Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]
This commit is contained in:
CircleCI Atomic Red Team doc generator
parent
8425489f5c
commit
a3e16e194f
@@ -140,7 +140,7 @@ privilege-escalation,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b
|
||||
privilege-escalation,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
|
||||
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
|
||||
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
|
||||
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
privilege-escalation,T1574.006,Dynamic Linker Hijacking,1,Shared Library Injection via /etc/ld.so.preload,39cb0e67-dd0d-4b74-a74b-c072db7ae991,bash
|
||||
privilege-escalation,T1574.006,Dynamic Linker Hijacking,2,Shared Library Injection via LD_PRELOAD,bc219ff7-789f-4d51-9142-ecae3397deae,bash
|
||||
privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
|
||||
@@ -152,7 +152,7 @@ privilege-escalation,T1547.006,Kernel Modules and Extensions,1,Linux - Load Kern
|
||||
privilege-escalation,T1543.001,Launch Agent,1,Launch Agent,a5983dee-bf6c-4eaf-951c-dbc1a7b90900,bash
|
||||
privilege-escalation,T1543.004,Launch Daemon,1,Launch Daemon,03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf,bash
|
||||
privilege-escalation,T1053.004,Launchd,1,Event Monitor Daemon Persistence,11979f23-9b9d-482a-9935-6fc9cd022c3e,bash
|
||||
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
privilege-escalation,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
|
||||
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
|
||||
privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
|
||||
@@ -264,7 +264,7 @@ defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with
|
||||
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
|
||||
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
|
||||
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
|
||||
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
|
||||
defense-evasion,T1610,Deploy Container,1,Deploy container using nsenter container escape,58004e22-022c-4c51-b4a8-2b85ac5c596b,sh
|
||||
@@ -361,7 +361,7 @@ defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modificat
|
||||
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,7,chown - Change file or folder mode ownership only,967ba79d-f184-4e0e-8d09-6362b3162e99,bash
|
||||
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,8,chown - Change file or folder ownership recursively,3b015515-b3d8-44e9-b8cd-6fa84faf30b2,bash
|
||||
defense-evasion,T1222.002,Linux and Mac File and Directory Permissions Modification,9,chattr - Remove immutable file attribute,e7469fe2-ad41-4382-8965-99b94dd3c13f,sh
|
||||
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
|
||||
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
|
||||
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
|
||||
@@ -527,7 +527,7 @@ persistence,T1053.003,Cron,2,Cron - Add script to all cron subfolders,b7d42afa-9
|
||||
persistence,T1053.003,Cron,3,Cron - Add script to /var/spool/cron/crontabs/ folder,2d943c18-e74a-44bf-936f-25ade6cccab4,bash
|
||||
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
|
||||
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
|
||||
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
|
||||
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
|
||||
persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
|
||||
@@ -547,7 +547,7 @@ persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657
|
||||
persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
|
||||
persistence,T1136.001,Local Account,5,Create a new user in Linux with `root` UID and GID.,a1040a30-d28b-4eda-bd99-bb2861a4616c,bash
|
||||
persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
|
||||
persistence,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
persistence,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
persistence,T1037.002,Logon Script (Mac),1,Logon Scripts - Mac,f047c7de-a2d9-406e-a62b-12a09d9516f4,manual
|
||||
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
|
||||
persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
|
||||
@@ -892,8 +892,8 @@ exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,
|
||||
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
|
||||
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,4,Exfiltration Over Alternative Protocol - HTTP,6aa58451-1121-4490-a8e9-1dada3f1c68c,powershell
|
||||
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,5,Exfiltration Over Alternative Protocol - SMTP,ec3a835e-adca-4c7c-88d2-853b69c11bb9,powershell
|
||||
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
|
||||
initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
|
||||
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
|
||||
|
||||
|
@@ -95,11 +95,11 @@ privilege-escalation,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PR
|
||||
privilege-escalation,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
|
||||
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
|
||||
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
|
||||
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
privilege-escalation,T1055.001,Dynamic-link Library Injection,1,Process Injection via mavinject.exe,74496461-11a1-4982-b439-4d87a550d254,powershell
|
||||
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
|
||||
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
|
||||
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
privilege-escalation,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
|
||||
privilege-escalation,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
|
||||
privilege-escalation,T1134.004,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell,069258f4-2162-46e9-9a25-c9c6c56150d2,powershell
|
||||
@@ -178,7 +178,7 @@ defense-evasion,T1218.001,Compiled HTML File,7,Invoke CHM Shortcut Command with
|
||||
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
|
||||
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
|
||||
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
|
||||
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
|
||||
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
|
||||
defense-evasion,T1006,Direct Volume Access,1,Read volume boot sector via DOS device path (PowerShell),88f6327e-51ec-4bbf-b2e8-3fea534eab8b,powershell
|
||||
@@ -234,7 +234,7 @@ defense-evasion,T1218.004,InstallUtil,5,InstallUtil Uninstall method call - /U v
|
||||
defense-evasion,T1218.004,InstallUtil,6,InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant,06d9deba-f732-48a8-af8e-bdd6e4d98c1d,powershell
|
||||
defense-evasion,T1218.004,InstallUtil,7,InstallUtil HelpText method call,5a683850-1145-4326-a0e5-e91ced3c6022,powershell
|
||||
defense-evasion,T1218.004,InstallUtil,8,InstallUtil evasive invocation,559e6d06-bb42-4307-bff7-3b95a8254bad,powershell
|
||||
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
defense-evasion,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
defense-evasion,T1127.001,MSBuild,1,MSBuild Bypass Using Inline Tasks (C#),58742c0f-cb01-44cd-a60b-fb26e8871c93,command_prompt
|
||||
defense-evasion,T1127.001,MSBuild,2,MSBuild Bypass Using Inline Tasks (VB),ab042179-c0c5-402f-9bc8-42741f5ce359,command_prompt
|
||||
defense-evasion,T1553.005,Mark-of-the-Web Bypass,1,Mount ISO image,002cca30-4778-4891-878a-aaffcfa502fa,powershell
|
||||
@@ -367,7 +367,7 @@ persistence,T1574.012,COR_PROFILER,3,Registry-free process scope COR_PROFILER,79
|
||||
persistence,T1546.001,Change Default File Association,1,Change Default File Association,10a08978-2045-4d62-8c42-1957bbbea102,command_prompt
|
||||
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
|
||||
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
|
||||
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
persistence,T1136.002,Domain Account,1,Create a new Windows domain admin user,fcec2963-9951-4173-9bfa-98d8b7834e62,command_prompt
|
||||
persistence,T1136.002,Domain Account,2,Create a new account similar to ANONYMOUS LOGON,dc7726d2-8ccb-4cc6-af22-0d5afb53a548,command_prompt
|
||||
persistence,T1136.002,Domain Account,3,Create a new Domain Account using PowerShell,5a3497a4-1568-4663-b12a-d4a5ed70c7d7,powershell
|
||||
@@ -377,7 +377,7 @@ persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags
|
||||
persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
|
||||
persistence,T1136.001,Local Account,4,Create a new user in PowerShell,bc8be0ac-475c-4fbf-9b1d-9fffd77afbde,powershell
|
||||
persistence,T1136.001,Local Account,6,Create a new Windows admin user,fda74566-a604-4581-a4cc-fbbe21d66559,command_prompt
|
||||
persistence,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
persistence,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
persistence,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
|
||||
persistence,T1546.007,Netsh Helper DLL,1,Netsh Helper DLL Registration,3244697d-5a3a-4dfc-941c-550f69f91a4d,command_prompt
|
||||
persistence,T1137,Office Application Startup,1,Office Application Startup - Outlook as a C2,bfe6ac15-c50b-4c4f-a186-0fc6b8ba936c,command_prompt
|
||||
@@ -618,8 +618,8 @@ lateral-movement,T1072,Software Deployment Tools,1,Radmin Viewer Utility,b4988ca
|
||||
lateral-movement,T1021.006,Windows Remote Management,1,Enable Windows Remote Management,9059e8de-3d7d-4954-a322-46161880b9cf,powershell
|
||||
lateral-movement,T1021.006,Windows Remote Management,2,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
|
||||
lateral-movement,T1021.006,Windows Remote Management,3,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
|
||||
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin privileges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
|
||||
initial-access,T1133,External Remote Services,1,Running Chrome VPN Extensions via the Registry 2 vpn extension,4c8db261-a58b-42a6-a866-0a294deedde4,powershell
|
||||
initial-access,T1078.003,Local Accounts,1,Create local account with admin priviliges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
initial-access,T1078.003,Local Accounts,1,Create local account with admin privileges,a524ce99-86de-4db6-b4f9-e08f35a47a15,command_prompt
|
||||
initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
|
||||
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
|
||||
|
||||
|
@@ -260,7 +260,7 @@
|
||||
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
|
||||
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
|
||||
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -295,7 +295,7 @@
|
||||
- [T1053.004 Launchd](../../T1053.004/T1053.004.md)
|
||||
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
|
||||
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
|
||||
- Atomic Test #1: Create local account with admin priviliges [windows]
|
||||
- Atomic Test #1: Create local account with admin privileges [windows]
|
||||
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
|
||||
- Atomic Test #1: Logon Scripts - Mac [macos]
|
||||
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
|
||||
@@ -484,7 +484,7 @@
|
||||
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
|
||||
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
|
||||
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
|
||||
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
|
||||
@@ -627,7 +627,7 @@
|
||||
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
|
||||
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
|
||||
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
|
||||
- Atomic Test #1: Create local account with admin priviliges [windows]
|
||||
- Atomic Test #1: Create local account with admin privileges [windows]
|
||||
- [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
|
||||
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
|
||||
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
|
||||
@@ -911,7 +911,7 @@
|
||||
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
|
||||
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
|
||||
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
|
||||
- Atomic Test #1: Create a new Windows domain admin user [windows]
|
||||
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
|
||||
@@ -953,7 +953,7 @@
|
||||
- Atomic Test #5: Create a new user in Linux with `root` UID and GID. [linux]
|
||||
- Atomic Test #6: Create a new Windows admin user [windows]
|
||||
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
|
||||
- Atomic Test #1: Create local account with admin priviliges [windows]
|
||||
- Atomic Test #1: Create local account with admin privileges [windows]
|
||||
- [T1037.002 Logon Script (Mac)](../../T1037.002/T1037.002.md)
|
||||
- Atomic Test #1: Logon Scripts - Mac [macos]
|
||||
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
|
||||
@@ -1638,7 +1638,7 @@
|
||||
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -1646,7 +1646,7 @@
|
||||
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
|
||||
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
|
||||
- Atomic Test #1: Create local account with admin priviliges [windows]
|
||||
- Atomic Test #1: Create local account with admin privileges [windows]
|
||||
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1566.001 Spearphishing Attachment](../../T1566.001/T1566.001.md)
|
||||
|
||||
@@ -196,7 +196,7 @@
|
||||
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
|
||||
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
|
||||
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1484 Domain Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1484.002 Domain Trust Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -214,7 +214,7 @@
|
||||
- Atomic Test #2: IFEO Global Flags [windows]
|
||||
- T1547.008 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
|
||||
- Atomic Test #1: Create local account with admin priviliges [windows]
|
||||
- Atomic Test #1: Create local account with admin privileges [windows]
|
||||
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
|
||||
- Atomic Test #1: Logon Scripts [windows]
|
||||
- T1134.003 Make and Impersonate Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -349,7 +349,7 @@
|
||||
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
|
||||
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
|
||||
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
|
||||
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
|
||||
- Atomic Test #2: Certutil Rename and Decode [windows]
|
||||
@@ -438,7 +438,7 @@
|
||||
- Atomic Test #8: InstallUtil evasive invocation [windows]
|
||||
- T1036.001 Invalid Code Signature [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
|
||||
- Atomic Test #1: Create local account with admin priviliges [windows]
|
||||
- Atomic Test #1: Create local account with admin privileges [windows]
|
||||
- [T1127.001 MSBuild](../../T1127.001/T1127.001.md)
|
||||
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
|
||||
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
|
||||
@@ -662,7 +662,7 @@
|
||||
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
|
||||
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
|
||||
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- [T1136.002 Domain Account](../../T1136.002/T1136.002.md)
|
||||
- Atomic Test #1: Create a new Windows domain admin user [windows]
|
||||
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
|
||||
@@ -685,7 +685,7 @@
|
||||
- Atomic Test #4: Create a new user in PowerShell [windows]
|
||||
- Atomic Test #6: Create a new Windows admin user [windows]
|
||||
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
|
||||
- Atomic Test #1: Create local account with admin priviliges [windows]
|
||||
- Atomic Test #1: Create local account with admin privileges [windows]
|
||||
- [T1037.001 Logon Script (Windows)](../../T1037.001/T1037.001.md)
|
||||
- Atomic Test #1: Logon Scripts [windows]
|
||||
- T1556 Modify Authentication Process [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -1142,7 +1142,7 @@
|
||||
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
|
||||
- Atomic Test #1: Enable Guest account with RDP capability and admin privileges [windows]
|
||||
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -1150,7 +1150,7 @@
|
||||
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
|
||||
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1078.003 Local Accounts](../../T1078.003/T1078.003.md)
|
||||
- Atomic Test #1: Create local account with admin priviliges [windows]
|
||||
- Atomic Test #1: Create local account with admin privileges [windows]
|
||||
- T1566 Phishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1566.001 Spearphishing Attachment](../../T1566.001/T1566.001.md)
|
||||
@@ -1161,3 +1161,4 @@
|
||||
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1199 Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
|
||||
@@ -11581,7 +11581,7 @@ privilege-escalation:
|
||||
- Containers
|
||||
identifier: T1078.001
|
||||
atomic_tests:
|
||||
- name: Enable Guest account with RDP capability and admin priviliges
|
||||
- name: Enable Guest account with RDP capability and admin privileges
|
||||
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
|
||||
description: |
|
||||
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
|
||||
@@ -13739,7 +13739,7 @@ privilege-escalation:
|
||||
x_mitre_version: '1.1'
|
||||
identifier: T1078.003
|
||||
atomic_tests:
|
||||
- name: Create local account with admin priviliges
|
||||
- name: Create local account with admin privileges
|
||||
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
|
||||
description: After execution the new account will be active and added to the
|
||||
Administrators group
|
||||
@@ -21806,7 +21806,7 @@ defense-evasion:
|
||||
- Containers
|
||||
identifier: T1078.001
|
||||
atomic_tests:
|
||||
- name: Enable Guest account with RDP capability and admin priviliges
|
||||
- name: Enable Guest account with RDP capability and admin privileges
|
||||
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
|
||||
description: |
|
||||
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
|
||||
@@ -27356,7 +27356,7 @@ defense-evasion:
|
||||
x_mitre_version: '1.1'
|
||||
identifier: T1078.003
|
||||
atomic_tests:
|
||||
- name: Create local account with admin priviliges
|
||||
- name: Create local account with admin privileges
|
||||
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
|
||||
description: After execution the new account will be active and added to the
|
||||
Administrators group
|
||||
@@ -39900,7 +39900,7 @@ persistence:
|
||||
- Containers
|
||||
identifier: T1078.001
|
||||
atomic_tests:
|
||||
- name: Enable Guest account with RDP capability and admin priviliges
|
||||
- name: Enable Guest account with RDP capability and admin privileges
|
||||
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
|
||||
description: |
|
||||
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
|
||||
@@ -42006,7 +42006,7 @@ persistence:
|
||||
x_mitre_version: '1.1'
|
||||
identifier: T1078.003
|
||||
atomic_tests:
|
||||
- name: Create local account with admin priviliges
|
||||
- name: Create local account with admin privileges
|
||||
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
|
||||
description: After execution the new account will be active and added to the
|
||||
Administrators group
|
||||
@@ -68138,7 +68138,7 @@ initial-access:
|
||||
- Containers
|
||||
identifier: T1078.001
|
||||
atomic_tests:
|
||||
- name: Enable Guest account with RDP capability and admin priviliges
|
||||
- name: Enable Guest account with RDP capability and admin privileges
|
||||
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
|
||||
description: |
|
||||
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
|
||||
@@ -68637,7 +68637,7 @@ initial-access:
|
||||
x_mitre_version: '1.1'
|
||||
identifier: T1078.003
|
||||
atomic_tests:
|
||||
- name: Create local account with admin priviliges
|
||||
- name: Create local account with admin privileges
|
||||
auto_generated_guid: a524ce99-86de-4db6-b4f9-e08f35a47a15
|
||||
description: After execution the new account will be active and added to the
|
||||
Administrators group
|
||||
|
||||
@@ -6,12 +6,12 @@ Default accounts are not limited to client machines, rather also include account
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges](#atomic-test-1---enable-guest-account-with-rdp-capability-and-admin-priviliges)
|
||||
- [Atomic Test #1 - Enable Guest account with RDP capability and admin privileges](#atomic-test-1---enable-guest-account-with-rdp-capability-and-admin-privileges)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges
|
||||
## Atomic Test #1 - Enable Guest account with RDP capability and admin privileges
|
||||
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group,
|
||||
and desktop will allow multiple RDP connections.
|
||||
|
||||
|
||||
@@ -6,12 +6,12 @@ Local Accounts may also be abused to elevate privileges and harvest credentials
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Create local account with admin priviliges](#atomic-test-1---create-local-account-with-admin-priviliges)
|
||||
- [Atomic Test #1 - Create local account with admin privileges](#atomic-test-1---create-local-account-with-admin-privileges)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Create local account with admin priviliges
|
||||
## Atomic Test #1 - Create local account with admin privileges
|
||||
After execution the new account will be active and added to the Administrators group
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
Reference in New Issue
Block a user