Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

CircleCI Atomic Red Team doc generator
2021-06-17 13:11:19 +00:00
parent 7a17072dd3
commit a0e012ee09
2 changed files with 46 additions and 23 deletions
+40 -20
@@ -11430,9 +11430,9 @@ privilege-escalation:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -11444,6 +11444,10 @@ privilege-escalation:
description: Specify the guest password
type: String
default: Password123!
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -11456,8 +11460,9 @@ privilege-escalation:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1078.002:
@@ -21649,9 +21654,9 @@ defense-evasion:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -21663,6 +21668,10 @@ defense-evasion:
description: Specify the guest password
type: String
default: Password123!
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -21675,8 +21684,9 @@ defense-evasion:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1578.003:
@@ -39427,9 +39437,9 @@ persistence:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -39441,6 +39451,10 @@ persistence:
description: Specify the guest password
type: String
default: Password123!
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -39453,8 +39467,9 @@ persistence:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1136.002:
@@ -67406,9 +67421,9 @@ initial-access:
atomic_tests:
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
description: |
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
supported_platforms:
- windows
input_arguments:
@@ -67420,6 +67435,10 @@ initial-access:
description: Specify the guest password
type: String
default: Password123!
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
default: 0
executor:
command: |-
net user #{guest_user} /active:yes
@@ -67432,8 +67451,9 @@ initial-access:
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
name: command_prompt
elevation_required: true
T1078.002:
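Review bot: With the new default of 0, the three `if #{remove_rdp_access_during_cleanup}` lines in the cleanup now deliberately leave the test's `fDenyTSConnections`/`AllowTSConnections` changes in place, so a host that ran this test stays RDP-reachable after cleanup, and even with the argument set to 1 the values are deleted rather than restored, which does not return a machine that explicitly denied RDP before the test to its prior state. The description was only reflowed and says nothing about this; I would append to it `Cleanup disables the account and removes its group memberships but leaves RDP enabled unless remove_rdp_access_during_cleanup is set to 1.` A restore-based cleanup would capture the key before the attack commands, e.g. `reg export "hklm\system\CurrentControlSet\Control\Terminal Server" "%temp%\ts_backup.reg" /y` in the attack step and `if #{remove_rdp_access_during_cleanup} EQU 1 (reg import "%temp%\ts_backup.reg" >nul 2>&1)` in place of the two delete lines. Note the `EQU`/`NEQ` comparison falls back to string comparison for non-numeric input, so any value other than `1` keeps RDP enabled, and an empty value breaks the `if` syntax outright. Since this index is generated, the change belongs in the source atomic for T1078.001 rather than here, and the attack-command block continues outside the hunk.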
+6 -3
@@ -12,7 +12,8 @@ Default accounts are not limited to client machines, rather also include account
<br/>
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
and desktop will allow multiple RDP connections.
**Supported Platforms:** Windows
@@ -24,6 +25,7 @@ After execution the Default Guest account will be enabled (Active) and added to
|------|-------------|------|---------------|
| guest_user | Specify the guest account | String | guest|
| guest_password | Specify the guest password | String | Password123!|
| remove_rdp_access_during_cleanup | Set to 1 if you want the cleanup to remove RDP access to machine | Integer | 0|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
@@ -43,8 +45,9 @@ reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConne
net user #{guest_user} /active:no >nul 2>&1
net localgroup administrators #{guest_user} /delete >nul 2>&1
net localgroup "Remote Desktop Users" #{guest_user} /delete >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1
if #{remove_rdp_access_during_cleanup} NEQ 1 (echo Note: set remove_rdp_access_during_cleanup input argument to disable RDP access during cleanup)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f >nul 2>&1)
if #{remove_rdp_access_during_cleanup} EQU 1 (reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f >nul 2>&1)
```