Generate docs from job=validate_atomics_generate_docs branch=T1140-Add

CircleCI Atomic Red Team doc generator
2018-09-14 13:34:52 +00:00
parent 52ca3f8b1b
commit d0a5bb7762
3 changed files with 23 additions and 0 deletions
+21
@@ -26,6 +26,8 @@ Contributors: Matthew Demaske, Adaptforward, Red Canary</blockquote>
- [Atomic Test #1 - Deobfuscate/Decode Files Or Information](#atomic-test-1---deobfuscatedecode-files-or-information)
- [Atomic Test #2 - Certutil Rename and Decode](#atomic-test-2---certutil-rename-and-decode)
<br/>
@@ -46,3 +48,22 @@ certutil.exe -encode #{executable} file.txt
certutil.exe -decode file.txt #{executable}
```
<br/>
<br/>
## Atomic Test #2 - Certutil Rename and Decode
Rename certutil and decode a file. This is in reference to latest research by FireEye [here](https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html)
**Supported Platforms:** Windows
#### Inputs
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable | name of executable/file to decode | path | c:\file.exe|
#### Run it with `command_prompt`!
```
cmd.exe /c copy %windir%\\system32\\certutil.exe %temp%tcm.tmp
cmd.exe /c %temp%tcm.tmp -decode #{executable}
```
<br/>
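Review bot: the `command_prompt` block for Atomic Test #2 is inconsistent with the certutil syntax shown in Test #1 directly above it. Test #1 decodes with two arguments (`certutil.exe -decode file.txt #{executable}`, input file then output file), while Test #2 runs `%temp%tcm.tmp -decode #{executable}` with a single argument, so the renamed binary would print a usage error instead of decoding anything and the test would not exercise the behaviour it is meant to validate. Two smaller points in the same block: `%temp%tcm.tmp` has no backslash between `%temp%` and the file name, so the copy is written beside the temp directory rather than inside it, and the doubled backslashes in `%windir%\\system32\\certutil.exe` look like yaml string escaping leaking into the rendered command. Because these markdown files are generated, the fix belongs in the T1140 yaml test definition, with the docs regenerated afterwards. The description's "latest research by FireEye" will also date quickly; citing the report by title and date would keep the reference useful.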
+1
@@ -149,6 +149,7 @@
- T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- Atomic Test #1: Disable iptables firewall [linux]
- Atomic Test #2: Disable syslog [linux]
+1
@@ -21,6 +21,7 @@
- T1073 DLL Side-Loading [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- [T1140 Deobfuscate/Decode Files or Information](./T1140/T1140.md)
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- [T1089 Disabling Security Tools](./T1089/T1089.md)
- T1211 Exploitation for Defense Evasion [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)
- T1181 Extra Window Memory Injection [CONTRIBUTE A TEST](https://atomicredteam.io/contributing)