Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2019-11-18 15:31:37 +00:00
parent cf3e90ec91
commit b3917a661f
10 changed files with 579 additions and 36 deletions
+31
View File
@@ -0,0 +1,31 @@
# T1023 - Shortcut Modification
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1023)
<blockquote>Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.</blockquote>
## Atomic Tests
- [Atomic Test #1 - Shortcut Modification](#atomic-test-1---shortcut-modification)
<br/>
## Atomic Test #1 - Shortcut Modification
This test to simulate shortcut modification and then execute. example shortcut (*.lnk , .url) strings check with powershell;
gci -path "C:\Users" -recurse -include *.url -ea SilentlyContinue | Select-String -Pattern "exe" | FL
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| shortcut_file_path | shortcut modified and execute | path | shortcutname.url|
#### Run it with `command_prompt`!
```
echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe >> #{shortcut_file_path} && #{shortcut_file_path}
```
<br/>
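Review bot: the executor command at the end of this hunk writes the `[InternetShortcut]` header to `test.url` but appends the `URL=` line to, and then executes, `#{shortcut_file_path}` (default `shortcutname.url`); unless the input is set to `test.url`, the file that runs has no section header and a stray `test.url` is left behind. Suggest `echo [InternetShortcut] > #{shortcut_file_path}` so all three steps touch the same file, and a cleanup step that deletes it once the test has executed.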
+43
View File
@@ -0,0 +1,43 @@
# T1044 - File System Permissions Weakness
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1044)
<blockquote>Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
### Services
Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.
### Executable Installers
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)</blockquote>
## Atomic Tests
- [Atomic Test #1 - File System Permissions Weakness](#atomic-test-1---file-system-permissions-weakness)
<br/>
## Atomic Test #1 - File System Permissions Weakness
This test to show checking file system permissions weakness and which can lead to privilege escalation by replacing malicious file. Example; check weak file permission and then replace.
powershell -c "Get-WmiObject win32_service | select PathName" (check service file location) and
copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe ( replace weak permission file with malicious file )
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_permission_file | check weak files permission | path | GoogleUpdate.exe|
#### Run it with `powershell`!
```
Get-WmiObject win32_service | select PathName
get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | findstr "FullControl"
```
<br/>
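Review bot: the description in this hunk promises a two-step test (locate service binaries, then `copy /Y` over a weakly permissioned file), but the `powershell` executor only runs `Get-WmiObject` and `get-acl`, so nothing is replaced; either state that the test is an enumeration-only check or rename it accordingly. The `weak_permission_file` input is typed `path`, yet the executor hard-codes `C:\Program Files (x86)\Google\Update\` in front of it, so the argument is really a bare file name; making the full path the input (with the Google Update path as the default) would let the test be pointed at other locations.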
+36
View File
@@ -0,0 +1,36 @@
# T1058 - Service Registry Permissions Weakness
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1058)
<blockquote>Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)
If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
Adversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)</blockquote>
## Atomic Tests
- [Atomic Test #1 - Service Registry Permissions Weakness](#atomic-test-1---service-registry-permissions-weakness)
<br/>
## Atomic Test #1 - Service Registry Permissions Weakness
Service registry permissions weakness check and then which can lead to privilege escalation with ImagePath. eg.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| weak_service_name | weak service check | Registry | weakservicename|
#### Run it with `powershell`!
```
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
```
<br/>
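Review bot: the description quotes a `reg add ... /v ImagePath` command that the executor never runs; the executor only dumps ACLs for every key under `HKLM\SYSTEM\CurrentControlSet\Services` and then for `#{weak_service_name}`. The default `weakservicename` is not an existing service, so the second `get-acl` fails with a path-not-found error out of the box; either document that the input must name a real service or choose a default that exists. The first line, `get-acl ...\Services\* |FL`, prints the ACL of every service key in `Format-List` form, which is far more output than a test about one key needs; dropping it or filtering it would keep the result readable.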
+11 -7
View File
@@ -6,14 +6,13 @@ Windows 7 and higher with KB2871997 require valid domain user credentials or RID
## Atomic Tests
- [Atomic Test #1 - Mimikatz Pass the Hash](#atomic-test-1---mimikatz-pass-the-hash)
- [Atomic Test #1 - crackmapexec Pass the Hash](#atomic-test-1---crackmapexec-pass-the-hash)
<br/>
## Atomic Test #1 - Mimikatz Pass the Hash
Note: must dump hashes first
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
## Atomic Test #1 - crackmapexec Pass the Hash
command execute with crackmapexec
**Supported Platforms:** Windows
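Review bot: the hunk header (`-6,14 +6,13`) and the test list at the top suggest the Mimikatz Pass the Hash entry and section are being replaced by the crackmapexec ones rather than added next to them, and the replacement keeps the `Atomic Test #1` numbering. If two tests are intended, the crackmapexec section should be `Atomic Test #2` (anchor `#atomic-test-2---crackmapexec-pass-the-hash`) with the Mimikatz section, its "must dump hashes first" note and its reference link retained; if Mimikatz is meant to go, the commit should say so.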
@@ -23,13 +22,18 @@ Note: must dump hashes first
|------|-------------|------|---------------|
| user_name | username | string | Administrator|
| domain | domain | string | atomic.local|
| ntlm | ntlm hash | string | cc36cf7a8514893efccd3324464tkg1a|
| ntlm | command | string | cc36cf7a8514893efccd3324464tkg1a|
| command | command to execute | string | whoami|
#### Run it with `command_prompt`!
```
mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
```
#### Commands to Check Prerequisites:
```
powershell -c if(Test-Path C:\CrackMapExecWin\crackmapexec.exe) { 0 } else { -1 }
```
<br/>
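Review bot: the `ntlm` input row changes its description from `ntlm hash` to `command`, which is a regression: the value is still passed as the hash via `-H #{ntlm}`, and `command` is the description of the new `command` row beneath it. Restore `ntlm hash`. Separately, the prerequisite check tests for `C:\CrackMapExecWin\crackmapexec.exe` while the executor invokes a bare `crackmapexec`, so a host that passes the check can still fail the run unless that directory is on `PATH`; calling the full path in the command (or exposing it as an input) keeps the two consistent.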
File diff suppressed because one or more lines are too long
+11 -6
View File
@@ -46,7 +46,8 @@
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1519 Emond [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1044 File System Permissions Weakness](./T1044/T1044.md)
- Atomic Test #1: File System Permissions Weakness [windows]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
@@ -124,12 +125,14 @@
- Atomic Test #1: Modify SSP configuration in registry [windows]
- [T1505 Server Software Component](./T1505/T1505.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, centos, ubuntu, linux]
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1023 Shortcut Modification](./T1023/T1023.md)
- Atomic Test #1: Shortcut Modification [windows]
- [T1165 Startup Items](./T1165/T1165.md)
- Atomic Test #1: Startup Items [macos]
- Atomic Test #2: Startup Items (emond rule) [macos]
@@ -423,7 +426,8 @@
- T1519 Emond [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1044 File System Permissions Weakness](./T1044/T1044.md)
- Atomic Test #1: File System Permissions Weakness [windows]
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
@@ -453,7 +457,8 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- [T1166 Setuid and Setgid](./T1166/T1166.md)
- Atomic Test #1: Setuid and Setgid [macos, centos, ubuntu, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, centos, ubuntu, linux]
@@ -796,7 +801,7 @@
- Atomic Test #1: Logon Scripts [windows]
- Atomic Test #2: Logon Scripts - Mac [macos]
- [T1075 Pass the Hash](./T1075/T1075.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #1: crackmapexec Pass the Hash [windows]
- [T1097 Pass the Ticket](./T1097/T1097.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
+425 -6
View File
@@ -1500,6 +1500,92 @@ persistence:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
cmd.exe /k %APPDATA%\updater.exe
T1044:
technique:
x_mitre_permissions_required:
- Administrator
- User
x_mitre_data_sources:
- File monitoring
- Services
- Process command-line parameters
name: File System Permissions Weakness
description: |-
Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
### Services
Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.
### Executable Installers
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)
id: attack-pattern--0ca7beef-9bbc-4e35-97cf-437384ddce6a
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: |-
Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- Stefan Kanthak
- Travis Smith, Tripwire
created: '2017-05-31T21:30:43.063Z'
x_mitre_effective_permissions:
- SYSTEM
- User
- Administrator
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
external_references:
- external_id: T1044
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1044
- source_name: capec
external_id: CAPEC-17
url: https://capec.mitre.org/data/definitions/17.html
- source_name: Mozilla Firefox Installer DLL Hijack
description: Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory
2012-98. Retrieved March 10, 2017.
url: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/
- source_name: Seclists Kanthak 7zip Installer
description: "Kanthak, S. (2015, December 8). Executable installers are vulnerable^WEVIL
(case 7): 7z*.exe\tallows remote code execution with escalation of privilege.
Retrieved March 10, 2017."
url: http://seclists.org/fulldisclosure/2015/Dec/34
modified: '2019-07-17T21:22:37.100Z'
identifier: T1044
atomic_tests:
- name: File System Permissions Weakness
description: "This test to show checking file system permissions weakness and
which can lead to privilege escalation by replacing malicious file. Example;
check weak file permission and then replace.\npowershell -c \"Get-WmiObject
win32_service | select PathName\" (check service file location) and \ncopy
/Y C:\\temp\\payload.exe C:\\ProgramData\\folder\\Update\\weakpermissionfile.exe
\ ( replace weak permission file with malicious file )\n"
supported_platforms:
- windows
input_arguments:
weak_permission_file:
description: check weak files permission
type: path
default: GoogleUpdate.exe
executor:
name: powershell
elevation_required: false
command: |
Get-WmiObject win32_service | select PathName
get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | findstr "FullControl"
T1158:
technique:
x_mitre_data_sources:
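Review bot: the T1044 `description:` in this hunk is a double-quoted YAML scalar carrying embedded command lines, manual `\n` breaks and an escaped space (`\ ( replace`), which is what produces the run-on text in the generated Markdown earlier in this commit. In the source atomic YAML, writing the description as a `|` block scalar (as `command:` already is) with the two example commands on their own lines would render cleanly and remove the escaping.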
@@ -4187,6 +4273,92 @@ persistence:
Disable-TransportAgent #{transport_agent_identity}
Uninstall-TransportAgent #{transport_agent_identity}
Get-TransportAgent
T1058:
technique:
x_mitre_data_sources:
- Process command-line parameters
- Services
- Windows Registry
x_mitre_permissions_required:
- Administrator
- SYSTEM
name: Service Registry Permissions Weakness
description: |-
Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)
If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
Adversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)
id: attack-pattern--39a130e1-6ab7-434a-8bd2-418e7d9d6427
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.1'
x_mitre_system_requirements:
- Ability to modify service values in the Registry
type: attack-pattern
x_mitre_detection: |-
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: TechNet Autoruns) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086), so additional logging may need to be configured to gather the appropriate data.
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- Travis Smith, Tripwire
created: '2017-05-31T21:30:49.119Z'
x_mitre_effective_permissions:
- SYSTEM
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
external_references:
- external_id: T1058
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1058
- source_name: capec
external_id: CAPEC-478
url: https://capec.mitre.org/data/definitions/478.html
- source_name: MSDN Registry Key Security
description: Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved
March 16, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx
- description: 'Hull, D. (2014, May 3). Kansa: Service related collectors and
analysis. Retrieved October 10, 2019.'
source_name: TrustedSignal Service Failure
url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
- source_name: Twitter Service Recovery Nov 2017
description: The Cyber (@r0wdy_). (2017, November 30). Service Recovery Parameters.
Retrieved April 9, 2018.
url: https://twitter.com/r0wdy_/status/936365549553991680
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
modified: '2019-10-11T02:52:39.175Z'
identifier: T1058
atomic_tests:
- name: Service Registry Permissions Weakness
description: "Service registry permissions weakness check and then which can
lead to privilege escalation with ImagePath. eg. \nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\"
/v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n"
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service check
type: Registry
default: weakservicename
executor:
name: powershell
elevation_required: false
command: |
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
T1166:
technique:
x_mitre_data_sources:
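Review bot: `type: Registry` on the `weak_service_name` input does not match the input types used elsewhere in this file (`path`, `string`); the value is a service name, so `string` is the right type. Also worth stating in the description that `elevation_required: false` is correct only because the executor reads ACLs and never performs the `reg add` the description quotes; as written, readers will expect the ImagePath change to happen.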
@@ -4298,6 +4470,73 @@ persistence:
command: |
sudo chown root #{file_to_setuid}
sudo chmod g+s #{file_to_setuid}
T1023:
technique:
x_mitre_permissions_required:
- User
- Administrator
x_mitre_data_sources:
- File monitoring
- Process monitoring
- Process command-line parameters
name: Shortcut Modification
description: Shortcuts or symbolic links are ways of referencing other files
or programs that will be opened or executed when the shortcut is clicked or
executed by a system startup process. Adversaries could use shortcuts to execute
their tools for persistence. They may create a new shortcut as a means of
indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036)
to look like a legitimate program. Adversaries could also edit the target
path or entirely replace an existing shortcut so their tools will be executed
instead of the intended legitimate program.
id: attack-pattern--970cdb5c-02fb-4c38-b17e-d6327cf3c810
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: Since a shortcut's target path likely will not change, modifications
to shortcut files that do not correlate with known software changes, patches,
removal, etc., may be suspicious. Analysis should attempt to relate shortcut
file change or creation events to other potentially suspicious events based
on known adversary behavior such as process launches of unknown executables
that make network connections.
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- Travis Smith, Tripwire
created: '2017-05-31T21:30:30.757Z'
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
external_references:
- external_id: T1023
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1023
- source_name: capec
external_id: CAPEC-132
url: https://capec.mitre.org/data/definitions/132.html
modified: '2019-07-18T19:28:08.364Z'
identifier: T1023
atomic_tests:
- name: Shortcut Modification
description: "This test to simulate shortcut modification and then execute.
example shortcut (*.lnk , .url) strings check with powershell; \ngci -path
\"C:\\Users\" -recurse -include *.url -ea SilentlyContinue | Select-String
-Pattern \"exe\" | FL \n"
supported_platforms:
- windows
input_arguments:
shortcut_file_path:
description: shortcut modified and execute
type: path
default: shortcutname.url
executor:
name: command_prompt
elevation_required: false
command: 'echo [InternetShortcut] > test.url && echo URL=C:\windows\system32\calc.exe
>> #{shortcut_file_path} && #{shortcut_file_path}
'
T1165:
technique:
x_mitre_permissions_required:
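Review bot: the T1023 `command:` creates `test.url` and `#{shortcut_file_path}` and then executes the shortcut, but there is no `cleanup_command`, so both files stay behind after the test. Add a `cleanup_command` that deletes them. The default `shortcutname.url` is also a relative path, so where the file lands depends on the executor's working directory; an absolute default such as `%TEMP%\shortcutname.url` makes the artifact location predictable for anyone validating detections.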
@@ -12425,6 +12664,92 @@ privilege-escalation:
copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\updater.exe
copy %windir%\System32\amsi.dll %APPDATA%\amsi.dll
cmd.exe /k %APPDATA%\updater.exe
T1044:
technique:
x_mitre_permissions_required:
- Administrator
- User
x_mitre_data_sources:
- File monitoring
- Services
- Process command-line parameters
name: File System Permissions Weakness
description: |-
Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.
### Services
Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.
### Executable Installers
Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)
id: attack-pattern--0ca7beef-9bbc-4e35-97cf-437384ddce6a
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.0'
type: attack-pattern
x_mitre_detection: |-
Look for changes to binaries and service executables that may normally occur during software updates. If an executable is written, renamed, and/or moved to match an existing service executable, it could be detected and correlated with other suspicious behavior. Hashing of binaries and service executables could be used to detect replacement against historical data.
Look for abnormal process call trees from typical processes and services and for execution of other commands that could relate to Discovery or other adversary techniques.
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- Stefan Kanthak
- Travis Smith, Tripwire
created: '2017-05-31T21:30:43.063Z'
x_mitre_effective_permissions:
- SYSTEM
- User
- Administrator
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
external_references:
- external_id: T1044
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1044
- source_name: capec
external_id: CAPEC-17
url: https://capec.mitre.org/data/definitions/17.html
- source_name: Mozilla Firefox Installer DLL Hijack
description: Kugler, R. (2012, November 20). Mozilla Foundation Security Advisory
2012-98. Retrieved March 10, 2017.
url: https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/
- source_name: Seclists Kanthak 7zip Installer
description: "Kanthak, S. (2015, December 8). Executable installers are vulnerable^WEVIL
(case 7): 7z*.exe\tallows remote code execution with escalation of privilege.
Retrieved March 10, 2017."
url: http://seclists.org/fulldisclosure/2015/Dec/34
modified: '2019-07-17T21:22:37.100Z'
identifier: T1044
atomic_tests:
- name: File System Permissions Weakness
description: "This test to show checking file system permissions weakness and
which can lead to privilege escalation by replacing malicious file. Example;
check weak file permission and then replace.\npowershell -c \"Get-WmiObject
win32_service | select PathName\" (check service file location) and \ncopy
/Y C:\\temp\\payload.exe C:\\ProgramData\\folder\\Update\\weakpermissionfile.exe
\ ( replace weak permission file with malicious file )\n"
supported_platforms:
- windows
input_arguments:
weak_permission_file:
description: check weak files permission
type: path
default: GoogleUpdate.exe
executor:
name: powershell
elevation_required: false
command: |
Get-WmiObject win32_service | select PathName
get-acl "C:\Program Files (x86)\Google\Update\#{weak_permission_file}" | FL | findstr "FullControl"
T1179:
technique:
x_mitre_data_sources:
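Review bot: the executor in this T1044 test never performs the replacement its description promises; `Get-WmiObject win32_service | select PathName` and `get-acl ... | FL | findstr "FullControl"` only enumerate, so this is a discovery check, and the description (which shows `copy /Y C:\temp\payload.exe C:\ProgramData\folder\Update\weakpermissionfile.exe`) should say so, or the copy step should be added as a separate, clearly labelled command with a cleanup that restores the original binary. Two smaller points: `findstr "FullControl"` matches every FullControl ACE, including the ones expected for `NT AUTHORITY\SYSTEM` and `BUILTIN\Administrators`, so a hit does not by itself indicate a weakness; filter on the principal (`BUILTIN\Users`, `Everyone`, `NT AUTHORITY\Authenticated Users`) and on write rights (`Write`, `Modify`, `FullControl`) instead. And `weak_permission_file` is typed `path` but is interpolated as a bare file name under a hard-coded `C:\Program Files (x86)\Google\Update\` directory; either make the argument the full path or document that only the file name is expected. The description text ("This test to show checking file system permissions weakness and which can lead to ...") also needs a grammar pass.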
@@ -13519,6 +13844,92 @@ privilege-escalation:
"Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
'
T1058:
technique:
x_mitre_data_sources:
- Process command-line parameters
- Services
- Windows Registry
x_mitre_permissions_required:
- Administrator
- SYSTEM
name: Service Registry Permissions Weakness
description: |-
Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service's Registry keys can be manipulated to modify a service's execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)
If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).
Adversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)
id: attack-pattern--39a130e1-6ab7-434a-8bd2-418e7d9d6427
x_mitre_platforms:
- Windows
object_marking_refs:
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
x_mitre_version: '1.1'
x_mitre_system_requirements:
- Ability to modify service values in the Registry
type: attack-pattern
x_mitre_detection: |-
Service changes are reflected in the Registry. Modification to existing services should not occur frequently. If a service binary path or failure parameters are changed to values that are not typical for that service and does not correlate with software updates, then it may be due to malicious activity. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current service information. (Citation: TechNet Autoruns) Look for changes to services that do not correlate with known software, patch cycles, etc. Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data.
Monitor processes and command-line arguments for actions that could be done to modify services. Remote access tools with built-in features may interact directly with the Windows API to perform these functions outside of typical system utilities. Services may also be changed through Windows system management tools such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and [PowerShell](https://attack.mitre.org/techniques/T1086), so additional logging may need to be configured to gather the appropriate data.
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
x_mitre_contributors:
- Matthew Demaske, Adaptforward
- Travis Smith, Tripwire
created: '2017-05-31T21:30:49.119Z'
x_mitre_effective_permissions:
- SYSTEM
kill_chain_phases:
- kill_chain_name: mitre-attack
phase_name: persistence
- kill_chain_name: mitre-attack
phase_name: privilege-escalation
external_references:
- external_id: T1058
source_name: mitre-attack
url: https://attack.mitre.org/techniques/T1058
- source_name: capec
external_id: CAPEC-478
url: https://capec.mitre.org/data/definitions/478.html
- source_name: MSDN Registry Key Security
description: Microsoft. (n.d.). Registry Key Security and Access Rights. Retrieved
March 16, 2017.
url: https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx
- description: 'Hull, D. (2014, May 3). Kansa: Service related collectors and
analysis. Retrieved October 10, 2019.'
source_name: TrustedSignal Service Failure
url: https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
- source_name: Twitter Service Recovery Nov 2017
description: The Cyber (@r0wdy_). (2017, November 30). Service Recovery Parameters.
Retrieved April 9, 2018.
url: https://twitter.com/r0wdy_/status/936365549553991680
- source_name: TechNet Autoruns
description: Russinovich, M. (2016, January 4). Autoruns for Windows v13.51.
Retrieved June 6, 2016.
url: https://technet.microsoft.com/en-us/sysinternals/bb963902
modified: '2019-10-11T02:52:39.175Z'
identifier: T1058
atomic_tests:
- name: Service Registry Permissions Weakness
description: "Service registry permissions weakness check and then which can
lead to privilege escalation with ImagePath. eg. \nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Services\\#{weak_service_name}\"
/v ImagePath /d \"C:\\temp\\AtomicRedteam.exe\"\n"
supported_platforms:
- windows
input_arguments:
weak_service_name:
description: weak service check
type: Registry
default: weakservicename
executor:
name: powershell
elevation_required: false
command: |
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name} |FL
T1166:
technique:
x_mitre_data_sources:
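Review bot: `type: Registry` for `weak_service_name` is not a type used anywhere else in this file (the T1044 test above uses `path`, the T1075 test below uses `string`); the value is a service key name, so `string` is the consistent choice. The default `weakservicename` does not correspond to an existing service, so the second `get-acl` line fails with a path-not-found error on a clean run; either point the default at a real service the test is meant to inspect or document that the argument must be supplied. As with T1044, the executor only reads ACLs while the description shows a `reg add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /v ImagePath /d "C:\temp\AtomicRedteam.exe"` modification; make the description match what the command does (a discovery check), and if the write step is intended it needs `elevation_required: true` plus a cleanup that restores the original `ImagePath`. It would also help to state which ACE the reader should look for: `SetValue` or `FullControl` granted to `BUILTIN\Users`, `Everyone` or `Authenticated Users` on the service key, since SYSTEM and Administrators are expected to have `FullControl` and will appear in every `FL` listing.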
@@ -22521,10 +22932,10 @@ lateral-movement:
modified: '2019-07-18T16:56:39.990Z'
identifier: T1075
atomic_tests:
- name: Mimikatz Pass the Hash
description: |
Note: must dump hashes first
[Reference](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#pth)
- name: crackmapexec Pass the Hash
description: 'command execute with crackmapexec
'
supported_platforms:
- windows
input_arguments:
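Review bot: this hunk replaces the Mimikatz Pass the Hash test outright instead of adding the crackmapexec variant as a second test; `sekurlsa::pth` is a distinct procedure (local token manipulation rather than remote SMB execution) and the `[Reference]` link to the mimikatz wiki is lost with it, so keeping both preserves coverage and avoids renumbering (the index further down now lists a different "Atomic Test #1"). The new description, `command execute with crackmapexec`, should say what the test does: run a command on a remote host over SMB by authenticating with an NTLM hash instead of a password, and it should carry over the prerequisite the removed test stated (`Note: must dump hashes first`).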
@@ -22537,14 +22948,22 @@ lateral-movement:
type: string
default: atomic.local
ntlm:
description: ntlm hash
description: command
type: string
default: cc36cf7a8514893efccd3324464tkg1a
command:
description: command to execute
type: string
default: whoami
executor:
name: command_prompt
command: 'mimikatz # sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}
elevation_required: false
prereq_command: 'powershell -c if(Test-Path C:\CrackMapExecWin\crackmapexec.exe)
{ 0 } else { -1 }
'
command: "crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
\n"
T1097:
technique:
x_mitre_data_sources:
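Review bot: the `ntlm` argument's description was changed from `ntlm hash` to `command`, which is wrong and now duplicates the new `command` argument's `command to execute`; revert it to `ntlm hash`. The placeholder default `cc36cf7a8514893efccd3324464tkg1a` is not valid hex (it contains `t`, `k` and `g`), so running with defaults produces a tool parsing error rather than a clean authentication failure; use a 32-character hex placeholder. `crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}` passes the domain (`atomic.local`) as the first positional argument, which crackmapexec treats as the target host or range; the domain belongs in `-d` and the test needs a separate `target` input argument. Lastly, `prereq_command` checks for `C:\CrackMapExecWin\crackmapexec.exe` but the command invokes a bare `crackmapexec` from PATH; invoke the same path in both, and add a `get_prereq_command` (or at least a note) describing how to obtain the binary so the prerequisite is satisfiable.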
+5 -5
View File
@@ -13,20 +13,20 @@
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Emond [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Remote Desktop Protocol](./T1076/T1076.md) | [Email Collection](./T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](./T1042/T1042.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Password Policy Discovery](./T1201/T1201.md) | [Remote File Copy](./T1105/T1105.md) | [Input Capture](./T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [InstallUtil](./T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Connection Proxy](./T1090/T1090.md) | [Input Prompt](./T1141/T1141.md) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [File System Permissions Weakness](./T1044/T1044.md) | [Connection Proxy](./T1090/T1090.md) | [Input Prompt](./T1141/T1141.md) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Launchctl](./T1152/T1152.md) | [Create Account](./T1136/T1136.md) | [Hooking](./T1179/T1179.md) | [Control Panel Items](./T1196/T1196.md) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](./T1057/T1057.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Local Job Scheduling](./T1168/T1168.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [DCShadow](./T1207/T1207.md) | [Keychain](./T1142/T1142.md) | [Query Registry](./T1012/T1012.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](./T1160/T1160.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](./T1018/T1018.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | Emond [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [New Service](./T1050/T1050.md) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Security Software Discovery](./T1063/T1063.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Password Filter DLL](./T1174/T1174.md) | [Software Discovery](./T1518/T1518.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](./T1089/T1089.md) | [Private Keys](./T1145/T1145.md) | [System Information Discovery](./T1082/T1082.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Plist Modification](./T1150/T1150.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | [Windows Remote Management](./T1028/T1028.md) | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Connections Discovery](./T1049/T1049.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | [PowerShell Profile](./T1504/T1504.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Owner/User Discovery](./T1033/T1033.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Process Injection](./T1055/T1055.md) | [File Deletion](./T1107/T1107.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Service Discovery](./T1007/T1007.md) | | | | |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](./T1124/T1124.md) | | | | |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | [Kernel Modules and Extensions](./T1215/T1215.md) | [Scheduled Task](./T1053/T1053.md) | [File and Directory Permissions Modification](./T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | |
| | [Source](./T1153/T1153.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Gatekeeper Bypass](./T1144/T1144.md) | | | | | | |
| | [Source](./T1153/T1153.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](./T1058/T1058.md) | [Gatekeeper Bypass](./T1144/T1144.md) | | | | | | |
| | [Space after Filename](./T1151/T1151.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Agent](./T1159/T1159.md) | [Startup Items](./T1165/T1165.md) | [HISTCONTROL](./T1148/T1148.md) | | | | | | |
| | [Trap](./T1154/T1154.md) | [Launch Daemon](./T1160/T1160.md) | [Sudo](./T1169/T1169.md) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
@@ -52,9 +52,9 @@
| | | [Screensaver](./T1180/T1180.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Security Support Provider](./T1101/T1101.md) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Server Software Component](./T1505/T1505.md) | | Process Hollowing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | [Service Registry Permissions Weakness](./T1058/T1058.md) | | [Process Injection](./T1055/T1055.md) | | | | | | |
| | | [Setuid and Setgid](./T1166/T1166.md) | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | [Shortcut Modification](./T1023/T1023.md) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | [Startup Items](./T1165/T1165.md) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | [Systemd Service](./T1501/T1501.md) | | [Rootkit](./T1014/T1014.md) | | | | | | |
+11 -6
View File
@@ -199,7 +199,8 @@
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1044 File System Permissions Weakness](./T1044/T1044.md)
- Atomic Test #1: File System Permissions Weakness [windows]
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- [T1183 Image File Execution Options Injection](./T1183/T1183.md)
@@ -223,7 +224,8 @@
- Atomic Test #1: At.exe Scheduled task [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1100 Web Shell](./T1100/T1100.md)
- Atomic Test #1: Web Shell Written to Disk [windows]
@@ -267,7 +269,8 @@
- [T1038 DLL Search Order Hijacking](./T1038/T1038.md)
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1133 External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1044 File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1044 File System Permissions Weakness](./T1044/T1044.md)
- Atomic Test #1: File System Permissions Weakness [windows]
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #4: Create Windows System File with Attrib [windows]
- Atomic Test #5: Create Windows Hidden File with Attrib [windows]
@@ -313,8 +316,10 @@
- Atomic Test #1: Modify SSP configuration in registry [windows]
- [T1505 Server Software Component](./T1505/T1505.md)
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1058 Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1023 Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1058 Service Registry Permissions Weakness](./T1058/T1058.md)
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- [T1023 Shortcut Modification](./T1023/T1023.md)
- Atomic Test #1: Shortcut Modification [windows]
- T1019 System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1209 Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -475,7 +480,7 @@
- [T1037 Logon Scripts](./T1037/T1037.md)
- Atomic Test #1: Logon Scripts [windows]
- [T1075 Pass the Hash](./T1075/T1075.md)
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #1: crackmapexec Pass the Hash [windows]
- [T1097 Pass the Ticket](./T1097/T1097.md)
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- [T1076 Remote Desktop Protocol](./T1076/T1076.md)
+5 -5
View File
@@ -10,18 +10,18 @@
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Ticket](./T1097/T1097.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](./T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](./T1040/T1040.md) | [Remote Desktop Protocol](./T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Password Policy Discovery](./T1201/T1201.md) | [Remote File Copy](./T1105/T1105.md) | [Email Collection](./T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](./T1042/T1042.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](./T1042/T1042.md) | [File System Permissions Weakness](./T1044/T1044.md) | [Component Object Model Hijacking](./T1122/T1122.md) | [Input Capture](./T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](./T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](./T1179/T1179.md) | [Connection Proxy](./T1090/T1090.md) | [Input Prompt](./T1141/T1141.md) | [Permission Groups Discovery](./T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](./T1122/T1122.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Control Panel Items](./T1196/T1196.md) | Kerberoasting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Discovery](./T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](./T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Mshta](./T1170/T1170.md) | [Create Account](./T1136/T1136.md) | [New Service](./T1050/T1050.md) | [DCShadow](./T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](./T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [PowerShell](./T1086/T1086.md) | [DLL Search Order Hijacking](./T1038/T1038.md) | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](./T1038/T1038.md) | [Network Sniffing](./T1040/T1040.md) | [Remote System Discovery](./T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Filter DLL](./T1174/T1174.md) | [Security Software Discovery](./T1063/T1063.md) | [Windows Admin Shares](./T1077/T1077.md) | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Regsvr32](./T1117/T1117.md) | File System Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Software Discovery](./T1518/T1518.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](./T1044/T1044.md) | Port Monitors [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Deobfuscate/Decode Files or Information](./T1140/T1140.md) | [Private Keys](./T1145/T1145.md) | [Software Discovery](./T1518/T1518.md) | [Windows Remote Management](./T1028/T1028.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [PowerShell Profile](./T1504/T1504.md) | [Disabling Security Tools](./T1089/T1089.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](./T1082/T1082.md) | | | | [Standard Application Layer Protocol](./T1071/T1071.md) |
| | [Scheduled Task](./T1053/T1053.md) | [Hooking](./T1179/T1179.md) | [Process Injection](./T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Network Configuration Discovery](./T1016/T1016.md) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Scripting](./T1064/T1064.md) | [Hypervisor](./T1062/T1062.md) | SID-History Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Connections Discovery](./T1049/T1049.md) | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Service Execution](./T1035/T1035.md) | [Image File Execution Options Injection](./T1183/T1183.md) | [Scheduled Task](./T1053/T1053.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Owner/User Discovery](./T1033/T1033.md) | | | | [Uncommonly Used Port](./T1065/T1065.md) |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File Deletion](./T1107/T1107.md) | | [System Service Discovery](./T1007/T1007.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Signed Binary Proxy Execution](./T1218/T1218.md) | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Registry Permissions Weakness](./T1058/T1058.md) | [File Deletion](./T1107/T1107.md) | | [System Service Discovery](./T1007/T1007.md) | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
| | [Signed Script Proxy Execution](./T1216/T1216.md) | [Logon Scripts](./T1037/T1037.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | File System Logical Offsets [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Time Discovery](./T1124/T1124.md) | | | | |
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Modify Existing Service](./T1031/T1031.md) | [Web Shell](./T1100/T1100.md) | [File and Directory Permissions Modification](./T1222/T1222.md) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Netsh Helper DLL](./T1128/T1128.md) | | Group Policy Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
@@ -37,8 +37,8 @@
| | | [Screensaver](./T1180/T1180.md) | | [Masquerading](./T1036/T1036.md) | | | | | | |
| | | [Security Support Provider](./T1101/T1101.md) | | [Modify Registry](./T1112/T1112.md) | | | | | | |
| | | [Server Software Component](./T1505/T1505.md) | | [Mshta](./T1170/T1170.md) | | | | | | |
| | | Service Registry Permissions Weakness [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | |
| | | Shortcut Modification [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | |
| | | [Service Registry Permissions Weakness](./T1058/T1058.md) | | [NTFS File Attributes](./T1096/T1096.md) | | | | | | |
| | | [Shortcut Modification](./T1023/T1023.md) | | [Network Share Connection Removal](./T1126/T1126.md) | | | | | | |
| | | System Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](./T1027/T1027.md) | | | | | | |
| | | Time Providers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Parent PID Spoofing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | |