:22 +00:00
parent 535c5be594
commit 8c427d03ea
8 changed files with 59 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+1
View File
@@ -327,6 +327,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Bl
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script,f45df6be-2e1e-4136-a384-8f18ab3826fb,sh
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
327 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 34 LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell d8c57eaa-497a-4a08-961e-bd5efd7c9374 powershell
328 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 35 Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell 5e27f36d-5132-4537-b43b-413b0d5eec9a powershell
329 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 36 Disable Windows Defender with PwSh Disable-WindowsOptionalFeature f542ffd3-37b4-4528-837f-682874faa012 powershell
330 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 37 WMIC Tamper with Windows Defender Evade Scanning Folder 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 command_prompt
331 defense-evasion T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
332 defense-evasion T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
333 defense-evasion T1027 Obfuscated Files or Information 1 Decode base64 Data into Script f45df6be-2e1e-4136-a384-8f18ab3826fb sh
atomics/Indexes/Indexes-CSV/windows-index.csv
+1
View File
@@ -247,6 +247,7 @@ defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,33,LockBit Bl
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,34,LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell,d8c57eaa-497a-4a08-961e-bd5efd7c9374,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,35,Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell,5e27f36d-5132-4537-b43b-413b0d5eec9a,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,36,Disable Windows Defender with PwSh Disable-WindowsOptionalFeature,f542ffd3-37b4-4528-837f-682874faa012,powershell
defense-evasion,T1562.001,Impair Defenses: Disable or Modify Tools,37,WMIC Tamper with Windows Defender Evade Scanning Folder,59d386fc-3a4b-41b8-850d-9e3eee24dfe4,command_prompt
defense-evasion,T1055.012,Process Injection: Process Hollowing,1,Process Hollowing using PowerShell,562427b4-39ef-4e8c-af88-463a78e70b9c,powershell
defense-evasion,T1055.012,Process Injection: Process Hollowing,2,RunPE via VBA,3ad4a037-1598-4136-837c-4027e4fa319b,powershell
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell,a50d5a97-2531-499e-a1de-5544c74432c6,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
247 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 34 LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell d8c57eaa-497a-4a08-961e-bd5efd7c9374 powershell
248 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 35 Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell 5e27f36d-5132-4537-b43b-413b0d5eec9a powershell
249 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 36 Disable Windows Defender with PwSh Disable-WindowsOptionalFeature f542ffd3-37b4-4528-837f-682874faa012 powershell
250 defense-evasion T1562.001 Impair Defenses: Disable or Modify Tools 37 WMIC Tamper with Windows Defender Evade Scanning Folder 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 command_prompt
251 defense-evasion T1055.012 Process Injection: Process Hollowing 1 Process Hollowing using PowerShell 562427b4-39ef-4e8c-af88-463a78e70b9c powershell
252 defense-evasion T1055.012 Process Injection: Process Hollowing 2 RunPE via VBA 3ad4a037-1598-4136-837c-4027e4fa319b powershell
253 defense-evasion T1027 Obfuscated Files or Information 2 Execute base64-encoded PowerShell a50d5a97-2531-499e-a1de-5544c74432c6 powershell
atomics/Indexes/Indexes-Markdown/index.md
+1
View File
@@ -465,6 +465,7 @@
- Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
- Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
- Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
- Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
- T1601 Modify System Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
+1
View File
@@ -356,6 +356,7 @@
- Atomic Test #34: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell [windows]
- Atomic Test #35: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell [windows]
- Atomic Test #36: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature [windows]
- Atomic Test #37: WMIC Tamper with Windows Defender Evade Scanning Folder [windows]
- T1574 Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1027.005 Indicator Removal from Tools [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
atomics/Indexes/index.yaml
+18
View File
@@ -18189,6 +18189,24 @@ defense-evasion:
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore
name: powershell
elevation_required: true
- name: WMIC Tamper with Windows Defender Evade Scanning Folder
auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
description: |
The following Atomic will attempt to exclude a folder within Defender leveraging WMI
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
supported_platforms:
- windows
executor:
command: 'wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference
call Add ExclusionPath=\"ATOMICREDTEAM\"
'
cleanup_command: 'wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class
MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
'
name: command_prompt
elevation_required: true
T1601:
technique:
x_mitre_platforms:
atomics/T1562.001/T1562.001.md
+35
View File
@@ -78,6 +78,8 @@ Adversaries may also tamper with artifacts deployed and utilized by security too
- [Atomic Test #36 - Disable Windows Defender with PwSh Disable-WindowsOptionalFeature](#atomic-test-36---disable-windows-defender-with-pwsh-disable-windowsoptionalfeature)
- [Atomic Test #37 - WMIC Tamper with Windows Defender Evade Scanning Folder](#atomic-test-37---wmic-tamper-with-windows-defender-evade-scanning-folder)
<br/>
@@ -1517,4 +1519,37 @@ Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Applicatio
<br/>
<br/>
## Atomic Test #37 - WMIC Tamper with Windows Defender Evade Scanning Folder
The following Atomic will attempt to exclude a folder within Defender leveraging WMI
Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
**Supported Platforms:** Windows
**auto_generated_guid:** 59d386fc-3a4b-41b8-850d-9e3eee24dfe4
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"ATOMICREDTEAM\"
```
#### Cleanup Commands:
```cmd
wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\"
```
<br/>