Generated docs from job=generate-docs branch=master [ci skip]

2023-11-19 19:23:53 +00:00
parent 55cbd79603
commit ca9a658d79
9 changed files with 134 additions and 2 deletions
@@ -200,6 +200,7 @@ defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,5,Windows - Modif
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,6,Windows - Modify file last modified timestamp with PowerShell,f8f6634d-93e1-4238-8510-f8a90a20dcf2,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,7,Windows - Modify file last access timestamp with PowerShell,da627f63-b9bd-4431-b6f8-c5b44d061a62,powershell
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,8,Windows - Timestomp a File,d7512c33-3a75-4806-9893-69abc3ccdd43,powershell
+defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,9,MacOS - Timestomp Date Modified,87fffff4-d371-4057-a539-e3b24c37e564,sh
 defense-evasion,T1620,Reflective Code Loading,1,WinPwn - Reflectively load Mimik@tz into memory,56b9589c-9170-4682-8c3d-33b86ecb5119,powershell
 defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,1,CMSTP Executing Remote Scriptlet,34e63321-9683-496b-bbc1-7566bc55e624,command_prompt
 defense-evasion,T1218.003,Signed Binary Proxy Execution: CMSTP,2,CMSTP Executing UAC Bypass,748cb4f6-2fb3-4e97-b7ad-b22635a09ab0,command_prompt
@@ -46,6 +46,7 @@ defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,1,Set a file's ac
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,2,Set a file's modification timestamp,20ef1523-8758-4898-b5a2-d026cc3d2c52,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,3,Set a file's creation timestamp,8164a4a6-f99c-4661-ac4f-80f5e4e78d2b,sh
 defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,4,Modify file timestamps using reference file,631ea661-d661-44b0-abdb-7a7f3fc08e50,sh
+defense-evasion,T1070.006,Indicator Removal on Host: Timestomp,9,MacOS - Timestomp Date Modified,87fffff4-d371-4057-a539-e3b24c37e564,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,1,Pad Binary to Change Hash - Linux/macOS dd,ffe2346c-abd5-4b45-a713-bf5f1ebd573a,sh
 defense-evasion,T1027.001,Obfuscated Files or Information: Binary Padding,2,Pad Binary to Change Hash using truncate command - Linux/macOS,e22a9e89-69c7-410f-a473-e6c212cd2292,sh
 defense-evasion,T1078.001,Valid Accounts: Default Accounts,3,Enable Guest Account on macOS,0315bdff-4178-47e9-81e4-f31a6d23f7e4,command_prompt
@@ -266,6 +266,7 @@
  - Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
  - Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
  - Atomic Test #8: Windows - Timestomp a File [windows]
+  - Atomic Test #9: MacOS - Timestomp Date Modified [macos]
 - [T1620 Reflective Code Loading](../../T1620/T1620.md)
  - Atomic Test #1: WinPwn - Reflectively load Mimik@tz into memory [windows]
 - T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -81,6 +81,7 @@
  - Atomic Test #2: Set a file's modification timestamp [linux, macos]
  - Atomic Test #3: Set a file's creation timestamp [linux, macos]
  - Atomic Test #4: Modify file timestamps using reference file [linux, macos]
+  - Atomic Test #9: MacOS - Timestomp Date Modified [macos]
 - T1620 Reflective Code Loading [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1564.011 Ignore Process Interrupts [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
 - T1497.003 Time Based Evasion [CONTRIBUTE A TEST](https://github.com/redcanaryco/atomic-red-team/wiki/Contributing)
@@ -10176,6 +10176,44 @@ defense-evasion:
          import-module "#{file_path}\timestomp.ps1"
          timestomp -dest "#{file_path}\kxwn.lock"
        name: powershell
+    - name: MacOS - Timestomp Date Modified
+      auto_generated_guid: 87fffff4-d371-4057-a539-e3b24c37e564
+      description: 'Stomps on the modification timestamp of a file using MacOS''s
+        SetFile utility
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        target_filename:
+          description: 'Path of file that we are going to stomp on last modified time
+
+            '
+          type: path
+          default: "/tmp/T1070.006-modified.txt"
+        target_date:
+          description: Date to replace original timestamps with
+          type: string
+          default: 01/01/1970
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 MacOS file modified timestomp test''
+          > #{target_filename}
+
+          '
+      executor:
+        name: sh
+        command: 'SetFile -m #{target_date} #{target_filename}
+
+          '
+        cleanup_command: 'rm -f #{target_filename}
+
+          '
  T1620:
    technique:
      modified: '2023-09-29T21:09:49.267Z'
@@ -5679,6 +5679,44 @@ defense-evasion:

          '
        name: sh
+    - name: MacOS - Timestomp Date Modified
+      auto_generated_guid: 87fffff4-d371-4057-a539-e3b24c37e564
+      description: 'Stomps on the modification timestamp of a file using MacOS''s
+        SetFile utility
+
+        '
+      supported_platforms:
+      - macos
+      input_arguments:
+        target_filename:
+          description: 'Path of file that we are going to stomp on last modified time
+
+            '
+          type: path
+          default: "/tmp/T1070.006-modified.txt"
+        target_date:
+          description: Date to replace original timestamps with
+          type: string
+          default: 01/01/1970
+      dependencies:
+      - description: 'The file must exist in order to be timestomped
+
+          '
+        prereq_command: 'test -e #{target_filename} && exit 0 || exit 1
+
+          '
+        get_prereq_command: 'echo ''T1070.006 MacOS file modified timestomp test''
+          > #{target_filename}
+
+          '
+      executor:
+        name: sh
+        command: 'SetFile -m #{target_date} #{target_filename}
+
+          '
+        cleanup_command: 'rm -f #{target_filename}
+
+          '
  T1620:
    technique:
      modified: '2023-09-29T21:09:49.267Z'
@@ -22,6 +22,8 @@ Timestomping may be used along with file name [Masquerading](https://attack.mitr

 - [Atomic Test #8 - Windows - Timestomp a File](#atomic-test-8---windows---timestomp-a-file)

+- [Atomic Test #9 - MacOS - Timestomp Date Modified](#atomic-test-9---macos---timestomp-date-modified)
+

 <br/>

@@ -419,4 +421,54 @@ New-Item -Path "#{file_path}\kxwn.lock" -ItemType File



+<br/>
+<br/>
+
+## Atomic Test #9 - MacOS - Timestomp Date Modified
+Stomps on the modification timestamp of a file using MacOS's SetFile utility
+
+**Supported Platforms:** macOS
+
+
+**auto_generated_guid:** 87fffff4-d371-4057-a539-e3b24c37e564
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| target_filename | Path of file that we are going to stomp on last modified time | path | /tmp/T1070.006-modified.txt|
+| target_date | Date to replace original timestamps with | string | 01/01/1970|
+
+
+#### Attack Commands: Run with `sh`! 
+
+
+```sh
+SetFile -m #{target_date} #{target_filename}
+```
+
+#### Cleanup Commands:
+```sh
+rm -f #{target_filename}
+```
+
+
+
+#### Dependencies:  Run with `sh`!
+##### Description: The file must exist in order to be timestomped
+##### Check Prereq Commands:
+```sh
+test -e #{target_filename} && exit 0 || exit 1
+```
+##### Get Prereq Commands:
+```sh
+echo 'T1070.006 MacOS file modified timestomp test' > #{target_filename}
+```
+
+
+
+
 <br/>