Generate docs from job=validate_atomics_generate_docs branch=master

CircleCI Atomic Red Team doc generator
2020-04-01 00:25:22 +00:00
parent 0a7e7c7ef5
commit b7fc8fbd8f
3 changed files with 78 additions and 63 deletions
+17 -10
@@ -28,7 +28,8 @@ Mac allows login and logoff hooks to be run as root whenever a specific user log
<br/>
## Atomic Test #1 - Logon Scripts
Adds a registry value to run batch script created in the C:\Windows\Temp directory.
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
that can be viewed in the Registry Editor.
**Supported Platforms:** Windows
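Review bot: wording in the added description: "run batch script" should read "run a batch script", and "a new environment variable in the HKCU\Environment key" would help a tester more if it named what to look for, i.e. the UserInitMprLogonScript value that the REG.exe ADD command writes. As this README is generated (see the commit header), the fix belongs in the technique's atomic YAML.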
@@ -38,7 +39,7 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| script_path | Path to .bat file | String | $env:SystemRoot&#92;Temp&#92;art.bat|
| script_path | Path to .bat file | String | %temp%&#92;art.bat|
| script_command | Command To Execute | String | echo Art "Logon Script" atomic test was successful. >> %USERPROFILE%&#92;desktop&#92;T1037-log.txt|
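Review bot: the default change is a real fix rather than cosmetics: this test runs under the command_prompt executor, where the old `$env:SystemRoot\Temp\art.bat` is PowerShell syntax that cmd never expands, so the redirect into that path would have failed; `%temp%\art.bat` expands correctly in cmd and is per-user, which matches the HKCU (per-user) registry value the test sets.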
@@ -46,15 +47,15 @@ Adds a registry value to run batch script created in the C:\Windows\Temp directo
```cmd
echo cmd /c "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
```
#### Cleanup Commands:
```cmd
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
del #{script_path} >nul 2>nul
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
del #{script_path} >nul 2>&1
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
```
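Review bot: the new `echo "#{script_command}" > #{script_path}` line writes the surrounding double quotes into the .bat file literally (cmd's echo does not strip them), so with the default script_command the script's only line begins with `"echo Art "` instead of `echo Art "Logon Script" ...` and the logon script will not run the intended command. The removed `cmd /c "..."` wrapper was what made that quoted string executable; either restore it, or drop the outer quotes and escape the `>>` inside the default as `^>^>` so the outer shell does not treat it as its own redirect. The `/f` on REG.exe ADD is a good addition (no overwrite prompt to hang an unattended run), and the `2>&1` change in the cleanup is harmless since both forms silence stderr.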
@@ -65,7 +66,8 @@ del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
<br/>
## Atomic Test #2 - Scheduled Task Startup Script
Run an exe on user logon or system startup
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
the tasks, open the Task Scheduler and look in the Active Tasks pane.
**Supported Platforms:** Windows
@@ -129,7 +131,9 @@ Mac logon script
<br/>
## Atomic Test #4 - Supicious vbs file run from startup Folder
vbs files can be placed in and ran from the startup folder to maintain persistance
vbs files can be placed in and ran from the startup folder to maintain persistance. Upon execution, "T1137 Hello, World VBS!" will be displayed twice.
Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
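Review bot: spelling and grammar in the added description: "persistance" should be "persistence" and "placed in and ran from" should be "placed in and run from"; the test name "Supicious" in the heading is a context line here, so it needs its own change at the source. The expected message "T1137 Hello, World VBS!" also carries a technique ID different from the T1037 this README documents; if the script really prints T1137 the doc is accurate, but it reads like a typo and is worth confirming in the atomic YAML.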
@@ -162,7 +166,9 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbssta
## Atomic Test #5 - Supicious jse file run from startup Folder
jse files can be placed in and ran from the startup folder to maintain persistance.
Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
Upon execution, "T1137 Hello, World JSE!" will be displayed twice.
Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
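Review bot: replacing "will be printed to the powershell session twice" with "will be displayed twice" drops the one concrete detail a tester needs, namely where the output appears; suggest keeping "in the PowerShell session" in the new sentence. The same spelling fixes apply here ("persistance", "ran from", and "Supicious" in the heading).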
@@ -195,7 +201,8 @@ Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\jsesta
## Atomic Test #6 - Supicious bat file run from startup Folder
bat files can be placed in and executed from the startup folder to maintain persistance.
Upon execution, cmd will be run and immediately closed.
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
**Supported Platforms:** Windows
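Review bot: "cmd will be run and immediately closed" still gives a tester nothing durable to verify, unlike the vbs and jse entries, which name the message to expect; since the added sentence already points at the Startup folder, consider also stating what the bat file prints or leaves behind so the result can be checked after the next logon. "persistance" in the first line needs the spelling fix as well.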
+6 -3
@@ -60,7 +60,8 @@ groups
<br/>
## Atomic Test #2 - Basic Permission Groups Discovery Windows
Basic Permission Groups Discovery for Windows
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
**Supported Platforms:** Windows
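Review bot: "will display some errors" is vague; name the commands that fail off-domain (the `/domain` queries shown in the following hunk headers) so a tester on a workgroup machine knows which errors are expected and which would mean the test is broken. The same sentence is reused verbatim in the next two hunks and would benefit from the same precision.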
@@ -86,7 +87,8 @@ net group "domain admins" /domain
<br/>
## Atomic Test #3 - Permission Groups Discovery PowerShell
Permission Groups Discovery utilizing PowerShell
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
**Supported Platforms:** Windows
@@ -116,7 +118,8 @@ get-ADPrincipalGroupMembership #{user} | select name
<br/>
## Atomic Test #4 - Elevated group enumeration using net group
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
**Supported Platforms:** Windows
+55 -50
@@ -2758,17 +2758,16 @@ persistence:
identifier: T1037
atomic_tests:
- name: Logon Scripts
description: 'Adds a registry value to run batch script created in the C:\Windows\Temp
directory.
'
description: |
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
that can be viewed in the Registry Editor.
supported_platforms:
- windows
input_arguments:
script_path:
description: Path to .bat file
type: String
default: "$env:SystemRoot\\Temp\\art.bat"
default: "%temp%\\art.bat"
script_command:
description: Command To Execute
type: String
@@ -2777,16 +2776,16 @@ persistence:
name: command_prompt
elevation_required: false
command: |
echo cmd /c "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
cleanup_command: |
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
del #{script_path} >nul 2>nul
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
del #{script_path} >nul 2>&1
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
- name: Scheduled Task Startup Script
description: 'Run an exe on user logon or system startup
'
description: |
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
the tasks, open the Task Scheduler and look in the Active Tasks pane.
supported_platforms:
- windows
executor:
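Review bot: the `echo "#{script_command}" > #{script_path}` line writes its double quotes into the .bat file, so the resulting logon script begins with a literal `"` and will not execute the intended command; the removed `cmd /c` wrapper handled that. Restore the wrapper, or drop the outer quotes and escape the `>>` inside the default script_command as `^>^>`. Since this file is produced by the doc generator (see the commit header), the fix has to land in the T1037 atomic YAML rather than here.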
@@ -2814,10 +2813,11 @@ persistence:
Populate the plist with the location of your shell script\n\n\t defaults
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n"
- name: Supicious vbs file run from startup Folder
description: 'vbs files can be placed in and ran from the startup folder to
maintain persistance
'
description: "vbs files can be placed in and ran from the startup folder to
maintain persistance. Upon execution, \"T1137 Hello, World VBS!\" will be
displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
and the user logs in.\n"
supported_platforms:
- windows
executor:
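Review bot: this description was re-emitted as a double-quoted flow scalar with `\n` escapes and a stray space before the first `\n` ("twice. \n"), while every other description in this diff uses a `|` literal block; the literal block is easier to read and diff and avoids the trailing space. The spelling fixes ("persistance", "ran from", and "Supicious" in the name) apply here as well.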
@@ -2832,9 +2832,11 @@ persistence:
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
- name: Supicious jse file run from startup Folder
description: |
jse files can be placed in and ran from the startup folder to maintain persistance.
Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
description: "jse files can be placed in and ran from the startup folder to
maintain persistance.\nUpon execution, \"T1137 Hello, World JSE!\" will be
displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
and the user logs in.\n"
supported_platforms:
- windows
executor:
@@ -2851,7 +2853,8 @@ persistence:
- name: Supicious bat file run from startup Folder
description: |
bat files can be placed in and executed from the startup folder to maintain persistance.
Upon execution, cmd will be run and immediately closed.
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
supported_platforms:
- windows
executor:
@@ -18008,9 +18011,9 @@ discovery:
dscl . -list /Groups
groups
- name: Basic Permission Groups Discovery Windows
description: 'Basic Permission Groups Discovery for Windows
'
description: |
Basic Permission Groups Discovery for Windows. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
supported_platforms:
- windows
executor:
@@ -18021,9 +18024,9 @@ discovery:
net group /domain
net group "domain admins" /domain
- name: Permission Groups Discovery PowerShell
description: 'Permission Groups Discovery utilizing PowerShell
'
description: |
Permission Groups Discovery utilizing PowerShell. This test will display some errors if run on a computer not connected to a domain. Upon execution, domain
information will be displayed.
supported_platforms:
- windows
input_arguments:
@@ -18038,10 +18041,9 @@ discovery:
get-localgroup
get-ADPrincipalGroupMembership #{user} | select name
- name: Elevated group enumeration using net group
description: 'Runs "net group" command including command aliases and loose typing
to simulate enumeration/discovery of high value domain groups
'
description: |
Runs "net group" command including command aliases and loose typing to simulate enumeration/discovery of high value domain groups. This
test will display some errors if run on a computer not connected to a domain. Upon execution, domain information will be displayed.
supported_platforms:
- windows
executor:
@@ -25860,17 +25862,16 @@ lateral-movement:
identifier: T1037
atomic_tests:
- name: Logon Scripts
description: 'Adds a registry value to run batch script created in the C:\Windows\Temp
directory.
'
description: |
Adds a registry value to run batch script created in the %temp% directory. Upon execution, there will be a new environment variable in the HKCU\Environment key
that can be viewed in the Registry Editor.
supported_platforms:
- windows
input_arguments:
script_path:
description: Path to .bat file
type: String
default: "$env:SystemRoot\\Temp\\art.bat"
default: "%temp%\\art.bat"
script_command:
description: Command To Execute
type: String
@@ -25879,16 +25880,16 @@ lateral-movement:
name: command_prompt
elevation_required: false
command: |
echo cmd /c "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}"
echo "#{script_command}" > #{script_path}
REG.exe ADD HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d "#{script_path}" /f
cleanup_command: |
REG.exe DELETE HKCU\Environment /v UserInitMprLogonScript /f
del #{script_path} >nul 2>nul
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>nul
del #{script_path} >nul 2>&1
del "%USERPROFILE%\desktop\T1037-log.txt" >nul 2>&1
- name: Scheduled Task Startup Script
description: 'Run an exe on user logon or system startup
'
description: |
Run an exe on user logon or system startup. Upon execution, success messages will be displayed for the two scheduled tasks. To view
the tasks, open the Task Scheduler and look in the Active Tasks pane.
supported_platforms:
- windows
executor:
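Review bot: this is the same command block as the persistence copy earlier in the diff and carries the same defect: `echo "#{script_command}"` leaves literal quotes in the .bat file so the logon script does not run the intended command. Both copies need the identical fix (restore `cmd /c` or escape the inner `>>` as `^>^>`), which means fixing the source atomic YAML so the two generated copies cannot drift apart.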
@@ -25916,10 +25917,11 @@ lateral-movement:
Populate the plist with the location of your shell script\n\n\t defaults
write com.apple.loginwindow LoginHook /Library/Scripts/AtomicRedTeam.sh\n"
- name: Supicious vbs file run from startup Folder
description: 'vbs files can be placed in and ran from the startup folder to
maintain persistance
'
description: "vbs files can be placed in and ran from the startup folder to
maintain persistance. Upon execution, \"T1137 Hello, World VBS!\" will be
displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
and the user logs in.\n"
supported_platforms:
- windows
executor:
@@ -25934,9 +25936,11 @@ lateral-movement:
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\vbsstartup.vbs" -ErrorAction Ignore
Remove-Item "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vbsstartup.vbs" -ErrorAction Ignore
- name: Supicious jse file run from startup Folder
description: |
jse files can be placed in and ran from the startup folder to maintain persistance.
Upon execution, "T1137 Hello, World JSE!" will be printed to the powershell session twice.
description: "jse files can be placed in and ran from the startup folder to
maintain persistance.\nUpon execution, \"T1137 Hello, World JSE!\" will be
displayed twice. \nAdditionally, the new files can be viewed in the \"$env:APPDATA\\Microsoft\\Windows\\Start
Menu\\Programs\\Startup\"\nfolder and will also run when the computer is restarted
and the user logs in.\n"
supported_platforms:
- windows
executor:
@@ -25953,7 +25957,8 @@ lateral-movement:
- name: Supicious bat file run from startup Folder
description: |
bat files can be placed in and executed from the startup folder to maintain persistance.
Upon execution, cmd will be run and immediately closed.
Upon execution, cmd will be run and immediately closed. Additionally, the new files can be viewed in the "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
folder and will also run when the computer is restarted and the user logs in.
supported_platforms:
- windows
executor: