security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci]

Browse Source
This commit is contained in:
CircleCI Atomic Red Team doc generator
2021-01-13 19:14:46 +00:00
parent 1f26ebdb6c
commit bc705cb7aa
6 changed files with 21 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/Indexes-CSV/index.csv
+2 -2
View File
@@ -108,7 +108,7 @@ persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-92
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
@@ -278,7 +278,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1027.001,Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
108 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
109 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
110 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
111 persistence T1197 BITS Jobs 4 Bits download using destktopimgdownldr.exe (cmd) Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
112 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
113 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
114 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
278 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
279 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
280 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
281 defense-evasion T1197 BITS Jobs 4 Bits download using destktopimgdownldr.exe (cmd) Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
282 defense-evasion T1027.001 Binary Padding 1 Pad Binary to Change Hash - Linux/macOS dd ffe2346c-abd5-4b45-a713-bf5f1ebd573a sh
283 defense-evasion T1548.002 Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
284 defense-evasion T1548.002 Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
atomics/Indexes/Indexes-CSV/windows-index.csv
+2 -2
View File
@@ -137,7 +137,7 @@ defense-evasion,T1055.004,Asynchronous Procedure Call,1,Process Injection via C#
defense-evasion,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
defense-evasion,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
defense-evasion,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,1,Bypass UAC using Event Viewer (cmd),5073adf8-9a50-4bd9-b298-a9bd2ead8af9,command_prompt
defense-evasion,T1548.002,Bypass User Account Control,2,Bypass UAC using Event Viewer (PowerShell),a6ce9acf-842a-4af6-8f79-539be7608e2b,powershell
defense-evasion,T1548.002,Bypass User Account Control,3,Bypass UAC using Fodhelper,58f641ea-12e3-499a-b684-44dee46bd182,command_prompt
@@ -330,7 +330,7 @@ persistence,T1053.002,At (Windows),1,At.exe Scheduled task,4a6c0dc4-0f2a-4203-92
persistence,T1197,BITS Jobs,1,Bitsadmin Download (cmd),3c73d728-75fb-4180-a12f-6712864d7421,command_prompt
persistence,T1197,BITS Jobs,2,Bitsadmin Download (PowerShell),f63b8bc4-07e5-4112-acba-56f646f3f0bc,powershell
persistence,T1197,BITS Jobs,3,"Persist, Download, & Execute",62a06ec5-5754-47d2-bcfc-123d8314c6ae,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using destktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1197,BITS Jobs,4,Bits download using desktopimgdownldr.exe (cmd),afb5e09e-e385-4dee-9a94-6ee60979d114,command_prompt
persistence,T1176,Browser Extensions,1,Chrome (Developer Mode),3ecd790d-2617-4abf-9a8c-4e8d47da9ee1,manual
persistence,T1176,Browser Extensions,2,Chrome (Chrome Web Store),4c83940d-8ca5-4bb2-8100-f46dc914bc3f,manual
persistence,T1176,Browser Extensions,3,Firefox,cb790029-17e6-4c43-b96f-002ce5f10938,manual
1 Tactic Technique # Technique Name Test # Test Name Test GUID Executor Name
137 defense-evasion T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
138 defense-evasion T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
139 defense-evasion T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
140 defense-evasion T1197 BITS Jobs 4 Bits download using destktopimgdownldr.exe (cmd) Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
141 defense-evasion T1548.002 Bypass User Account Control 1 Bypass UAC using Event Viewer (cmd) 5073adf8-9a50-4bd9-b298-a9bd2ead8af9 command_prompt
142 defense-evasion T1548.002 Bypass User Account Control 2 Bypass UAC using Event Viewer (PowerShell) a6ce9acf-842a-4af6-8f79-539be7608e2b powershell
143 defense-evasion T1548.002 Bypass User Account Control 3 Bypass UAC using Fodhelper 58f641ea-12e3-499a-b684-44dee46bd182 command_prompt
330 persistence T1197 BITS Jobs 1 Bitsadmin Download (cmd) 3c73d728-75fb-4180-a12f-6712864d7421 command_prompt
331 persistence T1197 BITS Jobs 2 Bitsadmin Download (PowerShell) f63b8bc4-07e5-4112-acba-56f646f3f0bc powershell
332 persistence T1197 BITS Jobs 3 Persist, Download, & Execute 62a06ec5-5754-47d2-bcfc-123d8314c6ae command_prompt
333 persistence T1197 BITS Jobs 4 Bits download using destktopimgdownldr.exe (cmd) Bits download using desktopimgdownldr.exe (cmd) afb5e09e-e385-4dee-9a94-6ee60979d114 command_prompt
334 persistence T1176 Browser Extensions 1 Chrome (Developer Mode) 3ecd790d-2617-4abf-9a8c-4e8d47da9ee1 manual
335 persistence T1176 Browser Extensions 2 Chrome (Chrome Web Store) 4c83940d-8ca5-4bb2-8100-f46dc914bc3f manual
336 persistence T1176 Browser Extensions 3 Firefox cb790029-17e6-4c43-b96f-002ce5f10938 manual
atomics/Indexes/Indexes-Markdown/index.md
+2 -2
View File
@@ -214,7 +214,7 @@
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -566,7 +566,7 @@
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- [T1027.001 Binary Padding](../../T1027.001/T1027.001.md)
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/Indexes-Markdown/windows-index.md
+2 -2
View File
@@ -282,7 +282,7 @@
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1027.001 Binary Padding [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1548.002 Bypass User Account Control](../../T1548.002/T1548.002.md)
@@ -597,7 +597,7 @@
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using destktopimgdownldr.exe (cmd) [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1037 Boot or Logon Initialization Scripts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1542.003 Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
atomics/Indexes/index.yaml
+10 -10
View File
@@ -10149,12 +10149,12 @@ persistence:
'
name: command_prompt
- name: Bits download using destktopimgdownldr.exe (cmd)
- name: Bits download using desktopimgdownldr.exe (cmd)
auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
description: "This test simulates using destopimgdwnldr.exe to download a malicious
file\ninstead of a desktop or lockscreen background img. The process that
actually makes \nthe TCP connection and creates the file on the disk is a
svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe.
description: "This test simulates using desktopimgdownldr.exe to download a
malicious file\ninstead of a desktop or lockscreen background img. The process
that actually makes \nthe TCP connection and creates the file on the disk
is a svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe.
See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n"
supported_platforms:
- windows
@@ -26058,12 +26058,12 @@ defense-evasion:
'
name: command_prompt
- name: Bits download using destktopimgdownldr.exe (cmd)
- name: Bits download using desktopimgdownldr.exe (cmd)
auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114
description: "This test simulates using destopimgdwnldr.exe to download a malicious
file\ninstead of a desktop or lockscreen background img. The process that
actually makes \nthe TCP connection and creates the file on the disk is a
svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe.
description: "This test simulates using desktopimgdownldr.exe to download a
malicious file\ninstead of a desktop or lockscreen background img. The process
that actually makes \nthe TCP connection and creates the file on the disk
is a svchost process (“-k netsvc -p -s BITS”) \nand not desktopimgdownldr.exe.
See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/\n"
supported_platforms:
- windows
atomics/T1197/T1197.md
+3 -3
View File
@@ -16,7 +16,7 @@ BITS upload functionalities can also be used to perform [Exfiltration Over Alter
- [Atomic Test #3 - Persist, Download, & Execute](#atomic-test-3---persist-download--execute)
- [Atomic Test #4 - Bits download using destktopimgdownldr.exe (cmd)](#atomic-test-4---bits-download-using-destktopimgdownldrexe-cmd)
- [Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd)](#atomic-test-4---bits-download-using-desktopimgdownldrexe-cmd)
<br/>
@@ -137,8 +137,8 @@ del #{local_file} >nul 2>&1
<br/>
<br/>
## Atomic Test #4 - Bits download using destktopimgdownldr.exe (cmd)
This test simulates using destopimgdwnldr.exe to download a malicious file
## Atomic Test #4 - Bits download using desktopimgdownldr.exe (cmd)
This test simulates using desktopimgdownldr.exe to download a malicious file
instead of a desktop or lockscreen background img. The process that actually makes
the TCP connection and creates the file on the disk is a svchost process (“-k netsvc -p -s BITS”)
and not desktopimgdownldr.exe. See https://labs.sentinelone.com/living-off-windows-land-a-new-native-file-downldr/