Merge branch 'master' into master

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1484.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1484","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1606.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1606","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}
+{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Containers)","description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}
+{"version":"4.3","name":"Atomic Red Team (Containers)","description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Google-Workspace)","description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1078.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}
+{"version":"4.3","name":"Atomic Red Team (Google-Workspace)","description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Iaas)","description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1562.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}
+{"version":"4.3","name":"Atomic Red Team (Iaas)","description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]}

atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json

@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]}
+{"version":"4.3","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]}

atomics/Indexes/Indexes-CSV/index.csv

@@ -25,6 +25,7 @@ credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
 credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
+credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt

atomics/Indexes/Indexes-CSV/windows-index.csv

@@ -12,6 +12,7 @@ credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password
 credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt
 credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell
 credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell
+credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell
 credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt
 credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt
 credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt

atomics/Indexes/Indexes-Markdown/index.md

@@ -39,6 +39,7 @@
   - Atomic Test #3: LaZagne - Credentials from Browser [windows]
   - Atomic Test #4: Simulating access to Chrome Login Data [windows]
   - Atomic Test #5: Simulating access to Opera Login Data [windows]
+  - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
 - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]

atomics/Indexes/Indexes-Markdown/windows-index.md

@@ -22,6 +22,7 @@
   - Atomic Test #3: LaZagne - Credentials from Browser [windows]
   - Atomic Test #4: Simulating access to Chrome Login Data [windows]
   - Atomic Test #5: Simulating access to Opera Login Data [windows]
+  - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows]
 - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md)
   - Atomic Test #1: Enumeration for Credentials in Registry [windows]
   - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]

atomics/Indexes/index.yaml

@@ -1524,6 +1524,45 @@ credential-access:
           Ignore
 
 '
+    - name: Simulating access to Windows Firefox Login Data
+      auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c
+      description: |
+        Simulates an adversary accessing encrypted credentials from firefox web browser's login database.
+        more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
+      supported_platforms:
+      - windows
+      dependency_executor_name: powershell
+      dependencies:
+      - description: 'Firefox must be installed
+
+'
+        prereq_command: if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe")
+          -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit
+          0} else {exit 1}
+        get_prereq_command: |
+          if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"}
+          $installer = "$env:temp\firefoxsetup.exe"
+          (New-Object Net.WebClient).DownloadFile($url,$installer)
+          Start-Process $installer -ArgumentList '/S' -Wait
+      - description: 'Firefox login data file must exist
+
+'
+        prereq_command: if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit
+          0} else {exit 1}
+        get_prereq_command: |
+          if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"}
+          Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait
+          Start-Process $firefox -NoNewWindow
+          Start-Sleep -s 20
+          Stop-Process -Name firefox
+      executor:
+        name: powershell
+        command: 'Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination
+          $env:temp -Force
+
+'
+        cleanup_command: Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction
+          Ig
   T1552.002:
     technique:
       created: '2020-02-04T12:58:40.678Z'
@@ -33017,7 +33056,7 @@ defense-evasion:
           (#{crackmapexec_exe})
 
 '
-        prereq_command: 'if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
+        prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1}
 
 '
         get_prereq_command: 'Write-Host Automated installer not implemented yet, please
@@ -33025,9 +33064,7 @@ defense-evasion:
 
 '
       executor:
-        command: 'crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
-
-'
+        command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n"
         name: command_prompt
   T1550.003:
     technique:
@@ -54763,11 +54800,10 @@ discovery:
 
 '
         prereq_command: 'if [ -x "$(command -v lastlog)" ]; then exit 0; else exit
-          1;
+          1; fi
 
 '
-        get_prereq_command: 'echo "Install lastlog on the machine to run the test.";
-          exit 1;
+        get_prereq_command: 'sudo apt-get install login; exit 1;
 
 '
       executor:
@@ -66466,7 +66502,7 @@ lateral-movement:
           (#{crackmapexec_exe})
 
 '
-        prereq_command: 'if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
+        prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1}
 
 '
         get_prereq_command: 'Write-Host Automated installer not implemented yet, please
@@ -66474,9 +66510,7 @@ lateral-movement:
 
 '
       executor:
-        command: 'crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
-
-'
+        command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n"
         name: command_prompt
   T1550.003:
     technique:

atomics/T1087.001/T1087.001.md

@@ -208,11 +208,11 @@ rm -f #{output_file}
 ##### Description: Check if lastlog command exists on the machine
 ##### Check Prereq Commands:
 ```sh
-if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1;
+if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi
 ```
 ##### Get Prereq Commands:
 ```sh
-echo "Install lastlog on the machine to run the test."; exit 1;
+sudo apt-get install login; exit 1;
 ```
 
 

atomics/T1087.001/T1087.001.yaml

@@ -85,9 +85,9 @@ atomic_tests:
   - description: |
       Check if lastlog command exists on the machine
     prereq_command: |
-      if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1;
+      if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi
     get_prereq_command: |
-      echo "Install lastlog on the machine to run the test."; exit 1;
+      sudo apt-get install login; exit 1;
   executor:
     command: |
       lastlog > #{output_file}

atomics/T1550.002/T1550.002.md

@@ -96,7 +96,7 @@ command execute with crackmapexec
 
 
 ```cmd
-crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
+#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}
 ```
 
 
@@ -106,7 +106,7 @@ crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
 ##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})
 ##### Check Prereq Commands:
 ```powershell
-if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
+if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1}
 ```
 ##### Get Prereq Commands:
 ```powershell

atomics/T1550.002/T1550.002.yaml

@@ -75,10 +75,10 @@ atomic_tests:
   - description: |
       CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe})
     prereq_command: |
-      if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 }
+      if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1}
     get_prereq_command: |
       Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe}
   executor:
     command: |
-      crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command}
+      #{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}
     name: command_prompt

atomics/T1555.003/T1555.003.md

@@ -22,6 +22,8 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl
 
 - [Atomic Test #5 - Simulating access to Opera Login Data](#atomic-test-5---simulating-access-to-opera-login-data)
 
+- [Atomic Test #6 - Simulating access to Windows Firefox Login Data](#atomic-test-6---simulating-access-to-windows-firefox-login-data)
+
 
 <br/>
 
@@ -269,4 +271,65 @@ New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType F
 
 
 
+<br/>
+<br/>
+
+## Atomic Test #6 - Simulating access to Windows Firefox Login Data
+Simulates an adversary accessing encrypted credentials from firefox web browser's login database.
+more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** eb8da98a-2e16-4551-b3dd-83de49baa14c
+
+
+
+
+
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force
+```
+
+#### Cleanup Commands:
+```powershell
+Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Firefox must be installed
+##### Check Prereq Commands:
+```powershell
+if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"}
+$installer = "$env:temp\firefoxsetup.exe"
+(New-Object Net.WebClient).DownloadFile($url,$installer)
+Start-Process $installer -ArgumentList '/S' -Wait
+```
+##### Description: Firefox login data file must exist
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"}
+Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait
+Start-Process $firefox -NoNewWindow
+Start-Sleep -s 20
+Stop-Process -Name firefox
+```
+
+
+
+
 <br/>

atomics/T1555.003/T1555.003.yaml

@@ -131,3 +131,35 @@ atomic_tests:
       Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp
     cleanup_command: |
       Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore
+- name: Simulating access to Windows Firefox Login Data
+  auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c
+  description: |
+    Simulates an adversary accessing encrypted credentials from firefox web browser's login database.
+    more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data
+  supported_platforms:
+    - windows
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Firefox must be installed
+    prereq_command: 'if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}'      
+    get_prereq_command: |
+      if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"}
+      $installer = "$env:temp\firefoxsetup.exe"
+      (New-Object Net.WebClient).DownloadFile($url,$installer)
+      Start-Process $installer -ArgumentList '/S' -Wait
+  - description: |
+      Firefox login data file must exist
+    prereq_command: 'if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1}'    
+    get_prereq_command: | 
+      if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"}
+      Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait
+      Start-Process $firefox -NoNewWindow
+      Start-Sleep -s 20
+      Stop-Process -Name firefox
+  executor:
+    name: powershell
+    command: |
+      Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force
+    cleanup_command: |
+      Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig

atomics/used_guids.txt

@@ -849,3 +849,4 @@ f7d43d35-d628-4582-bb03-01b1c5e10d11
 c510d25b-1667-467d-8331-a56d3e9bc4ff
 deecd55f-afe0-4a62-9fba-4d1ba2deb321
 d239772b-88e2-4a2e-8473-897503401bcc
+eb8da98a-2e16-4551-b3dd-83de49baa14c

bin/generate-atomic-docs.rb

@@ -233,16 +233,37 @@ class AtomicRedTeamDocs
           "techniqueID" => atomic_yaml['attack_technique'],
           "score" => 100,
           "enabled" => true,
-          "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"
+          "links" => ["label" => "View Atomic", "url" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"]
         }
+
         techniqueParent =  {
           "techniqueID" => atomic_yaml['attack_technique'].split('.')[0],
           "score" => 100,
           "enabled" => true,
-          "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"
+          "links" => ["label" => "View Atomic", "url" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"]
         }
 
         techniques.push(technique)
+
+        for technique in techniques
+          if not technique['techniqueID'].include?(".") then 
+            techniqueParent =  {
+              "techniqueID" => atomic_yaml['attack_technique'].split('.')[0],
+              "score" => 100,
+              "enabled" => true,
+#             "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"
+              "links" => ["label" => "View Atomics", "url" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'].split('.')[0] + "/" + atomic_yaml['attack_technique'].split('.')[0] + ".md"]
+            }
+          else
+            techniqueParent =  {
+              "techniqueID" => atomic_yaml['attack_technique'].split('.')[0],
+              "score" => 100,
+              "enabled" => true
+#             "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"
+            }
+          end 
+        end
+
         techniques.push(techniqueParent) unless techniques.include?(techniqueParent)
         has_windows_tests = false
         has_macos_tests = false