From 99a4e8850a1051220cf05e84cd20cd78f11f79e7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Fri, 7 Aug 2020 17:14:19 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1003/T1003.md | 1 + atomics/T1020/T1020.md | 1 + atomics/T1021.006/T1021.006.md | 1 + atomics/T1033/T1033.md | 1 + atomics/T1040/T1040.md | 1 + atomics/T1046/T1046.md | 1 + atomics/T1053.004/T1053.004.md | 2 +- atomics/T1057/T1057.md | 2 +- atomics/T1078.001/T1078.001.md | 1 + atomics/T1106/T1106.md | 1 + atomics/T1110.003/T1110.003.md | 1 + atomics/T1135/T1135.md | 1 + atomics/T1176/T1176.md | 2 ++ atomics/T1546.001/T1546.001.md | 2 +- atomics/T1547.001/T1547.001.md | 4 ++-- atomics/T1547.005/T1547.005.md | 1 + atomics/T1559.002/T1559.002.md | 1 - atomics/T1560.001/T1560.001.md | 2 +- atomics/T1560/T1560.md | 2 +- atomics/T1562.001/T1562.001.md | 2 +- atomics/T1562.003/T1562.003.md | 1 + atomics/T1574.006/T1574.006.md | 2 +- 22 files changed, 23 insertions(+), 10 deletions(-) diff --git a/atomics/T1003/T1003.md b/atomics/T1003/T1003.md index 7cee0c96..30be8e5c 100644 --- a/atomics/T1003/T1003.md +++ b/atomics/T1003/T1003.md @@ -108,6 +108,7 @@ Changes ProviderOrder Registry Key Parameter and creates Key for NPPSpy. After user's logging in cleartext password is saved in C:\NPPSpy.txt. Clean up deletes the files and reverses Registry changes. NPPSpy Source: https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy + **Supported Platforms:** Windows diff --git a/atomics/T1020/T1020.md b/atomics/T1020/T1020.md index 24906f7e..e4f89f97 100644 --- a/atomics/T1020/T1020.md +++ b/atomics/T1020/T1020.md @@ -15,6 +15,7 @@ When automated exfiltration is used, other exfiltration techniques likely apply Creates a text file Tries to upload to a server via HTTP PUT method with ContentType Header Deletes a created file + **Supported Platforms:** Windows 
diff --git a/atomics/T1021.006/T1021.006.md b/atomics/T1021.006/T1021.006.md index 367a7eff..d3423212 100644 --- a/atomics/T1021.006/T1021.006.md +++ b/atomics/T1021.006/T1021.006.md @@ -198,6 +198,7 @@ invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} ## Atomic Test #6 - WinRM Access with Evil-WinRM An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled + **Supported Platforms:** Windows diff --git a/atomics/T1033/T1033.md b/atomics/T1033/T1033.md index a716c5a7..b4dbc359 100644 --- a/atomics/T1033/T1033.md +++ b/atomics/T1033/T1033.md @@ -84,6 +84,7 @@ who ## Atomic Test #3 - Find computers where user has session - Stealth mode (PowerView) Find existing user session on other computers. Upon execution, information about any sessions discovered will be displayed. + **Supported Platforms:** Windows diff --git a/atomics/T1040/T1040.md b/atomics/T1040/T1040.md index 22333b52..e41c7a1c 100644 --- a/atomics/T1040/T1040.md +++ b/atomics/T1040/T1040.md @@ -143,6 +143,7 @@ c:\windump.exe ## Atomic Test #4 - Windows Internal Packet Capture Uses the built-in Windows packet capture After execution you should find a file named trace.etl and trace.cab in the temp directory + **Supported Platforms:** Windows diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index f4153df8..386cb316 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -93,6 +93,7 @@ echo "Install nmap on the machine to run the test."; exit 1; ## Atomic Test #3 - Port Scan NMap for Windows Scan ports to check for listening ports for the local host 127.0.0.1 + **Supported Platforms:** Windows diff --git a/atomics/T1053.004/T1053.004.md b/atomics/T1053.004/T1053.004.md index 3d22548a..432008e0 100644 --- a/atomics/T1053.004/T1053.004.md +++ b/atomics/T1053.004/T1053.004.md @@ -12,7 +12,7 @@ An adversary may use the launchd daemon in macOS environments to sc
## Atomic Test #1 - Event Monitor Daemon Persistence -This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. +This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. **Supported Platforms:** macOS diff --git a/atomics/T1057/T1057.md b/atomics/T1057/T1057.md index 4d4d96b8..b860e1a8 100644 --- a/atomics/T1057/T1057.md +++ b/atomics/T1057/T1057.md @@ -52,7 +52,7 @@ rm #{output_file} ## Atomic Test #2 - Process Discovery - tasklist Utilize tasklist to identify processes. -Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. +Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout. **Supported Platforms:** Windows diff --git a/atomics/T1078.001/T1078.001.md b/atomics/T1078.001/T1078.001.md index 2c32dc26..6714cbcf 100644 --- a/atomics/T1078.001/T1078.001.md +++ b/atomics/T1078.001/T1078.001.md @@ -13,6 +13,7 @@ Default accounts are not limited to client machines, rather also include account ## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections + **Supported Platforms:** Windows diff --git a/atomics/T1106/T1106.md b/atomics/T1106/T1106.md index e6109e9a..70b40eda 100644 --- a/atomics/T1106/T1106.md +++ b/atomics/T1106/T1106.md @@ -17,6 +17,7 @@ Adversaries may abuse these native API functions as a means of executing behavio ## Atomic Test #1 - Execution through API - CreateProcess Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt. + **Supported Platforms:** Windows diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index d09895f7..811eacfa 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md 
@@ -35,6 +35,7 @@ CAUTION! Be very careful to not exceed the password lockout threshold for users This atomic attempts to map the IPC$ share on one of the Domain Controllers using a password of Spring2020 for each user in the %temp%\users.txt list. Any successful authentications will be printed to the screen with a message like "[*] username:password", whereas a failed auth will simply print a period. Use the input arguments to specify your own password to use for the password spray. Use the get_prereq_command's to create a list of all domain users in the temp directory called users.txt. See the "Windows FOR Loop Password Spraying Made Easy" blog by @OrEqualsOne for more details on how these spray commands work. https://medium.com/walmartlabs/windows-for-loop-password-spraying-made-easy-c8cd4ebb86b5 + **Supported Platforms:** Windows diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index 7ba4879e..4f3a8b0e 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -115,6 +115,7 @@ get-smbshare -Name #{computer_name} ## Atomic Test #4 - View available share drives View information about all of the resources that are shared on the local computer Upon execution, avalaible share drives will be displayed in the powershell session + **Supported Platforms:** Windows diff --git a/atomics/T1176/T1176.md b/atomics/T1176/T1176.md index e689b535..71c08da0 100644 --- a/atomics/T1176/T1176.md +++ b/atomics/T1176/T1176.md @@ -21,6 +21,7 @@ There have also been instances of botnets using a persistent backdoor through ma ## Atomic Test #1 - Chrome (Developer Mode) + **Supported Platforms:** Linux, Windows, macOS @@ -46,6 +47,7 @@ tick 'Developer Mode'. ## Atomic Test #2 - Chrome (Chrome Web Store) + **Supported Platforms:** Linux, Windows, macOS diff --git a/atomics/T1546.001/T1546.001.md b/atomics/T1546.001/T1546.001.md index 33ea4105..c109d920 100644 --- a/atomics/T1546.001/T1546.001.md +++ b/atomics/T1546.001/T1546.001.md 
@@ -19,7 +19,7 @@ The values of the keys listed are commands that are executed when the handler op ## Atomic Test #1 - Change Default File Association Change Default File Association From cmd.exe of hta to notepad. -Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. +Upon successful execution, cmd.exe will change the file association of .hta to notepad.exe. **Supported Platforms:** Windows diff --git a/atomics/T1547.001/T1547.001.md b/atomics/T1547.001/T1547.001.md index ea3d2cfd..c0aeef82 100644 --- a/atomics/T1547.001/T1547.001.md +++ b/atomics/T1547.001/T1547.001.md @@ -56,7 +56,7 @@ Adversaries can use these configuration locations to execute malware, such as re ## Atomic Test #1 - Reg Key Run Run Key Persistence -Upon successful execution, cmd.exe will modify the registry by adding \"Atomic Red Team\" to the Run key. Output will be via stdout. +Upon successful execution, cmd.exe will modify the registry by adding \"Atomic Red Team\" to the Run key. Output will be via stdout. **Supported Platforms:** Windows @@ -91,7 +91,7 @@ REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red T ## Atomic Test #2 - Reg Key RunOnce RunOnce Key Persistence. -Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. +Upon successful execution, cmd.exe will modify the registry to load AtomicRedTeam.dll to RunOnceEx. Output will be via stdout. **Supported Platforms:** Windows diff --git a/atomics/T1547.005/T1547.005.md b/atomics/T1547.005/T1547.005.md index 96f4c4bb..3f7a8045 100644 --- a/atomics/T1547.005/T1547.005.md +++ b/atomics/T1547.005/T1547.005.md @@ -13,6 +13,7 @@ The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentC ## Atomic Test #1 - Modify SSP configuration in registry Add a value to a Windows registry SSP key, simulating an adversarial modification of those keys. + **Supported Platforms:** Windows 
diff --git a/atomics/T1559.002/T1559.002.md b/atomics/T1559.002/T1559.002.md index d1a2f182..bc718f14 100644 --- a/atomics/T1559.002/T1559.002.md +++ b/atomics/T1559.002/T1559.002.md @@ -72,7 +72,6 @@ start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx
## Atomic Test #3 - DDEAUTO - TrustedSec - Unicorn - https://github.com/trustedsec/unicorn SensePost DDEAUTO - https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/ diff --git a/atomics/T1560.001/T1560.001.md b/atomics/T1560.001/T1560.001.md index 1cbfea20..ae33bedd 100644 --- a/atomics/T1560.001/T1560.001.md +++ b/atomics/T1560.001/T1560.001.md @@ -27,7 +27,7 @@ Some 3rd party utilities may be preinstalled, such as `tar` on Linux and macOS o ## Atomic Test #1 - Compress Data for Exfiltration With Rar An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. -When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory +When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory **Supported Platforms:** Windows diff --git a/atomics/T1560/T1560.md b/atomics/T1560/T1560.md index 7064ebe6..fafa2328 100644 --- a/atomics/T1560/T1560.md +++ b/atomics/T1560/T1560.md @@ -13,7 +13,7 @@ Both compression and encryption are done prior to exfiltration, and can be perfo ## Atomic Test #1 - Compress Data for Exfiltration With PowerShell An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. -When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory +When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory **Supported Platforms:** Windows diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index 348eabd1..57adacc4 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1562.001/T1562.001.md 
@@ -725,7 +725,7 @@ if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet ## Atomic Test #21 - Tamper with Windows Defender Evade Scanning -Folder Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. -To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath +To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath **Supported Platforms:** Windows diff --git a/atomics/T1562.003/T1562.003.md b/atomics/T1562.003/T1562.003.md index 30600cd3..a4848a3c 100644 --- a/atomics/T1562.003/T1562.003.md +++ b/atomics/T1562.003/T1562.003.md @@ -47,6 +47,7 @@ export HISTCONTROL=ignoreboth ## Atomic Test #2 - Mac HISTCONTROL + **Supported Platforms:** macOS, Linux diff --git a/atomics/T1574.006/T1574.006.md b/atomics/T1574.006/T1574.006.md index 4061d648..cb03959c 100644 --- a/atomics/T1574.006/T1574.006.md +++ b/atomics/T1574.006/T1574.006.md @@ -18,7 +18,7 @@ LD_PRELOAD hijacking may grant access to the victim process's memory, system/net ## Atomic Test #1 - Shared Library Injection via /etc/ld.so.preload This test adds a shared library to the `ld.so.preload` list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the `glibc` package. -Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. +Upon successful execution, bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload. **Supported Platforms:** Linux
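Review bot: the T1003 hunk only inserts a blank line, but the description it sits under still reads "After user's logging in cleartext password is saved in C:\NPPSpy.txt". Since this file is generated, correct the wording in the T1003 atomic's YAML description (for example "After the user logs in, the cleartext password is saved in C:\NPPSpy.txt") so the next generator run fixes the Markdown rather than patching it here.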
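Review bot: in the T1078.001 hunk the test heading "Enable Guest account with RDP capability and admin priviliges" carries a typo ("privileges"). The heading is the atomic's name, so fix it in the source YAML rather than in this generated file, and note that anyone invoking the test by name will need the new spelling.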
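Review bot: the T1135 hunk leaves "avalaible share drives will be displayed in the powershell session" in place; correct "available" in the T1135 atomic's description so the regenerated doc picks it up.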
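Review bot: both T1176 hunks ("Chrome (Developer Mode)" and "Chrome (Chrome Web Store)") add a blank line directly under the test heading because the atomic has no description at all, so the generated page goes straight from the heading to "**Supported Platforms:**". Add a one-line description to each of those atomics in the source YAML; an empty description block is missing documentation, not a formatting problem for the generator to solve.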
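Review bot: the T1562.003 hunk has the same gap as the T1176 ones: "## Atomic Test #2 - Mac HISTCONTROL" is followed only by the inserted blank line and then "**Supported Platforms:**", with no description. Give the atomic a description in its YAML so the page says what the test does.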
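Review bot: the hunks for T1053.004, T1057, T1546.001, both T1547.001 hunks, T1560.001, T1560, T1562.001 and T1574.006 each replace a line with one that is identical apart from trailing whitespace (for example "-Upon successful execution, cmd.exe will execute tasklist.exe to list processes. Output will be via stdout." against the matching "+" line). That is churn rather than a content change; have the generator (or its template) strip trailing whitespace on output so these lines stop flapping between runs.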
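Review bot: the T1562.001 hunk keeps three spelling problems in Test #21's text: "Upon successul execution" (successful), "To check the exclusion list using poweshell" (PowerShell) and "on the list of excluded path" (excluded paths). These live in the atomic's YAML description, so fix them there and let the generator rewrite this file.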
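Review bot: the T1559.002 hunk header "@@ -72,7 +72,6 @@" records a single deleted line, but no "-" line with content appears in the hunk, and it is the only hunk in this patch that removes rather than adds a line. Confirm the deleted line is whitespace only and that the generator is not dropping part of Test #3's description, which in the surviving context is just the two source URLs for Unicorn and the SensePost post.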
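Review bot: the T1574.006 hunk is whitespace only, but the line it touches documents that "bash will echo `../bin/T1574.006.so` to /etc/ld.so.preload". Entries in ld.so.preload are opened as written, so a relative path there would be resolved against the working directory of every process that starts, which is not what the test intends. Check that the atomic's command actually writes an absolute path (for instance one built from the atomics folder location) and make the description state the path that is really written.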