Generated docs from job=generate-docs branch=master [ci skip]

This commit is contained in:
Atomic Red Team doc generator
2023-11-28 16:24:17 +00:00
parent f132339bf6
commit b16ca202be
9 changed files with 77 additions and 2 deletions
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
+1
View File
@@ -289,6 +289,7 @@ defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-04
defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
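Review bot: the added row's test name, "Activities To Disable Secondary Authentication Detected By Modified Registry Value.", ends with a period and is phrased as a detection outcome, unlike every neighbouring name in this index ("Allow Simultaneous Download Registry", "Modify Internet Zone Protocol Defaults in Current User Registry - cmd"), which names the adversary action. Drop the trailing period and name the action, for example "Disable Secondary Authentication Device via Registry", so that the CSV field, the markdown anchor and the YAML name stay consistent with the rest of the index.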
@@ -194,6 +194,7 @@ defense-evasion,T1112,Modify Registry,56,Snake Malware Registry Blob,8318ad20-04
defense-evasion,T1112,Modify Registry,57,Allow Simultaneous Download Registry,37950714-e923-4f92-8c7c-51e4b6fffbf6,command_prompt
defense-evasion,T1112,Modify Registry,58,Modify Internet Zone Protocol Defaults in Current User Registry - cmd,c88ef166-50fa-40d5-a80c-e2b87d4180f7,command_prompt
defense-evasion,T1112,Modify Registry,59,Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell,b1a4d687-ba52-4057-81ab-757c3dc0d3b5,powershell
defense-evasion,T1112,Modify Registry,60,Activities To Disable Secondary Authentication Detected By Modified Registry Value.,c26fb85a-fa50-4fab-a64a-c51f5dc538d5,command_prompt
defense-evasion,T1574.008,Hijack Execution Flow: Path Interception by Search Order Hijacking,1,powerShell Persistence via hijacking default modules - Get-Variable.exe,1561de08-0b4b-498e-8261-e922f3494aae,powershell
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,1,LockBit Black - Modify Group policy settings -cmd,9ab80952-74ee-43da-a98c-1e740a985f28,command_prompt
defense-evasion,T1484.001,Domain Policy Modification: Group Policy Modification,2,LockBit Black - Modify Group policy settings -Powershell,b51eae65-5441-4789-b8e8-64783c26c1d1,powershell
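Review bot: this row is the same entry added to the other CSV index above, and both files are produced by the generator named in the commit ("Generated docs from job=generate-docs"), so any correction to the test name, its trailing period or its description has to be made in the source atomic for T1112 rather than in these index files, or the next generation run will reintroduce it unchanged.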
@@ -358,6 +358,7 @@
- Atomic Test #57: Allow Simultaneous Download Registry [windows]
- Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
- Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
- Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -249,6 +249,7 @@
- Atomic Test #57: Allow Simultaneous Download Registry [windows]
- Atomic Test #58: Modify Internet Zone Protocol Defaults in Current User Registry - cmd [windows]
- Atomic Test #59: Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell [windows]
- Atomic Test #60: Activities To Disable Secondary Authentication Detected By Modified Registry Value. [windows]
- [T1574.008 Hijack Execution Flow: Path Interception by Search Order Hijacking](../../T1574.008/T1574.008.md)
- Atomic Test #1: powerShell Persistence via hijacking default modules - Get-Variable.exe [windows]
- T1027.001 Obfuscated Files or Information: Binary Padding [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
+18
View File
@@ -12740,6 +12740,24 @@ defense-evasion:
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
name: powershell
- name: Activities To Disable Secondary Authentication Detected By Modified Registry
Value.
auto_generated_guid: c26fb85a-fa50-4fab-a64a-c51f5dc538d5
description: |
Detect the disable secondary authentication activities that adversary attempt to bypass MFA and to get the unauthorized access to the system or sensitive data.
See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SecondaryAuthenticationFactor::MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice).
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor"
/v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor"
/v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
'
name: command_prompt
T1574.008:
technique:
modified: '2023-03-30T21:01:44.781Z'
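Review bot: the cleanup_command in the new block does not restore the pre-test state: it runs `reg add ... /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f`, which leaves an explicit policy value of 1 on a host that most likely had no `HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor` value at all before the test (policy not configured), so cleanup itself changes machine policy. Replace it with `reg delete "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /f`, or capture the existing value in a prerequisite step and restore exactly that.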
+18
View File
@@ -10165,6 +10165,24 @@ defense-evasion:
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'http' -Value 3
Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults' -Name 'https' -Value 3
name: powershell
- name: Activities To Disable Secondary Authentication Detected By Modified Registry
Value.
auto_generated_guid: c26fb85a-fa50-4fab-a64a-c51f5dc538d5
description: |
Detect the disable secondary authentication activities that adversary attempt to bypass MFA and to get the unauthorized access to the system or sensitive data.
See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SecondaryAuthenticationFactor::MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice).
supported_platforms:
- windows
executor:
command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor"
/v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 0 /f
'
cleanup_command: 'reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor"
/v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
'
name: command_prompt
T1574.008:
technique:
modified: '2023-03-30T21:01:44.781Z'
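Review bot: the description ("Detect the disable secondary authentication activities that adversary attempt to bypass MFA and to get the unauthorized access...") is ungrammatical, describes what a defender detects rather than what the test does, and overstates the effect: the linked policy value is `AllowSecondaryAuthenticationDevice`, so setting it to 0 disallows a secondary authentication device rather than bypassing MFA. Suggested wording: "Sets the AllowSecondaryAuthenticationDevice policy value to 0, disabling the use of a secondary authentication device. An adversary may do this to weaken authentication before accessing the system or sensitive data." Keep the admx.help reference as the source for the policy.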
+35
View File
@@ -128,6 +128,8 @@ The Registry of a remote system may be modified to aid in execution of files as
- [Atomic Test #59 - Modify Internet Zone Protocol Defaults in Current User Registry - PowerShell](#atomic-test-59---modify-internet-zone-protocol-defaults-in-current-user-registry---powershell)
- [Atomic Test #60 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.](#atomic-test-60---activities-to-disable-secondary-authentication-detected-by-modified-registry-value)
<br/>
@@ -2198,4 +2200,37 @@ Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet
<br/>
<br/>
## Atomic Test #60 - Activities To Disable Secondary Authentication Detected By Modified Registry Value.
Detect the disable secondary authentication activities that adversary attempt to bypass MFA and to get the unauthorized access to the system or sensitive data.
See the related article (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.SecondaryAuthenticationFactor::MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice).
**Supported Platforms:** Windows
**auto_generated_guid:** c26fb85a-fa50-4fab-a64a-c51f5dc538d5
#### Attack Commands: Run with `command_prompt`!
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 0 /f
```
#### Cleanup Commands:
```cmd
reg add "HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor" /v "AllowSecondaryAuthenticationDevice" /t REG_DWORD /d 1 /f
```
<br/>
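Review bot: the rendered "Attack Commands: Run with `command_prompt`!" heading carries no "Elevation Required (e.g. root or admin)" marker, which the doc generator emits only when the executor sets `elevation_required: true`; the command writes to `HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor`, which fails with access denied for a standard user, so the source atomic should set that flag so Invoke-AtomicTest warns before running it unelevated.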