Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2024-07-24 02:31:35 +00:00
parent c62a30637d
commit b0f5fc12dd
12 changed files with 110 additions and 3 deletions
@@ -2,7 +2,7 @@
# Atomic Red Team
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1614-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/validate-atomics.yml/badge.svg?branch=master) ![Atomics](https://img.shields.io/badge/Atomics-1615-flat.svg) ![GitHub Action Status](https://github.com/redcanaryco/atomic-red-team/actions/workflows/generate-docs.yml/badge.svg?branch=master)
Atomic Red Team™ is a library of tests mapped to the
[MITRE ATT&CK®](https://attack.mitre.org/) framework. Security teams can use
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@@ -343,6 +343,7 @@ defense-evasion,T1112,Modify Registry,86,Modify RDP-Tcp Initial Program Registry
defense-evasion,T1112,Modify Registry,87,Abusing MyComputer Disk Cleanup Path for Persistence,f2915249-4485-42e2-96b7-9bf34328d497,command_prompt
defense-evasion,T1112,Modify Registry,88,Abusing MyComputer Disk Fragmentation Path for Persistence,3235aafe-b49d-451b-a1f1-d979fa65ddaf,command_prompt
defense-evasion,T1112,Modify Registry,89,Abusing MyComputer Disk Backup Path for Persistence,599f3b5c-0323-44ed-bb63-4551623bf675,command_prompt
defense-evasion,T1112,Modify Registry,90,Adding custom paths for application execution,573d15da-c34e-4c59-a7d2-18f20d92dfa3,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
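Review bot: the new row's test name, "Adding custom paths for application execution", does not say which registry location is abused or what the effect is, unlike the neighbouring T1112 entries ("Abusing MyComputer Disk Cleanup Path for Persistence", and so on), which name both the key and the outcome. Since the test rewrites the (Default) value of an App Paths subkey so that launching one executable name starts a different binary, a name such as "Hijacking App Paths registry key to redirect application execution" would make the index searchable for the technique; the same string is duplicated in the yaml and markdown files in this commit and would need to change in the source T1112.yaml so the generator propagates it.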
@@ -245,6 +245,7 @@ defense-evasion,T1112,Modify Registry,86,Modify RDP-Tcp Initial Program Registry
defense-evasion,T1112,Modify Registry,87,Abusing MyComputer Disk Cleanup Path for Persistence,f2915249-4485-42e2-96b7-9bf34328d497,command_prompt
defense-evasion,T1112,Modify Registry,88,Abusing MyComputer Disk Fragmentation Path for Persistence,3235aafe-b49d-451b-a1f1-d979fa65ddaf,command_prompt
defense-evasion,T1112,Modify Registry,89,Abusing MyComputer Disk Backup Path for Persistence,599f3b5c-0323-44ed-bb63-4551623bf675,command_prompt
defense-evasion,T1112,Modify Registry,90,Adding custom paths for application execution,573d15da-c34e-4c59-a7d2-18f20d92dfa3,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
@@ -416,6 +416,7 @@
- Atomic Test #87: Abusing MyComputer Disk Cleanup Path for Persistence [windows]
- Atomic Test #88: Abusing MyComputer Disk Fragmentation Path for Persistence [windows]
- Atomic Test #89: Abusing MyComputer Disk Backup Path for Persistence [windows]
- Atomic Test #90: Adding custom paths for application execution [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -304,6 +304,7 @@
- Atomic Test #87: Abusing MyComputer Disk Cleanup Path for Persistence [windows]
- Atomic Test #88: Abusing MyComputer Disk Fragmentation Path for Persistence [windows]
- Atomic Test #89: Abusing MyComputer Disk Backup Path for Persistence [windows]
- Atomic Test #90: Adding custom paths for application execution [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -14331,6 +14331,35 @@ defense-evasion:
'
name: command_prompt
elevation_required: true
- name: Adding custom paths for application execution
auto_generated_guid: 573d15da-c34e-4c59-a7d2-18f20d92dfa3
description: "As per Microsoft,the entries found under App Paths are used primarily
to map an applications executable file name to that files fully qualified
path and to pre-pend information to the PATH environment variable on a per-application,
per-process basis. \nThe path can be modified to load a custom application
of choice. \nPost the registry changes of this test, when someone tries to
manually run msedge.exe via StartMenu/Run window , notepad will be launched.\n"
supported_platforms:
- windows
input_arguments:
app_name:
description: path of application to be modified
type: string
default: msedge.exe
new_path:
description: New App Path Added
type: string
default: C:\Windows\System32\notepad.exe
executor:
command: 'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App
Paths\#{app_name}" /t REG_SZ /d #{new_path} /f
'
cleanup_command: |
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /v (Default) /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /f
name: command_prompt
elevation_required: true
T1574.008:
technique:
modified: '2023-05-09T14:00:00.188Z'
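Review bot: in the executor command, `/d #{new_path}` is unquoted, so any `new_path` containing a space (for example anything under "C:\Program Files") is split into several arguments and `reg add` either fails or stores a truncated value; the cleanup line in the same test already quotes its `/d` argument, so the attack line should match it: `reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d "#{new_path}" /f`. Quoting also keeps the default value a single fully qualified path, which is what the ShellExecute lookup the description relies on expects to read.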
@@ -11685,6 +11685,35 @@ defense-evasion:
'
name: command_prompt
elevation_required: true
- name: Adding custom paths for application execution
auto_generated_guid: 573d15da-c34e-4c59-a7d2-18f20d92dfa3
description: "As per Microsoft,the entries found under App Paths are used primarily
to map an applications executable file name to that files fully qualified
path and to pre-pend information to the PATH environment variable on a per-application,
per-process basis. \nThe path can be modified to load a custom application
of choice. \nPost the registry changes of this test, when someone tries to
manually run msedge.exe via StartMenu/Run window , notepad will be launched.\n"
supported_platforms:
- windows
input_arguments:
app_name:
description: path of application to be modified
type: string
default: msedge.exe
new_path:
description: New App Path Added
type: string
default: C:\Windows\System32\notepad.exe
executor:
command: 'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App
Paths\#{app_name}" /t REG_SZ /d #{new_path} /f
'
cleanup_command: |
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /v (Default) /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /f
name: command_prompt
elevation_required: true
T1574.008:
technique:
modified: '2023-05-09T14:00:00.188Z'
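Review bot: the cleanup does not restore the pre-test state. `reg delete ... /v (Default) /f` targets a value literally named "(Default)" rather than the key's unnamed default value (which `reg delete` addresses with `/ve`), so that line is expected to report the value as not found. The following `reg add` then overwrites the default value with a hard-coded "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" regardless of `#{app_name}`: run with a different `app_name`, or on a host where Edge is not installed at that path or where the subkey did not exist before the test, cleanup leaves a foreign or dangling App Paths entry instead of the original. Suggest reading the existing default value before the change (for example with `reg query ... /ve` or a `reg export` of the subkey) and restoring it in cleanup, and deleting the whole subkey when it was created by the test.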
@@ -188,6 +188,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #89 - Abusing MyComputer Disk Backup Path for Persistence](#atomic-test-89---abusing-mycomputer-disk-backup-path-for-persistence)
- [Atomic Test #90 - Adding custom paths for application execution](#atomic-test-90---adding-custom-paths-for-application-execution)
<br/>
@@ -3244,4 +3246,45 @@ reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\Back
<br/>
<br/>
## Atomic Test #90 - Adding custom paths for application execution
As per Microsoft,the entries found under App Paths are used primarily to map an applications executable file name to that files fully qualified path and to pre-pend information to the PATH environment variable on a per-application, per-process basis.
The path can be modified to load a custom application of choice.
Post the registry changes of this test, when someone tries to manually run msedge.exe via StartMenu/Run window , notepad will be launched.
**Supported Platforms:** Windows
**auto_generated_guid:** 573d15da-c34e-4c59-a7d2-18f20d92dfa3
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| app_name | path of application to be modified | string | msedge.exe|
| new_path | New App Path Added | string | C:&#92;Windows&#92;System32&#92;notepad.exe|
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d #{new_path} /f
```
#### Cleanup Commands:
```cmd
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /v (Default) /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\#{app_name}" /t REG_SZ /d "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" /f
```
<br/>
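Review bot: the input documentation in the rendered table is misleading. `app_name` is described as "path of application to be modified", but the value (default `msedge.exe`) is the executable file name that becomes the App Paths subkey name, not a path; `new_path` ("New App Path Added") should say it is written as that subkey's (Default) value, i.e. the binary the shell will actually start when the name is resolved. The description also opens with "As per Microsoft" without citing the page it paraphrases; add the documentation URL so readers can check the App Paths semantics the test depends on. Both fixes belong in the source T1112.yaml, since this markdown is generated from it.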
@@ -1359,6 +1359,7 @@ atomic_tests:
elevation_required: true
- name: Adding custom paths for application execution
auto_generated_guid: 573d15da-c34e-4c59-a7d2-18f20d92dfa3
description: |
As per Microsoft,the entries found under App Paths are used primarily to map an applications executable file name to that files fully qualified path and to pre-pend information to the PATH environment variable on a per-application, per-process basis.
The path can be modified to load a custom application of choice.
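Review bot: the description should state the scope of the effect. App Paths entries are consulted when a bare executable name is resolved through the shell (the Run dialog, Start menu search, ShellExecute callers such as `start`), so the claim that running msedge.exe from "StartMenu/Run window" launches notepad is correct, but typing `msedge.exe` in cmd.exe, which resolves through the current directory and PATH, is not affected; saying so prevents testers from reporting a failed detection when they validate from a console. Since the test writes under HKEY_LOCAL_MACHINE and sets `elevation_required: true`, it might also be worth noting that a per-user variant under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths exists, which would let a follow-up test exercise the same hijack without administrator rights.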
@@ -1653,3 +1653,4 @@ f2915249-4485-42e2-96b7-9bf34328d497
17d1a3cc-3373-495a-857a-e5dd005fb302
6904235f-0f55-4039-8aed-41c300ff7733
004a5d68-627b-452d-af3d-43bd1fc75a3b
573d15da-c34e-4c59-a7d2-18f20d92dfa3